Author rfinnie
Recipients christian.heimes, rfinnie
Date 2017-08-20.21:49:16
Message-id <1503265756.53.0.967490588927.issue31242@psf.upfronthosting.co.za>
In-reply-to
Content
At the moment, SSLContext.verify_mode() allows for three modes when dealing with Purpose.CLIENT_AUTH / server_side=True:

- CERT_NONE (server does not request client certificate, client does not provide it)
- CERT_OPTIONAL (server requests client certificate, raises SSLError if provided but fails verification, continues if not provided)
- CERT_REQUIRED (server requests client certificate, raises SSLError if provided but fails verification, raises SSLError if not provided)

There is currently no way to request a client certificate and manually verify it (or ignore it) if it doesn't pass OpenSSL verification.  OpenSSL provides SSL_CTX_set_cert_verify_callback for using a custom callback[0], but this is not exposed in Python.

It would be nice to have a set_verify_callback() method, similar to how set_servername_callback() does it for SSL_CTX_set_tlsext_servername_callback.

[0] https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_verify.html
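The three server-side modes listed in the message above can be observed with an in-memory handshake. This is an added example, not part of the original message or of CPython; `server_view` and `_self_signed` are hypothetical helper names, and it assumes the `openssl` command-line tool is on PATH to create throwaway self-signed certificates. A client certificate that fails OpenSSL verification surfaces as `ssl.SSLError` during the handshake, so server code never gets to inspect it.

```python
import os, ssl, subprocess, tempfile

def _self_signed(directory, cn):
    """Throwaway self-signed cert made with the openssl CLI (assumed to be on PATH)."""
    key, crt = os.path.join(directory, cn + ".key"), os.path.join(directory, cn + ".crt")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", "/CN=" + cn, "-keyout", key, "-out", crt],
                   check=True, capture_output=True)
    return crt, key

def server_view(verify_mode, client_cert=False, trust_client=False):
    """Run an in-memory TLS handshake; return the server's getpeercert() result.

    Raises ssl.SSLError when the server side rejects the handshake."""
    with tempfile.TemporaryDirectory() as d:
        srv, cli = _self_signed(d, "server"), _self_signed(d, "client")
        sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        sctx.load_cert_chain(*srv)
        sctx.verify_mode = verify_mode
        if trust_client:                 # make the client cert a trust anchor
            sctx.load_verify_locations(cli[0])
        cctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        cctx.check_hostname = False      # the client's own checks are not the subject here
        cctx.verify_mode = ssl.CERT_NONE
        if client_cert:
            cctx.load_cert_chain(*cli)
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = cctx.wrap_bio(c_in, c_out)
    server = sctx.wrap_bio(s_in, s_out, server_side=True)
    for _ in range(6):                   # enough round trips for TLS 1.2 or 1.3
        for side, out, peer_in in ((client, c_out, s_in), (server, s_out, c_in)):
            try:
                side.do_handshake()      # a server-side rejection propagates as SSLError
            except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
                pass                     # needs more data from the peer
            data = out.read()
            if data:
                peer_in.write(data)
    return server.getpeercert()
```
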
History
Date                 User     Action  Args
2017-08-20 21:49:16  rfinnie  set     recipients: + rfinnie, christian.heimes
2017-08-20 21:49:16  rfinnie  set     messageid: <1503265756.53.0.967490588927.issue31242@psf.upfronthosting.co.za>
2017-08-20 21:49:16  rfinnie  link    issue31242 messages
2017-08-20 21:49:16  rfinnie  create