Message300607
At the moment, SSLContext.verify_mode() allows for three modes when dealing with Purpose.CLIENT_AUTH / server_side=True:
- CERT_NONE (server does not request client certificate, client does not provide it)
- CERT_OPTIONAL (server requests client certificate, raises SSLError if provided but fails verification, continues if not provided)
- CERT_REQUIRED (server requests client certificate, raises SSLError if provided but fails verification, raises SSLError if not provided)
There is currently no way to request a client certificate and manually verify it (or ignore it) if it doesn't pass OpenSSL verification. OpenSSL provides SSL_CTX_set_cert_verify_callback for using a custom callback[0], but this is not exposed in Python.
It would be nice to have a set_verify_callback() method, similar to how set_servername_callback() does it for SSL_CTX_set_tlsext_servername_callback.
[0] https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_verify.html |
|
Date |
User |
Action |
Args |
2017-08-20 21:49:16 | rfinnie | set | recipients:
+ rfinnie, christian.heimes |
2017-08-20 21:49:16 | rfinnie | set | messageid: <1503265756.53.0.967490588927.issue31242@psf.upfronthosting.co.za> |
2017-08-20 21:49:16 | rfinnie | link | issue31242 messages |
2017-08-20 21:49:16 | rfinnie | create | |
|