On Thu, Feb 03 2022 at 01:32:04 PM, Grant Edwards <grant.b.edwa...@gmail.com> wrote:
> On 2022-02-03, Kushal Kumaran <kus...@locationd.net> wrote:
>
>> On Thu, Feb 03 2022 at 10:57:56 AM, Grant Edwards
>> <grant.b.edwa...@gmail.com> wrote:
>>> I've got a small ssl server app. I want to require a certificate from
>>> the client, so I'm using a context with
>>>
>>> context.verify_mode = ssl.CERT_REQUIRED
>>>
>>> But, I want all certificates accepted. How do I disable client
>>> certificate verification?
>>>
>>
>> Perhaps you can explain what your goal is.
>
> It's a troubleshooting utility for displaying a client's certificate.
>
>> Which kinds of client certificates do you want to permit
>
> All of them. Anything that's parsable as an X509 certificate no matter
> how "invalid" it is.
>

Does `openssl x509 -in <filename> -text -noout` do what you want?

>> (to the best of my knowledge, none of these can be actually allowed):
>>
>> - expired certificates
>> - self-signed certificates
>> - certificates signed by untrusted CA
>> - completely garbage certificates (bad signature, etc.)
>>
>> I don't see what benefit you expect from requiring client
>> certificates if you don't care what the certificate says.
>
> I do care what it says. The whole point is to find out what it says.
>
> I just don't want it validated by the SSL layer: I want to print it
> out. That seems to be trivial to do for server certificates using
> "openssl s_client", but I can't find any way to do it for client
> certificates.
>

In your place, I would simply use the openssl x509 command. If I wanted
more/different info, I would write a script to load the certificate and
print out the relevant info.

If this functionality must be provided by a server, I would write it so
that a certificate could be POSTed to the server (without using client
certificates), and it would in turn do the parsing equivalent to what the
standalone script would do and respond with the relevant info. (But I
hear X.509 parsing is an esoteric mess, and it's unclear to me what
demons lie in the area of parsing untrusted X.509 content).

I don't know how to use the stdlib's ssl module to do this kind of
parsing. The cryptography package makes this simple though:
https://cryptography.io/en/latest/x509/reference/#loading-certificates

>> Why not simply set verify_mode to SSL_NONE and use other
>> authentication mechanisms?
>
> I'm not interested in doing any authentication.
>
> I just want to require that the client provide a certificate and then
> print it out using print(connection.getpeercert())
>

-- 
regards,
kushal
-- 
https://mail.python.org/mailman/listinfo/python-list
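The "write a script to load the certificate and print out the relevant info" approach from the reply above, as an added example that is not code from this thread, from the stdlib, or from the cryptography project: a pure-stdlib DER walker that pulls the identifying fields (version, serial, signature algorithm, issuer, validity, subject) out of a certificate without validating anything, which is exactly the separation between "show me what it says" and "is it acceptable" the thread is circling. The sample certificate, its names and serial are constructed inside build_sample_certificate() (deliberately expired, with a made-up signature), so the script runs offline. Every DER length is bounds-checked before it is used, so truncated or lying input is rejected with DerError instead of being read past the end of the buffer, which is where the "demons" of parsing untrusted X.509 usually live. The cryptography package's load_der_x509_certificate / load_pem_x509_certificate does this far more completely; this shows what sits underneath.

```python
import datetime

# ASN.1 tags and the OIDs used below (constants from the X.509/ASN.1 specs).
SEQ, SET, INT, BITSTR, NULL, OID, UTF8, UTCTIME, CTX0 = 0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17, 0xA0
OID_BYTES = {"CN": b"\x55\x04\x03", "O": b"\x55\x04\x0a", "C": b"\x55\x04\x06"}
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.6": "C"}
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11

class DerError(ValueError):
    """Anything that is not well-formed DER / X.509 structure."""

def _read_tlv(buf, pos):
    """Decode one tag-length-value at buf[pos:] -> (tag, value, next_pos).
    Every length is checked against the buffer, so truncated or lying input fails cleanly."""
    if pos + 2 > len(buf):
        raise DerError("truncated: expected tag and length")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise DerError("indefinite, oversized or truncated length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if length < 0x80:
            raise DerError("non-minimal length (BER, not DER)")
    if pos + length > len(buf):
        raise DerError("length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed element's payload into [(tag, value), ...]."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _read_tlv(value, pos)
        out.append((tag, v))
    return out

def _decode_oid(b):
    """Base-128 OID bytes to dotted form, e.g. 55 04 03 -> '2.5.4.3'."""
    if not b:
        raise DerError("empty OID")
    arcs, val, pending = ([2, b[0] - 80] if b[0] >= 80 else [b[0] // 40, b[0] % 40]), 0, False
    for byte in b[1:]:
        val, pending = (val << 7) | (byte & 0x7F), bool(byte & 0x80)
        if not pending:
            arcs.append(val)
            val = 0
    if pending:
        raise DerError("truncated OID arc")
    return ".".join(map(str, arcs))

def _decode_name(value):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value } -> 'CN=x, O=y'."""
    parts = []
    for set_tag, set_val in _children(value):
        for seq_tag, seq_val in _children(set_val):
            atv = _children(seq_val)
            if set_tag != SET or seq_tag != SEQ or len(atv) != 2 or atv[0][0] != OID:
                raise DerError("malformed Name")
            dotted = _decode_oid(atv[0][1])
            # All string types are shown as UTF-8; undecodable bytes are replaced, not trusted.
            parts.append(f"{OID_NAMES.get(dotted, dotted)}={atv[1][1].decode('utf-8', 'replace')}")
    return ", ".join(parts)

def _decode_time(tag, value):
    """UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ) -> datetime."""
    fmt = {UTCTIME: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}.get(tag)
    if fmt is None:
        raise DerError("unexpected time tag")
    return datetime.datetime.strptime(value.decode("ascii", "replace"), fmt)

def describe_certificate(der):
    """Identifying fields of a DER certificate as a dict. The signature is
    carried along but never checked: this is display, not validation."""
    tag, cert, end = _read_tlv(der, 0)
    outer = _children(cert) if tag == SEQ and end == len(der) else []
    if len(outer) != 3 or outer[0][0] != SEQ:
        raise DerError("expected Certificate ::= SEQUENCE { tbs, sigAlg, signature }")
    fields, idx, version = _children(outer[0][1]), 0, 1
    if fields and fields[0][0] == CTX0:            # optional [0] EXPLICIT Version
        ver = _children(fields[0][1])
        if len(ver) != 1 or ver[0][0] != INT:
            raise DerError("malformed version")
        version, idx = int.from_bytes(ver[0][1], "big") + 1, 1
    if len(fields) < idx + 6 or fields[idx][0] != INT:
        raise DerError("TBSCertificate is missing mandatory fields")
    sig_alg, validity = _children(fields[idx + 1][1]), _children(fields[idx + 3][1])
    if not sig_alg or sig_alg[0][0] != OID or len(validity) != 2:
        raise DerError("malformed signature algorithm or validity")
    return {
        "version": version,
        "serial": int.from_bytes(fields[idx][1], "big", signed=True),
        "signature_algorithm": _decode_oid(sig_alg[0][1]),
        "issuer": _decode_name(fields[idx + 2][1]),
        "not_before": _decode_time(*validity[0]),
        "not_after": _decode_time(*validity[1]),
        "subject": _decode_name(fields[idx + 4][1]),
    }

# --- minimal DER encoder, used only to construct the sample certificate ---
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def _name(**attrs):
    return _der(SEQ, b"".join(_der(SET, _der(SEQ, _der(OID, OID_BYTES[k]) + _der(UTF8, v.encode())))
                              for k, v in attrs.items()))

def build_sample_certificate():
    """Constructed sample (invented names): v3 shape, expired in 2021, placeholder
    SPKI and a made-up signature. Parsable, valid for nothing."""
    sig_alg = _der(SEQ, _der(OID, OID_SHA256_RSA) + _der(NULL, b""))
    tbs = _der(SEQ, _der(CTX0, _der(INT, b"\x02"))                          # version v3
                    + _der(INT, b"\x12\x34")                                # serialNumber
                    + sig_alg
                    + _name(C="US", O="Example Test CA")                    # issuer
                    + _der(SEQ, _der(UTCTIME, b"200101000000Z") + _der(UTCTIME, b"210101000000Z"))
                    + _name(CN="client.example.test", O="Example Client")   # subject
                    + _der(SEQ, _der(SEQ, _der(OID, OID_SHA256_RSA[:-1] + b"\x01") + _der(NULL, b""))
                                + _der(BITSTR, b"\x00" * 17)))              # SPKI placeholder (rsaEncryption OID)
    return _der(SEQ, tbs + sig_alg + _der(BITSTR, b"\x00" + b"\xde\xad\xbe\xef" * 4))

if __name__ == "__main__":
    for k, v in describe_certificate(build_sample_certificate()).items():
        print(f"{k:20} {v}")
```

To feed it a real certificate, convert PEM to DER first (`openssl x509 -in cert.pem -outform DER -out cert.der`) and pass the file's bytes to describe_certificate(); extensions, the public key and the signature are skipped on purpose, and anything that does not match the expected shape raises DerError rather than being guessed at.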