Re: ssl server: how to disable client cert verfication?

https://www.rocksolidbbs.com/devel/article-flat.php?id=21306&group=comp.lang.python#21306

From: kushal@locationd.net (Kushal Kumaran)
Newsgroups: comp.lang.python
Subject: Re: ssl server: how to disable client cert verfication?
Date: Thu, 03 Feb 2022 18:25:05 -0800
Lines: 70
Message-ID: <mailman.2.1643955791.7010.python-list@python.org>
References: <61fc25b4.1c69fb81.ea933.f956@mx.google.com>
<87o83nkaoy.fsf@locationd.net>
<61fc49d4.1c69fb81.a405c.5b87@mx.google.com>
<87bkznqsfy.fsf@locationd.net>
In-Reply-To: <61fc49d4.1c69fb81.a405c.5b87@mx.google.com> (Grant Edwards's
message of "Thu, 03 Feb 2022 13:32:04 -0800 (PST)")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux)

On Thu, Feb 03 2022 at 01:32:04 PM, Grant Edwards <grant.b.edwards@gmail.com> wrote:
> On 2022-02-03, Kushal Kumaran <kushal@locationd.net> wrote:
>
>> On Thu, Feb 03 2022 at 10:57:56 AM, Grant Edwards <grant.b.edwards@gmail.com> wrote:
>>> I've got a small ssl server app. I want to require a certificate from
>>> the client, so I'm using a context with
>>>
>>> context.verify_mode = ssl.CERT_REQUIRED
>>>
>>> But, I want all certificates accepted. How do I disable client
>>> certificate verification?
>>>
>>
>> Perhaps you can explain what your goal is.
>
> It's a troubleshooting utility for displaying a client's certificate.
>
>> Which kinds of client certificates do you want to permit
>
> All of them. Anything that's parsable as an X509 certificate no matter
> how "invalid" it is.
>

Does `openssl x509 -in <filename> -text -noout` do what you want?

>> (to the best of my knowledge, none of these can be actually allowed):
>>
>> - expired certificates
>> - self-signed certificates
>> - certificates signed by untrusted CA
>> - completely garbage certificates (bad signature, etc.)
>>
>> I don't see what benefit you expect from requiring client
>> certificates if you don't care what the certificate says.
>
> I do care what it says. The whole point is to find out what it says.
>
> I just don't want it validated by the SSL layer: I want to print it
> out. That seems to be trivial to do for server certificates using
> "openssl s_client", but I can't find any way to do it for client
> certificates.
>

In your place, I would simply use the openssl x509 command. If I wanted
more/different info, I would write a script to load the certificate and
print out the relevant info. If this functionality must be provided
by a server, I would write it so that a certificate could be POSTed to
the server (without using client certificates), and it would in turn do
the parsing equivalent to what the standalone script would do and
respond with the relevant info. (But I hear X.509 parsing is an
esoteric mess, and it's unclear to me what demons lie in the area of
parsing untrusted X.509 content).

I don't know how to use the stdlib's ssl module to do this kind of
parsing. The cryptography package makes this simple though:

https://cryptography.io/en/latest/x509/reference/#loading-certificates

>> Why not simply set verify_mode to SSL_NONE and use other
>> authentication mechanisms?
>
> I'm not interested in doing any authentication.
>
> I just want to require that the client provide a certificate and then
> print it out using print(connection.getpeercert())
>

--
regards,
kushal
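
An added example of the standalone script the reply above proposes (this is not code from the thread or from either participant). It assumes the third-party `cryptography` package is installed and that the certificate to inspect is handed over as PEM or DER bytes, e.g. from a file or an HTTP POST body; the sample certificate, the `troubleshoot-client` name and the fixed "now" are constructed here so the script runs offline. Nothing in it validates trust: an expired or self-signed certificate is described just like a valid one, which is the behaviour the original poster wanted and the TLS layer's `CERT_REQUIRED` would refuse.

```python
# Added example, not code from the thread: describe an X.509 certificate
# with the third-party `cryptography` package (assumed installed) without
# performing any trust validation, i.e. what the standalone script
# suggested in the reply would do.
import datetime
import json
import sys

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def _as_utc(dt):
    """Older cryptography releases return naive UTC datetimes; make them aware."""
    return dt if dt.tzinfo else dt.replace(tzinfo=UTC)


def describe_certificate(data, now=None):
    """Load a PEM or DER certificate and return the fields a troubleshooting
    tool would print. No signature, chain or trust check happens here: an
    expired, self-signed or garbage-signed certificate is still described,
    as long as it parses as X.509 at all."""
    if data.lstrip().startswith(b"-----BEGIN"):
        cert = x509.load_pem_x509_certificate(data)
    else:
        cert = x509.load_der_x509_certificate(data)
    now = now or datetime.datetime.now(UTC)
    # The *_utc properties exist from cryptography 42 on; fall back to the older names.
    not_before = _as_utc(getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before)
    not_after = _as_utc(getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after)
    pub = cert.public_key()
    if isinstance(pub, ec.EllipticCurvePublicKey):
        key_desc = "ec/" + pub.curve.name
    else:
        key_desc = type(pub).__name__ + "/" + str(getattr(pub, "key_size", "?"))
    sig_hash = cert.signature_hash_algorithm
    return {
        "subject": cert.subject.rfc4514_string(),
        "issuer": cert.issuer.rfc4514_string(),
        "serial_number": format(cert.serial_number, "x"),
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
        "signature_hash": sig_hash.name if sig_hash else None,
        "public_key": key_desc,
        "sha256_fingerprint": cert.fingerprint(hashes.SHA256()).hex(),
        "self_signed": cert.subject == cert.issuer,
        "expired": now > not_after,
        "not_yet_valid": now < not_before,
        "extensions": [e.oid.dotted_string for e in cert.extensions],
    }


def make_sample_certificate(common_name, not_before, not_after):
    """Constructed sample input: a self-signed EC certificate with the given
    validity window (naive datetimes are taken as UTC by the builder)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


# Constructed "now" for a reproducible check; the sample certificate below
# expired a month earlier, which the TLS layer would reject outright.
SAMPLE_NOW = datetime.datetime(2022, 2, 4, tzinfo=UTC)


def sample_report():
    pem = make_sample_certificate(
        "troubleshoot-client",
        datetime.datetime(2021, 1, 1),
        datetime.datetime(2022, 1, 1),
    )
    return describe_certificate(pem, now=SAMPLE_NOW)


if __name__ == "__main__":
    # Usage: python describe_cert.py [certificate.pem | certificate.der]
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(json.dumps(describe_certificate(f.read()), indent=2))
    else:
        print(json.dumps(sample_report(), indent=2))
```

Feeding this function the body of a POST request keeps client certificates out of the TLS handshake entirely, as the reply suggests, while the parsing of untrusted X.509 content is left to a maintained library rather than hand-written ASN.1 code.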