> On Jul 12, 2021, at 1:05 AM, Adi Roiban <a...@roiban.ro> wrote:
> 
> On Mon, 12 Jul 2021 at 08:09, Ian Haywood <i...@haywood.id.au> wrote:
> I am trying to work out how to retrieve on the server an X.509
> certificate presented by the HTTPS client.  This code tries to tell me
> the transport has no peer certificate.
> 
> Same error when I use wget as a client, so I think my problem is in the
> server code. I'm using self-signed certificates.
> 
> Any clues as to what I'm doing wrong?
> 
> Ian
> 
> 
> As commented by Glyph, you will first need to set up one or a list of accepted
> CAs.
> 
> Then set up a custom server-side context.
> 
> Add the CA via
> https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.load_verify_locations
> 
> This is done via
> https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.set_verify
> to define a path or dir
> or implement a custom one via
> https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.get_cert_store

FWIW I would avoid calling the pyOpenSSL APIs for this, since hopefully we'll 
manage to move away from OpenSSL and at least somewhat abstract away the 
transition.  These map to the 'caCerts' and 'verify=True' arguments to 
CertificateOptions, if you need more flexibility than the tutorial 
documentation that I linked previously:
https://twistedmatrix.com/documents/20.3.0/api/twisted.internet.ssl.CertificateOptions.html
> Without set_verify, during the TLS/SSL handshake the server will not ask the 
> client to send its own certificate.
> 
> ---------
>  
> I am using X509 authentication as a passwordless authentication for
> automated transfers, similar to SSH key authentication.
> 
> The x509 certificate authentication is used by the Spanish government across 
> many of their services.
> Taxes, customs, health service ...
> 
> -- 
> Adi Roiban
> _______________________________________________
> Twisted-Python mailing list
> Twisted-Python@twistedmatrix.com
> https://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python