Issue31242
Created on 2017-08-20 21:49 by rfinnie, last changed 2022-04-11 14:58 by admin.
| Pull Requests | |||
|---|---|---|---|
| URL | Status | Linked | Edit |
| PR 31391 | open | freundTech, 2022-02-17 16:34 | |
| Messages (5) | |||
|---|---|---|---|
| msg300607 - (view) | Author: Ryan Finnie (rfinnie) | Date: 2017-08-20 21:49 | |
At the moment, SSLContext.verify_mode() allows for three modes when dealing with Purpose.CLIENT_AUTH / server_side=True: - CERT_NONE (server does not request client certificate, client does not provide it) - CERT_OPTIONAL (server requests client certificate, raises SSLError if provided but fails verification, continues if not provided) - CERT_REQUIRED (server requests client certificate, raises SSLError if provided but fails verification, raises SSLError if not provided) There is currently no way to request a client certificate and manually verify it (or ignore it) if it doesn't pass OpenSSL verification. OpenSSL provides SSL_CTX_set_cert_verify_callback for using a custom callback[0], but this is not exposed in Python. It would be nice to have a set_verify_callback() method, similar to how set_servername_callback() does it for SSL_CTX_set_tlsext_servername_callback. [0] https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_verify.html |
|||
| msg359268 - (view) | Author: Kent Watsen (kwatsen) | Date: 2020-01-04 01:17 | |
Very much needing this! My situation is a mutli-tenant asynchio-based server whereby each tenant is able to configure other clients that can connect. The current strategy requires all certs to be known up-front that, for now, necessitates a painful restart whenever new auth for a client-certificate is configured. |
|||
| msg413417 - (view) | Author: Adrian Freund (freundTech) * | Date: 2022-02-17 16:54 | |
I also need this feature for something I'm working on, so I looked into it a bit and pushed a small proof of concept implementation to GitHub (See PR 31391). I'm not sure if I'll have enough time to finish and clean up this implementation, but at least there is a starting point. I also opened bpo-46779 as a simpler method to solve most of the usecases that would be solved by this api. |
|||
| msg413422 - (view) | Author: Christian Heimes (christian.heimes) *  |
Date: 2022-02-17 18:09 | |
Unfortunately a generic and future-proof verify callback is much more work. We need to expose and wrap X509_STORE_CTX, X509_STORE, X509 (include STACK_OF(X509)), and probably several other OpenSSL structures. We also need to expose error codes. |
|||
| msg413424 - (view) | Author: Christian Heimes (christian.heimes) * |
Date: 2022-02-17 18:10 | |
bpo-28747 was an older ticket for implementing a callback. |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:58:50 | admin | set | github: 75425 |
| 2022-02-17 18:10:47 | christian.heimes | set | assignee: christian.heimes -> messages: + msg413424 |
| 2022-02-17 18:09:02 | christian.heimes | set | superseder: Expose SSL_CTX_set_cert_verify_callback messages: + msg413422 |
| 2022-02-17 16:54:35 | freundTech | set | messages:
+ msg413417 versions: + Python 3.11, - Python 3.8 |
| 2022-02-17 16:34:48 | freundTech | set | keywords:
+ patch stage: needs patch -> patch review pull_requests: + pull_request29536 |
| 2022-02-17 08:35:48 | freundTech | set | nosy:
+ freundTech |
| 2020-11-11 22:15:58 | MineRobber9000 | set | nosy:
+ MineRobber9000 |
| 2020-11-11 19:29:01 | christian.heimes | link | issue42326 superseder |
| 2020-01-04 01:17:53 | kwatsen | set | messages: + msg359268 |
| 2020-01-03 23:49:27 | kwatsen | set | nosy:
+ kwatsen |
| 2018-11-07 09:07:00 | David Peall | set | nosy:
+ David Peall |
| 2018-02-26 08:25:15 | christian.heimes | set | stage: needs patch versions: + Python 3.8 |
| 2017-08-20 21:49:16 | rfinnie | create | |