Re: ssl server: how to disable client cert verification?

<mailman.14.1644003811.7010.python-list@python.org>

From: grant.b....@gmail.com (Grant Edwards)
Newsgroups: comp.lang.python
Subject: Re: ssl server: how to disable client cert verification?
Date: Fri, 04 Feb 2022 11:43:28 -0800 (PST)
 by: Grant Edwards - Fri, 4 Feb 2022 19:43 UTC

On 2022-02-04, Christian Heimes <christian@python.org> wrote:
> On 03/02/2022 19.57, Grant Edwards wrote:
>> I've got a small ssl server app. I want to require a certificate from
>> the client, so I'm using a context with
>>
>> context.verify_mode = ssl.CERT_REQUIRED
>>
>> But, I want all certificates accepted. How do I disable client
>> certificate verification?
>
> You can't. Python's ssl module does not expose the necessary feature to
> override the verification callback SSL_CTX_set_verify(). PyOpenSSL lets
> you set a callback and ignore any and all errors.

Thanks! I'll look into that.

Since "openssl s_client" didn't seem to have any option to ignore
client cert validity, I was starting to wonder if ignoring it was
simply impossible with openssl.

--
Grant
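
The approach Christian Heimes describes, as an added example that is not part of the original thread: a pyOpenSSL server context that demands a client certificate while a verify callback overrides every validation error. The function names and the KNOWN_CLIENTS fingerprint set are assumptions for illustration; since chain validation no longer authenticates anyone, the application compares the presented certificate's SHA-256 fingerprint against its own allowlist.

```python
"""Demand a client certificate, accept any, decide trust in the application."""

# Constructed sample allowlist of SHA-256 certificate fingerprints (assumption).
KNOWN_CLIENTS = {"AA:" * 31 + "AA"}


def accept_any_client_cert(conn, x509, errnum, errdepth, ok):
    """pyOpenSSL verify callback; returning True overrides OpenSSL's verdict."""
    if not ok:
        # Keep the overridden errors per connection so they can be logged.
        overridden = conn.get_app_data() or []
        overridden.append((errdepth, errnum))
        conn.set_app_data(overridden)
    return True


def client_is_known(conn, allowlist=KNOWN_CLIENTS):
    """After the handshake: identify the peer by fingerprint, not by chain."""
    cert = conn.get_peer_certificate()
    if cert is None:
        return False
    return cert.digest("sha256").decode("ascii") in allowlist


def make_server_context(certfile, keyfile):
    """Build the context; certfile/keyfile are the server's own PEM files."""
    from OpenSSL import SSL  # pyOpenSSL, imported lazily so the helpers load without it

    ctx = SSL.Context(SSL.TLS_SERVER_METHOD)
    ctx.use_certificate_file(certfile)
    ctx.use_privatekey_file(keyfile)
    # VERIFY_PEER requests a client certificate; FAIL_IF_NO_PEER_CERT makes it
    # mandatory. The callback then waves through whatever certificate arrives.
    ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
                   accept_any_client_cert)
    return ctx
```

With the callback returning True for everything, an expired, self-signed or unknown-CA certificate completes the handshake, so client_is_known (or an equivalent check) is the only thing standing between a presented certificate and an authenticated session.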
