Re: ssl server: how to disable client cert verification?

From: grant.b.edwards@gmail.com (Grant Edwards)
Newsgroups: comp.lang.python
Subject: Re: ssl server: how to disable client cert verification?
Date: Fri, 04 Feb 2022 10:24:39 -0800 (PST)
Lines: 56
Message-ID: <mailman.6.1643999082.7010.python-list@python.org>
 by: Grant Edwards - Fri, 4 Feb 2022 18:24 UTC

On 2022-02-04, Kushal Kumaran <kushal@locationd.net> wrote:

>> It's a troubleshooting utility for displaying a client's certificate.
>>
>>> Which kinds of client certificates do you want to permit
>>
>> All of them. Anything that's parsable as an X509 certificate no matter
>> how "invalid" it is.
>>
>
> Does `openssl x509 -in <filename> -text -noout` do what you want?

Where does <filename> come from?

>> I just don't want it validated by the SSL layer: I want to print it
>> out. That seems to be trivial to do for server certificates using
>> "openssl s_client", but I can't find any way to do it for client
>> certificates.
>
> In your place, I would simply use the openssl x509 command.

How does the x509 command obtain the certificate from the
client/server handshake?

> If I wanted more/different info, I would write a script to load the
> certificate and print out the relevant info.

How does one "load the certificate" from the client?

> If this functionality must be provided by a server,

> I would write it so that a certificate could be POSTed to
> the server (without using client certificates),

The problem is in getting the certificate that is provided by the client
during the handshake with the server. Don't worry about how to
parse/print it -- I can deal with that.

> I don't know how to use the stdlib's ssl module to do this kind of
> parsing.

I'm not asking about parsing x509 certificates. That's not the
problem.

The problem is _getting_ the client certificate that was provided
during the client/server handshake. That's trivial if the handshake
was successful. The problem is obtaining the client certificate when
the handshake fails. I was hoping there was a way to disable client
certificate validation so that the handshake will succeed and then
allow me to get the client certificate from the connection object.

--
Grant

