ssl server: how to disable client cert verification?

Grant Edwards grant.b.edwards at gmail.com
Fri Feb 4 14:40:30 EST 2022


On 2022-02-04, Christian Heimes <christian at python.org> wrote:
> On 04/02/2022 19.24, Grant Edwards wrote:
>> The problem is _getting_ the client certificate that was provided
>> during the client/server handshake. That's trivial if the handshake
>> was successful. The problem is obtaining the client certificate when
>> the handshake fails. I was hoping there was a way to disable client
>> certificate validation so that the handshake will succeed and then
>> allow me to get the client certificate from the connection object.
>
> FYI, it's more complicated in TLS 1.3. Post-handshake authentication
> (PHA) can happen out-of-band. Only TLS 1.2 performs client cert auth
> during handshake or renegotiation.

That's fine. I can force TLS 1.2 to be used. I don't think there are
going to be situations where the choice of 1.2 vs 1.3 will affect what
certificate is supplied by the client.

The 1.3 PHA would also be OK as long as

 1. I can disable verification of the client certificate that's
    obtained via PHA.

 2. I can obtain the client certificate that was sent during PHA.

What's odd is that it's trivial to do what I want from the client side
using "openssl s_client", but there doesn't seem to be any way to do
the corresponding using "openssl s_server".

I'm beginning to suspect this is a deficiency in the openssl library
itself.

--
Grant
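As an added illustration of the two paths discussed in this thread (not code from Grant, Christian, or the Python project), the following shows how a Python ssl server context is set up to request a client certificate either inside a forced TLS 1.2 handshake or via TLS 1.3 post-handshake authentication, and where a failed verification leaves the server with no certificate object at all. The certfile, keyfile and cafile paths are hypothetical placeholders supplied by the caller.

```python
import ssl
import socket


def configure_client_auth(ctx: ssl.SSLContext, *, allow_pha: bool = False) -> ssl.SSLContext:
    """Ask the connecting client for a certificate.

    CERT_NONE makes the server skip the CertificateRequest entirely, so the
    stdlib has no "request but do not verify" mode: with CERT_OPTIONAL a
    certificate the client does send is still checked against the CAs loaded
    via load_verify_locations(), and a failure aborts the handshake.
    """
    ctx.verify_mode = ssl.CERT_OPTIONAL
    if allow_pha:
        # TLS 1.3 path: the certificate exchange is deferred until the server
        # calls SSLSocket.verify_client_post_handshake() and performs I/O.
        ctx.post_handshake_auth = True
    else:
        # Force TLS 1.2 so client auth happens inside the handshake itself.
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_server_context(certfile: str, keyfile: str, cafile: str, *, allow_pha: bool = False) -> ssl.SSLContext:
    # Hypothetical file paths: the server's own cert chain and the client CA bundle.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.load_verify_locations(cafile)
    return configure_client_auth(ctx, allow_pha=allow_pha)


def accept_one(ctx: ssl.SSLContext, listener: socket.socket):
    """Accept one TLS 1.2 connection; return the client's DER cert, or None."""
    raw, addr = listener.accept()
    conn = None
    try:
        conn = ctx.wrap_socket(raw, server_side=True)  # handshake runs here
        # Only reachable when the handshake (including client cert
        # verification) succeeded; None means the client sent no cert.
        return conn.getpeercert(binary_form=True) or None
    except ssl.SSLError as exc:
        # Verification failure aborts the handshake, so no certificate object
        # exists to inspect; the alert/reason code is the only evidence left.
        print(f"handshake with {addr} failed: {exc.reason}")
        return None
    finally:
        (conn or raw).close()
```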