ssl server: how to disable client cert verification?

Grant Edwards grant.b.edwards at gmail.com
Fri Feb 4 13:24:39 EST 2022


On 2022-02-04, Kushal Kumaran <kushal at locationd.net> wrote:

>> It's a troubleshooting utility for displaying a client's certificate.
>>
>>> Which kinds of client certificates do you want to permit
>>
>> All of them. Anything that's parsable as an X509 certificate no matter
>> how "invalid" it is.
>>
>
> Does `openssl x509 -in <filename> -text -noout` do what you want?

Where does <filename> come from?

>> I just don't want it validated by the SSL layer: I want to print it
>> out. That seems to be trivial to do for server certificates using
>> "openssl s_client", but I can't find any way to do it for client
>> certificates.
>
> In your place, I would simply use the openssl x509 command.

How does the x509 command obtain the certificate from the
client/server handshake?

> If I wanted more/different info, I would write a script to load the
> certificate and print out the relevant info.

How does one "load the certificate" from the client?

> If this functionality must be provided by a server,

> I would write it so that a certificate could be POSTed to
> the server (without using client certificates),

The problem is in getting the certificate that is provided by the client
during the handshake with the server. Don't worry about how to
parse/print it -- I can deal with that.

> I don't know how to use the stdlib's ssl module to do this kind of
> parsing.

I'm not asking about parsing x509 certificates. That's not the
problem.

The problem is _getting_ the client certificate that was provided
during the client/server handshake. That's trivial if the handshake
was successful. The problem is obtaining the client certificate when
the handshake fails. I was hoping there was a way to disable client
certificate validation so that the handshake will succeed and then
allow me to get the client certificate from the connection object.

--
Grant




