At the moment, SSLContext.verify_mode() allows for three modes when dealing with Purpose.CLIENT_AUTH / server_side=True:

- CERT_NONE (server does not request client certificate, client does not provide it)
- CERT_OPTIONAL (server requests client certificate, raises SSLError if provided but fails verification, continues if not provided)
- CERT_REQUIRED (server requests client certificate, raises SSLError if provided but fails verification, raises SSLError if not provided)

There is currently no way to request a client certificate and manually verify it (or ignore it) if it doesn't pass OpenSSL verification.  OpenSSL provides SSL_CTX_set_cert_verify_callback for using a custom callback[0], but this is not exposed in Python.

It would be nice to have a set_verify_callback() method, similar to how set_servername_callback() does it for SSL_CTX_set_tlsext_servername_callback.

[0] https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_verify.html

Very much needing this!

My situation is a mutli-tenant asynchio-based server whereby each tenant is able to configure other clients that can connect.  The current strategy requires all certs to be known up-front that, for now, necessitates a painful restart whenever new auth for a client-certificate is configured.

I also need this feature for something I'm working on, so I looked into it a bit and pushed a small proof of concept implementation to GitHub (See PR 31391).

I'm not sure if I'll have enough time to finish and clean up this implementation, but at least there is a starting point.

I also opened bpo-46779 as a simpler method to solve most of the usecases  that would be solved by this api.

Unfortunately a generic and future-proof verify callback is much more work. We need to expose and wrap X509_STORE_CTX, X509_STORE, X509 (include STACK_OF(X509)), and probably several other OpenSSL structures. We also need to expose error codes.

bpo-28747 was an older ticket for implementing a callback.