Re: ssl server: how to disable client cert verfication?

<mailman.14.1643927787.27178.python-list@python.org>

From: grant.b....@gmail.com (Grant Edwards)
Newsgroups: comp.lang.python
Subject: Re: ssl server: how to disable client cert verfication?
Date: Thu, 03 Feb 2022 14:36:25 -0800 (PST)
 by: Grant Edwards - Thu, 3 Feb 2022 22:36 UTC

On 2022-02-03, Barry <barry@barrys-emacs.org> wrote:
>
>> [...] I just want to require that the client provide a certificate
>> and then print it out using print(connection.getpeercert())
>
> I am not near the pc with the code on. But in outline you provide a
> ssl context that returns true for the validation of the cert always.

I thought that was what I was asking.

How do you create an ssl context that requests a client certificate
but then treats any received client certificate as valid?

I've looked through the ssl.Context documentation multiple times, and
haven't been able to spot any option or flag that disables client
certificate validation or allows the user to override the actual
client certificate validation process.

> You also get to have x509 cert in your hands. I use pyopenssl to
> play with x.509 certs.

I don't have any problem getting and printing the certificate once the
connection is established. The problem is preventing the handshake
from failing when the client certificate isn't valid and signed by a
CA provided to the context with .load_verify_locations().

> Let me know if this is not enough info and I will dig out the code I
> have that does this custom cert stuff.

--
Grant
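
Barry's outline (a context whose validation step always returns true), sketched with pyOpenSSL's verify callback as an added example; it is not code from either poster. The certificates are constructed, self-signed throwaways, the handshake runs in memory, and the names `self_signed`, `context` and `demo` are illustrative.

```python
from contextlib import suppress
from OpenSSL import SSL, crypto

def self_signed(cn):
    """Constructed throwaway key and self-signed cert (no CA involved)."""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509()
    cert.get_subject().CN = cn
    cert.set_serial_number(1)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(3600)
    cert.set_issuer(cert.get_subject())
    cert.set_pubkey(key)
    cert.sign(key, "sha256")
    return key, cert

def context(method, key, cert):
    ctx = SSL.Context(method)
    ctx.use_certificate(cert)
    ctx.use_privatekey(key)
    return ctx

def demo():
    chain_errors = []  # OpenSSL verdicts the callback chose to ignore

    def accept_any(conn, x509, errnum, depth, ok):
        chain_errors.append(errnum)
        return True  # never fail the handshake on chain validation

    sctx = context(SSL.TLS_SERVER_METHOD, *self_signed("demo-server"))
    # VERIFY_PEER makes the server request a client certificate;
    # FAIL_IF_NO_PEER_CERT still rejects clients that present none.
    sctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, accept_any)
    ckey, ccert = self_signed("demo-client")
    # The client skips server verification only to keep the demo short.
    cctx = context(SSL.TLS_CLIENT_METHOD, ckey, ccert)

    server, client = SSL.Connection(sctx, None), SSL.Connection(cctx, None)
    server.set_accept_state()
    client.set_connect_state()
    for _ in range(10):  # pump handshake records through the memory BIOs
        for side, peer in ((client, server), (server, client)):
            with suppress(SSL.WantReadError):
                side.do_handshake()
            with suppress(SSL.WantReadError):
                peer.bio_write(side.bio_read(65536))
    peer_cert = server.get_peer_certificate()
    return (peer_cert.get_subject().CN, peer_cert.digest("sha256"),
            ccert.digest("sha256"), chain_errors)
```

Because the callback accepts everything, the certificate proves only possession of its private key; any trust decision has to be made afterwards, for example by comparing the returned fingerprint against a pinned list.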
