On Tue, Dec 10, 2013 at 9:41 AM, Phil Mayers <p.may...@imperial.ac.uk> wrote:
> Unless you set the appropriate verify options on the server side too, the
> client cert isn't available for inspection.
>

A-ha! But I want to do TOFU-POP; the certs are generated by the client, and there's little point in me signing them (I don't need to be able to verify that I ever signed them somewhere else).

The context factory I got from PrivateCertificate.options() doesn't seem to do what I want, so I wrote my own SSL ContextFactory like it's 1999; I used VERIFY_PEER with a callback that always claims it validated:

    from OpenSSL.SSL import Context, TLSv1_METHOD, VERIFY_PEER

    class ContextFactory(object):
        def getContext(self):
            ctx = Context(TLSv1_METHOD)
            ctx.use_certificate_file("cert.pem")
            ctx.use_privatekey_file("key.pem")
            # VERIFY_PEER makes the server request the client's certificate
            ctx.set_verify(VERIFY_PEER, _verify)
            return ctx

    def _verify(connection, x509, errorNumber, errorDepth, returnCode):
        """Always pretend the certificate verified.
        """
        return True

Does that sound about right, or is there an easier way to do this?

(Yeah, yeah, don't hardcode paths etc :))

cheers
lvh
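With a verify callback that always returns True, the TLS layer accepts any client certificate, so the trust-on-first-use decision has to be made by the application after the handshake. An added example (not code from the original message or from Twisted) of that pin check, using only the standard library; `TofuPinStore`, `PinMismatch`, the JSON pin file and the identity string are hypothetical, and the byte strings stand in for the DER bytes of the peer certificate.

```python
import hashlib
import hmac
import json
import os
import tempfile

class PinMismatch(Exception):
    """The presented certificate differs from the one pinned on first use."""

class TofuPinStore(object):
    """Hypothetical store: client identity -> SHA-256 certificate fingerprint."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def check(self, identity, cert_der):
        """Return "pinned" on first use, "match" afterwards; raise on change."""
        seen = hashlib.sha256(cert_der).hexdigest()
        known = self.pins.get(identity)
        if known is None:
            self.pins[identity] = seen
            self._save()
            return "pinned"
        if not hmac.compare_digest(known, seen):
            raise PinMismatch(identity)  # the stored pin is left untouched
        return "match"

    def _save(self):
        # Write to a temp file and rename so a crash cannot truncate the pins.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(self.path) or ".")
        with os.fdopen(fd, "w") as f:
            json.dump(self.pins, f)
        os.replace(tmp, self.path)

def demo():
    # Constructed byte strings standing in for DER-encoded client certificates.
    alice_cert, other_cert = b"constructed-der-alice", b"constructed-der-other"
    path = os.path.join(tempfile.mkdtemp(), "pins.json")
    results = [TofuPinStore(path).check("alice", alice_cert)]      # first contact
    results.append(TofuPinStore(path).check("alice", alice_cert))  # after reload
    try:
        TofuPinStore(path).check("alice", other_cert)  # different certificate
    except PinMismatch:
        results.append("rejected")
    return results
```

With pyOpenSSL, the DER bytes to pass in can be produced with `OpenSSL.crypto.dump_certificate(FILETYPE_ASN1, cert)` on the peer certificate.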