On 2022-02-03, Kushal Kumaran <kus...@locationd.net> wrote:
> On Thu, Feb 03 2022 at 10:57:56 AM, Grant Edwards <grant.b.edwa...@gmail.com> wrote:
>> I've got a small ssl server app. I want to require a certificate from
>> the client, so I'm using a context with
>>
>>   context.verify_mode = ssl.CERT_REQUIRED
>>
>> But, I want all certificates accepted. How do I disable client
>> certificate verification?
>>
>
> Perhaps you can explain what your goal is.

It's a troubleshooting utility for displaying a client's certificate.

> Which kinds of client certificates do you want to permit

All of them. Anything that's parsable as an X509 certificate no matter
how "invalid" it is.

> (to the best of my knowledge, none of these can be actually allowed):
>
> - expired certificates
> - self-signed certificates
> - certificates signed by untrusted CA
> - completely garbage certificates (bad signature, etc.)
>
> I don't see what benefit you expect from requiring client
> certificates if you don't care what the certificate says.

I do care what it says. The whole point is to find out what it says. I
just don't want it validated by the SSL layer: I want to print it
out. That seems to be trivial to do for server certificates using
"openssl s_client", but I can't find any way to do it for client
certificates.

> Why not simply set verify_mode to SSL_NONE and use other
> authentication mechanisms?

I'm not interested in doing any authentication. I just want to require
that the client provide a certificate and then print it out using
print(connection.getpeercert())

--
Grant