Re: ssl server: how to disable client cert verification?

From: bar...@barrys-emacs.org (Barry)
Newsgroups: comp.lang.python
Subject: Re: ssl server: how to disable client cert verification?
Date: Thu, 3 Feb 2022 21:52:41 +0000
Message-ID: <mailman.13.1643926025.27178.python-list@python.org>
References: <61fc49d4.1c69fb81.a405c.5b87@mx.google.com>
<15D2E951-9767-4A40-8EAC-DDA63D611ACF@barrys-emacs.org>
 by: Barry - Thu, 3 Feb 2022 21:52 UTC

> On 3 Feb 2022, at 21:34, Grant Edwards <grant.b.edwards@gmail.com> wrote:
>
> On 2022-02-03, Kushal Kumaran <kushal@locationd.net> wrote:
>
>>> On Thu, Feb 03 2022 at 10:57:56 AM, Grant Edwards <grant.b.edwards@gmail.com> wrote:
>>> I've got a small ssl server app. I want to require a certificate from
>>> the client, so I'm using a context with
>>>
>>> context.verify_mode = ssl.CERT_REQUIRED
>>>
>>> But, I want all certificates accepted. How do I disable client
>>> certificate verification?
>>>
>>
>> Perhaps you can explain what your goal is.
>
> It's a troubleshooting utility for displaying a client's certificate.
>
>> Which kinds of client certificates do you want to permit
>
> All of them. Anything that's parsable as an X509 certificate no matter
> how "invalid" it is.
>
>> (to the best of my knowledge, none of these can be actually allowed):
>>
>> - expired certificates
>> - self-signed certificates
>> - certificates signed by untrusted CA
>> - completely garbage certificates (bad signature, etc.)
>>
>> I don't see what benefit you expect from requiring client
>> certificates if you don't care what the certificate says.
>
> I do care what it says. The whole point is to find out what it says.
>
> I just don't want it validated by the SSL layer: I want to print it
> out. That seems to be trivial to do for server certificates using
> "openssl s_client", but I can't find any way to do it for client
> certificates.
>
>> Why not simply set verify_mode to SSL_NONE and use other
>> authentication mechanisms?
>
> I'm not interested in doing any authentication.
>
> I just want to require that the client provide a certificate and then
> print it out using print(connection.getpeercert())

I am not near the PC with the code on it. But in outline, you provide an ssl context that
returns true for the validation of the cert always. You also get to have the x509 cert
in your hands. I use pyopenssl to play with x.509 certs.

Let me know if this is not enough info and I will dig out the code I have that
does this custom cert stuff.

Barry
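
The outline in the reply above, as an added example (not Barry's code and not from the original thread): a pyOpenSSL server context whose verify callback always returns True, so an expired, self-signed client certificate still completes the handshake and can be read on the server side. It assumes pyOpenSSL is installed; the certificates, the names `make_cert`, `make_context` and `show_client_cert`, and the in-memory handshake are constructed for the demo, and the context authenticates nobody.

```python
from OpenSSL import SSL, crypto

def make_cert(cn, expired=False):
    """Constructed self-signed certificate for the demo (no CA involved)."""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509()
    cert.get_subject().CN = cn
    cert.set_issuer(cert.get_subject())
    cert.set_serial_number(1)
    cert.gmtime_adj_notBefore(-7200)
    cert.gmtime_adj_notAfter(-3600 if expired else 3600)
    cert.set_pubkey(key)
    cert.sign(key, "sha256")
    return key, cert

def make_context(key, cert, verify_errors=None):
    ctx = SSL.Context(SSL.TLS_METHOD)
    ctx.use_certificate(cert)
    ctx.use_privatekey(key)
    if verify_errors is not None:  # server side: demand a cert, accept any
        def accept_all(conn, x509, errnum, depth, ok):
            if not ok:
                verify_errors.append(errnum)  # what OpenSSL objected to
            return True                       # override: never reject
        ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, accept_all)
    return ctx

def show_client_cert(client_cn, expired=True):
    """Handshake over memory BIOs; return (client CN seen by server, errors)."""
    errors = []
    server = SSL.Connection(make_context(*make_cert("constructed-server"), errors), None)
    client = SSL.Connection(make_context(*make_cert(client_cn, expired)), None)
    server.set_accept_state()
    client.set_connect_state()
    pending = [client, server]
    for _ in range(10):                       # a full handshake needs ~4 rounds
        for conn in list(pending):
            try:
                conn.do_handshake()
                pending.remove(conn)
            except SSL.WantReadError:         # needs more bytes from the peer
                pass
        for src, dst in ((client, server), (server, client)):
            try:
                dst.bio_write(src.bio_read(65536))
            except SSL.WantReadError:         # nothing queued in this direction
                pass
    return server.get_peer_certificate().get_subject().CN, errors
```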
