Re: ssl server: how to disable client cert verification?

<mailman.9.1644001314.7010.python-list@python.org>

From: christ...@python.org (Christian Heimes)
Newsgroups: comp.lang.python
Subject: Re: ssl server: how to disable client cert verfication?
Date: Fri, 4 Feb 2022 20:01:53 +0100
Lines: 13
Message-ID: <mailman.9.1644001314.7010.python-list@python.org>
References: <61fc25b4.1c69fb81.ea933.f956@mx.google.com>
<87o83nkaoy.fsf@locationd.net> <61fc49d4.1c69fb81.a405c.5b87@mx.google.com>
<87bkznqsfy.fsf@locationd.net> <61fd6f67.1c69fb81.5db12.7425@mx.google.com>
<7dc6a1d4-7776-247d-355f-5246a555af6d@python.org>
 by: Christian Heimes - Fri, 4 Feb 2022 19:01 UTC

On 04/02/2022 19.24, Grant Edwards wrote:
> The problem is _getting_ the client certificate that was provided
> during the client/server handshake. That's trivial if the handshake
> was successful. The problem is obtaining the client certificate when
> the handshake fails. I was hoping there was a way to disable client
> certificate validation so that the handshake will succeed and then
> allow me to get the client certificate from the connection object.

FYI, it's more complicated in TLS 1.3. Post-handshake authentication
(PHA) can happen out-of-band. Only TLS 1.2 performs client cert auth
during handshake or renegotiation.

Christian
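
The timing difference described in the reply above, as an added example that is not part of the original post: a TLS 1.3 server built with Python's `ssl` module and post-handshake authentication enabled has no peer certificate when the handshake completes, and only sees one after it requests PHA and further records are exchanged. The helper names (`make_cert`, `shuttle`, `pha_demo`) are hypothetical, the certificate is a constructed throwaway generated on the fly, and the example assumes the `openssl` command-line tool is installed.

```python
import contextlib, ssl, subprocess, tempfile
from pathlib import Path

def make_cert(d):
    # Constructed throwaway self-signed cert/key (assumes the openssl CLI is installed).
    key, crt = str(Path(d, "key.pem")), str(Path(d, "cert.pem"))
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
                    "-keyout", key, "-out", crt], check=True, capture_output=True)
    return key, crt

def shuttle(src, dst):
    # Move pending TLS records from one endpoint's outgoing BIO to the other's incoming BIO.
    data = src.read()
    if data:
        dst.write(data)

def pha_demo():
    with tempfile.TemporaryDirectory() as d:
        key, crt = make_cert(d)
        sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        sctx.minimum_version = ssl.TLSVersion.TLSv1_3
        sctx.load_cert_chain(crt, key)
        sctx.load_verify_locations(crt)      # trust anchor for the client certificate
        sctx.verify_mode = ssl.CERT_REQUIRED
        sctx.post_handshake_auth = True      # no CertificateRequest in the initial handshake
        cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        cctx.load_verify_locations(crt)
        cctx.load_cert_chain(crt, key)       # same throwaway cert reused as the client cert
        cctx.post_handshake_auth = True      # client signals that it supports PHA
        expected = ssl.PEM_cert_to_DER_cert(Path(crt).read_text())
    s_in, s_out, c_in, c_out = (ssl.MemoryBIO() for _ in range(4))
    server = sctx.wrap_bio(s_in, s_out, server_side=True)
    client = cctx.wrap_bio(c_in, c_out, server_hostname="localhost")
    pending = [client, server]
    while pending:                           # drive both handshakes in one thread
        for side in list(pending):
            with contextlib.suppress(ssl.SSLWantReadError):
                side.do_handshake()
                pending.remove(side)
            shuttle(c_out, s_in)
            shuttle(s_out, c_in)
    before = server.getpeercert(binary_form=True)   # handshake done, no client cert yet
    server.verify_client_post_handshake()
    server.write(b"auth?")                   # CertificateRequest goes out with this write
    shuttle(s_out, c_in)
    client.read()                            # client processes the CertificateRequest
    client.write(b"ok")
    shuttle(c_out, s_in)
    server.read()                            # server receives and verifies the certificate
    return server.version(), before, server.getpeercert(binary_form=True) == expected
```

`pha_demo()` returns the negotiated version, the peer certificate seen right after the handshake, and whether the certificate seen after PHA matches the client's.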
