Re: ssl server: how to disable client cert verification?

From: grant.b.edwards@gmail.com (Grant Edwards)
Newsgroups: comp.lang.python
Subject: Re: ssl server: how to disable client cert verfication?
Date: Thu, 03 Feb 2022 13:32:04 -0800 (PST)
Lines: 50
Message-ID: <mailman.11.1643923926.27178.python-list@python.org>
References: <61fc25b4.1c69fb81.ea933.f956@mx.google.com>
<87o83nkaoy.fsf@locationd.net>
<61fc49d4.1c69fb81.a405c.5b87@mx.google.com>
 by: Grant Edwards - Thu, 3 Feb 2022 21:32 UTC

On 2022-02-03, Kushal Kumaran <kushal@locationd.net> wrote:

> On Thu, Feb 03 2022 at 10:57:56 AM, Grant Edwards <grant.b.edwards@gmail.com> wrote:
>> I've got a small ssl server app. I want to require a certificate from
>> the client, so I'm using a context with
>>
>> context.verify_mode = ssl.CERT_REQUIRED
>>
>> But, I want all certificates accepted. How do I disable client
>> certificate verification?
>>
>
> Perhaps you can explain what your goal is.

It's a troubleshooting utility for displaying a client's certificate.

> Which kinds of client certificates do you want to permit

All of them. Anything that's parsable as an X509 certificate no matter
how "invalid" it is.

> (to the best of my knowledge, none of these can be actually allowed):
>
> - expired certificates
> - self-signed certificates
> - certificates signed by untrusted CA
> - completely garbage certificates (bad signature, etc.)
>
> I don't see what benefit you expect from requiring client
> certificates if you don't care what the certificate says.

I do care what it says. The whole point is to find out what it says.

I just don't want it validated by the SSL layer: I want to print it
out. That seems to be trivial to do for server certificates using
"openssl s_client", but I can't find any way to do it for client
certificates.

> Why not simply set verify_mode to SSL_NONE and use other
> authentication mechanisms?

I'm not interested in doing any authentication.

I just want to require that the client provide a certificate and then
print it out using print(connection.getpeercert())

--
Grant

