From terry at BIZARSOFTWARE.COM.AU  Fri Oct 15 05:41:31 2004
From: terry at BIZARSOFTWARE.COM.AU (Terry Kerr)
Date: Fri, 15 Oct 2004 05:41:31 +0200
Subject: [PYTHON-CRYPTO] set SSLVerifyClient in ZServerSSL
Message-ID: <LISTSERV%2004101505413123@NIC.SURFNET.NL>

Hi,

We are using M2Crypto's ZServerSSL with our Zope application and after
upgrading to the m2crypto 0.13 from 0.6, IE on a Mac cannot connect to the
server.  It complains "Security Failure. Personal certificate required." and
will not connect. IE 5 on win2000 actually asks for a client certificate,
but  you are not required to select one, and the connection will still work.
All other browser I have tested include IE6 on win2000/XP and mozilla on
linux, safari on Mac, and netscape all work fine.

>From by research I beleive this is due to SSLVerifyClient being set to
'optional' at the server.  This has obviously changed from m2crypto 0.6
along the way somewhere, and my questions is, how do I set SSLVerifyClient
to false in my ZServerSSL to get rid of the error?

terry



From ngps at NETMEMETIC.COM  Fri Oct 15 11:29:25 2004
From: ngps at NETMEMETIC.COM (Ng Pheng Siong)
Date: Fri, 15 Oct 2004 17:29:25 +0800
Subject: [PYTHON-CRYPTO] set SSLVerifyClient in ZServerSSL
In-Reply-To: <LISTSERV%2004101505413123@NIC.SURFNET.NL>
References: <LISTSERV%2004101505413123@NIC.SURFNET.NL>
Message-ID: <20041015092925.GA441@vista.netmemetic.com>

On Fri, Oct 15, 2004 at 05:41:31AM +0200, Terry Kerr wrote:
> >From by research I beleive this is due to SSLVerifyClient being set to
> 'optional' at the server.  This has obviously changed from m2crypto 0.6
> along the way somewhere, and my questions is, how do I set SSLVerifyClient
> to false in my ZServerSSL to get rid of the error?

Assuming you're on Zope 2.7, in <zope_instance>/etc/zope.conf's section for
https-server, setting x509-remote-user to off should do it.

(I think the default should rightfully be off. Because of a packaging error
on my part, Zope 2.7's ZServerSSL isn't up on the repository; when I fix
that I'll set it to off.)

If you're on Zope 2.6, the default is off, but there is no configuration,
just code. Grep z2s.py for X509_REMOTE_USER.

Cheers.

--
Ng Pheng Siong <ngps at netmemetic.com>
http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL for Zope, Blog