Message301970
From #31431, the documentation of CERT_OPTIONAL and CERT_REQUIRED is misleading. For client side sockets, CERT_OPTIONAL does **NOT** mean that no certificates will be required from the other side of the socket connection. The server **must** provide a cert and the client **requires** the cert to be valid and trusted by a trusted CA.
Internally, the _ssl.c extension module sets:
CERT_NONE: SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_cb)
CERT_OPTIONAL: SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cb)
CERT_REQUIRED: SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)
According to https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_verify.html SSL_VERIFY_FAIL_IF_NO_PEER_CERT is ignored in client mode.
This means for client-side sockets:
CERT_NONE: server must provide any cert, verification error does not prevent handshake
CERT_OPTIONAL == CERT_REQUIRED
CERT_REQUIRED: server must provide a correct certificate that is trusted by a root CA in the trust store of the client
For server-side sockets:
CERT_NONE: Don't ask client for a TLS client auth cert
CERT_OPTIONAL: Ask client for a TLS client auth cert, don't fail if the client does not provide one. IIRC the cert must validate and be trusted by a CA in the trust store of the server (TODO: verify this)
CERT_REQUIRED: Ask client for TLS client auth cert, fail if client does not provide a certificate during the handshake.

Date                | User             | Action | Args
2017-09-12 16:08:39 | christian.heimes | set    | recipients: + christian.heimes, docs@python
2017-09-12 16:08:39 | christian.heimes | set    | messageid: <1505232519.67.0.963615295738.issue31432@psf.upfronthosting.co.za>
2017-09-12 16:08:39 | christian.heimes | link   | issue31432 messages
2017-09-12 16:08:39 | christian.heimes | create |
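The following is an added example, not part of msg301970 and not CPython code: it drives TLS handshakes entirely in memory with ssl.MemoryBIO (no sockets) and records the handshake outcome for every verify_mode on both the client and the server side, including the server-side cases the message marks TODO. It assumes the openssl command-line tool is on PATH to mint two throwaway self-signed certificates; the CNs "localhost" and "client", the function names and the result labels are choices made here.

```python
"""Added example, not from the tracker message: run TLS handshakes entirely in
memory (ssl.MemoryBIO, no sockets) to observe what CERT_NONE / CERT_OPTIONAL /
CERT_REQUIRED do on each side. Assumes the `openssl` CLI is on PATH."""
import atexit
import functools
import os
import shutil
import ssl
import subprocess
import tempfile

MODES = {"CERT_NONE": ssl.CERT_NONE, "CERT_OPTIONAL": ssl.CERT_OPTIONAL,
         "CERT_REQUIRED": ssl.CERT_REQUIRED}


def make_self_signed_cert(cn):
    """Constructed test material: a one-day self-signed cert + key via openssl."""
    tmp = tempfile.mkdtemp(prefix="certmode-")
    atexit.register(shutil.rmtree, tmp, ignore_errors=True)
    cert, key = os.path.join(tmp, "cert.pem"), os.path.join(tmp, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-days", "1", "-subj", f"/CN={cn}", "-keyout", key, "-out", cert],
                   check=True, capture_output=True)
    return cert, key


def make_context(server_side, verify_mode, cert=None, key=None, cafile=None):
    """SSLContext with the given verify_mode. check_hostname is switched off on
    the client so only the certificate-trust decision is exercised."""
    proto = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    if not server_side:
        ctx.check_hostname = False   # must precede CERT_NONE, else ValueError
    ctx.verify_mode = verify_mode
    if cert:
        ctx.load_cert_chain(cert, key)
    if cafile:
        ctx.load_verify_locations(cafile)
    return ctx


def handshake(client_ctx, server_ctx, rounds=50):
    """Drive both sides of a handshake over MemoryBIO pairs.
    Returns (status, DER server cert as seen by the client, or None)."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    sides = [client_ctx.wrap_bio(c_in, c_out, server_hostname="localhost"),
             server_ctx.wrap_bio(s_in, s_out, server_side=True)]
    done = [False, False]
    try:
        for _ in range(rounds):
            for i, side in enumerate(sides):
                if not done[i]:
                    try:
                        side.do_handshake()
                        done[i] = True
                    except ssl.SSLWantReadError:
                        pass
                for src, dst in ((c_out, s_in), (s_out, c_in)):
                    data = src.read()          # shuttle bytes to the other side
                    if data:
                        dst.write(data)
            if all(done):
                return "ok", sides[0].getpeercert(binary_form=True)
        return "stalled", None
    except ssl.SSLCertVerificationError:       # OpenSSL: CERTIFICATE_VERIFY_FAILED
        return "verify_failed", None
    except ssl.SSLError as e:                  # e.g. PEER_DID_NOT_RETURN_A_CERTIFICATE
        return f"ssl_error:{e.reason}", None


@functools.lru_cache(maxsize=None)
def verify_matrix():
    """Outcome of each (side, verify_mode, trust) combination, or None when the
    openssl CLI is not available to mint the certificates."""
    if shutil.which("openssl") is None:
        return None
    s_cert, s_key = make_self_signed_cert("localhost")
    c_cert, c_key = make_self_signed_cert("client")
    out = {}
    # Client side: server never asks for a client cert; vary the client's
    # verify_mode with the server cert untrusted (no CA loaded) or trusted.
    server = make_context(True, ssl.CERT_NONE, s_cert, s_key)
    for name, mode in MODES.items():
        out[f"client {name}, untrusted server"] = handshake(make_context(False, mode), server)[0]
        out[f"client {name}, trusted server"] = handshake(make_context(False, mode, cafile=s_cert), server)[0]
    out["server cert seen under CERT_NONE"] = bool(handshake(make_context(False, ssl.CERT_NONE), server)[1])
    # Server side: client verifies nothing; vary the server's verify_mode with
    # the client sending no cert, an untrusted cert, or one the server trusts.
    for name, mode in MODES.items():
        srv = make_context(True, mode, s_cert, s_key)
        trusting = make_context(True, mode, s_cert, s_key, cafile=c_cert)
        out[f"server {name}, no client cert"] = handshake(make_context(False, ssl.CERT_NONE), srv)[0]
        if mode != ssl.CERT_NONE:
            cli = lambda: make_context(False, ssl.CERT_NONE, c_cert, c_key)
            out[f"server {name}, untrusted client cert"] = handshake(cli(), srv)[0]
            out[f"server {name}, trusted client cert"] = handshake(cli(), trusting)[0]
    return out
```

Call verify_matrix() and print the returned dict. The client-side rows come out identical for CERT_OPTIONAL and CERT_REQUIRED (an untrusted server cert aborts the handshake, a trusted one succeeds), while CERT_NONE succeeds yet still receives the server's certificate. The server-side rows show that CERT_OPTIONAL tolerates a client that sends no certificate, but a certificate that is presented must chain to the server's trust store or the handshake is aborted, which is the OpenSSL SSL_VERIFY_PEER behaviour the TODO above asks about.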