
Classification
Title: SSL server requesting client certificates should send CA list
Type: behavior
Stage: needs patch
Components: SSL
Versions: Python 3.7
Process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To:
Nosy List: alex, christian.heimes, dstufft, janssen, kchen
Priority: normal
Keywords:

Created on 2016-11-11 23:30 by kchen, last changed 2022-04-11 14:58 by admin.

Messages (2)
msg280620 - (view) Author: Kevin Chen (kchen) Date: 2016-11-11 23:30
When a Python HTTPS server requests client certificates, it should send a CA list so the client knows which certificates are acceptable.

It looks like right now Python calls SSL_CTX_load_verify_locations, so once the client certificate is sent, Python can verify the client against the specified CAs.  However, it looks like Python should also call SSL_CTX_set_client_CA_list so the client knows which certificates to send.
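Added example (not from the bug report or from CPython): a pure-Python decoder for the TLS 1.2 CertificateRequest handshake message, which is where the list configured with SSL_CTX_set_client_CA_list ends up on the wire. Run against a constructed sample, it shows the CA names a client receives when the server sets the list and the empty list it receives when the server only calls SSL_CTX_load_verify_locations. The message layout follows RFC 5246 section 7.4.4; the DN, the OID table and the helper functions `der`/`build_request` are constructed for this example.

```python
import struct

OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}

def der_tlv(data, pos=0):
    """Decode one DER TLV (definite length); return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_name(der_name):
    """Render a DER X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) as 'CN=...,O=...'."""
    _, seq, _ = der_tlv(der_name)
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = der_tlv(seq, pos)  # SET OF AttributeTypeAndValue
        _, atv, _ = der_tlv(rdn)         # SEQUENCE { OID, value }
        _, oid, vpos = der_tlv(atv)
        _, value, _ = der_tlv(atv, vpos)
        parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode()}")
    return ",".join(parts)

def certificate_request_cas(msg):
    """List the certificate_authorities carried by a TLS 1.2 CertificateRequest handshake message."""
    if msg[0] != 13 or int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise ValueError("not a well-formed CertificateRequest")
    pos = 5 + msg[4]                                      # skip certificate_types
    pos += 2 + struct.unpack("!H", msg[pos:pos + 2])[0]   # skip supported_signature_algorithms
    end = pos + 2 + struct.unpack("!H", msg[pos:pos + 2])[0]
    names, pos = [], pos + 2
    while pos < end:                                      # each DN is a 2-byte length + DER Name
        dn_len = struct.unpack("!H", msg[pos:pos + 2])[0]
        names.append(decode_name(msg[pos + 2:pos + 2 + dn_len]))
        pos += 2 + dn_len
    return names

def der(tag, content):  # constructed-sample helper: short-form DER TLV (content < 128 bytes)
    return bytes([tag, len(content)]) + content

def build_request(ca_names):
    """Constructed sample: CertificateRequest offering rsa_sign with sha256/rsa, plus the given DER names."""
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    body = b"\x01\x01" + b"\x00\x02\x04\x01" + struct.pack("!H", len(cas)) + cas
    return b"\x0d" + len(body).to_bytes(3, "big") + body

# Constructed sample DN: CN=Example Client CA,O=Example Corp (PrintableString values).
SAMPLE_CA = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, b"Example Client CA")))
                + der(0x31, der(0x30, der(0x06, b"\x55\x04\x0a") + der(0x13, b"Example Corp"))))
```

`certificate_request_cas(build_request([SAMPLE_CA]))` yields the CA name the client can match against its certificates, while `certificate_request_cas(build_request([]))` yields the empty list that leaves the client guessing. In TLS 1.3 the same list travels in the certificate_authorities extension of CertificateRequest, so this decoder covers the TLS 1.2 layout only.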
msg301503 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2017-09-06 19:41
It sounds like a sensible request.

Documentation links:

https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_client_CA_list(3)
https://wiki.openssl.org/index.php/Manual:SSL_load_client_CA_file(3)
History
Date                 User              Action  Args
2022-04-11 14:58:39  admin             set     github: 72857
2017-09-06 19:41:48  christian.heimes  set     assignee: christian.heimes -> ; stage: needs patch; versions: + Python 3.7
2017-09-06 19:41:37  christian.heimes  set     nosy: + janssen, alex, dstufft; messages: + msg301503
2016-11-11 23:30:24  kchen             create