classification
Title: Add SSLContext.set_verify_callback()
Type: enhancement
Stage: needs patch
Components: SSL
Versions: Python 3.8
process
Status: open
Resolution:
Dependencies:
Superseder:
Assigned To: christian.heimes
Nosy List: David Peall, christian.heimes, rfinnie
Priority: normal
Keywords:

Created on 2017-08-20 21:49 by rfinnie, last changed 2018-11-07 09:07 by David Peall.

Messages (1)
msg300607 - (view) Author: Ryan Finnie (rfinnie) Date: 2017-08-20 21:49
At the moment, SSLContext.verify_mode() allows for three modes when dealing with Purpose.CLIENT_AUTH / server_side=True:

- CERT_NONE (server does not request client certificate, client does not provide it)
- CERT_OPTIONAL (server requests client certificate, raises SSLError if provided but fails verification, continues if not provided)
- CERT_REQUIRED (server requests client certificate, raises SSLError if provided but fails verification, raises SSLError if not provided)

There is currently no way to request a client certificate and manually verify it (or ignore it) if it doesn't pass OpenSSL verification.  OpenSSL provides SSL_CTX_set_cert_verify_callback for using a custom callback[0], but this is not exposed in Python.

It would be nice to have a set_verify_callback() method, similar to how set_servername_callback() does it for SSL_CTX_set_tlsext_servername_callback.

[0] https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_verify.html
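To make the three server-side modes listed above concrete, here is an added example (not part of the report or of CPython): it drives an in-memory TLS handshake for each verify_mode and reports what the server side ends up with, including the case the report says cannot be handled today (a client cert that fails OpenSSL verification under CERT_OPTIONAL). It assumes the openssl command-line tool is on PATH to mint throwaway self-signed certificates, and it disables the client's hostname check because the constructed server cert is trusted explicitly.

```python
import functools
import os
import ssl
import subprocess
import tempfile

_TMP = tempfile.mkdtemp()  # holds the constructed throwaway certificates

@functools.lru_cache(maxsize=None)
def self_signed(name):
    """Mint a self-signed cert/key pair with the openssl CLI (assumed on PATH)."""
    key, cert = os.path.join(_TMP, name + ".key"), os.path.join(_TMP, name + ".crt")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", "/CN=" + name, "-keyout", key, "-out", cert],
                   check=True, capture_output=True)
    return cert, key

def try_mode(mode_name, client_sends_cert, server_trusts_client):
    """One in-memory handshake with the server's verify_mode set to mode_name."""
    srv_cert, srv_key = self_signed("server")
    cli_cert, cli_key = self_signed("client")
    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server_ctx.load_cert_chain(srv_cert, srv_key)
    server_ctx.verify_mode = getattr(ssl, mode_name)
    if server_trusts_client:
        server_ctx.load_verify_locations(cafile=cli_cert)
    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client_ctx.check_hostname = False  # the test server cert is trusted explicitly
    client_ctx.load_verify_locations(cafile=srv_cert)
    if client_sends_cert:
        client_ctx.load_cert_chain(cli_cert, cli_key)
    c2s, s2c = ssl.MemoryBIO(), ssl.MemoryBIO()
    server = server_ctx.wrap_bio(c2s, s2c, server_side=True)
    client = client_ctx.wrap_bio(s2c, c2s, server_side=False)
    pending = [client, server]
    for _ in range(20):  # bounded pump; a handshake needs only a few rounds
        for obj in list(pending):
            try:
                obj.do_handshake()
                pending.remove(obj)
            except ssl.SSLWantReadError:
                pass  # waiting for bytes from the peer
            except ssl.SSLError as exc:
                return f"{'server' if obj is server else 'client'} rejected: {exc.reason}"
        if not pending:  # both sides finished: report what the server verified
            cert = server.getpeercert()
            cn = dict(rdn[0] for rdn in cert["subject"])["commonName"] if cert else None
            return f"accepted, client cert: {cn}"
    raise RuntimeError("handshake stalled")
```

Under CERT_OPTIONAL with an untrusted client cert the server raises CERTIFICATE_VERIFY_FAILED before application code ever sees the certificate, which is the gap a verify callback would close.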
History
Date | User | Action | Args
2018-11-07 09:07:00 | David Peall | set | nosy: + David Peall
2018-02-26 08:25:15 | christian.heimes | set | stage: needs patch; versions: + Python 3.8
2017-08-20 21:49:16 | rfinnie | create |