New submission from Ryan Finnie:

At the moment, SSLContext.verify_mode() allows for three modes when dealing with Purpose.CLIENT_AUTH / server_side=True:

- CERT_NONE (server does not request client certificate, client does not provide it)
- CERT_OPTIONAL (server requests client certificate, raises SSLError if provided but fails verification, continues if not provided)
- CERT_REQUIRED (server requests client certificate, raises SSLError if provided but fails verification, raises SSLError if not provided)

There is currently no way to request a client certificate and manually verify it (or ignore it) if it doesn't pass OpenSSL verification. OpenSSL provides SSL_CTX_set_cert_verify_callback for using a custom callback[0], but this is not exposed in Python. It would be nice to have a set_verify_callback() method, similar to how set_servername_callback() does it for SSL_CTX_set_tlsext_servername_callback.

[0] https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_verify.html

----------
assignee: christian.heimes
components: SSL
messages: 300607
nosy: christian.heimes, rfinnie
priority: normal
severity: normal
status: open
title: Add SSLContext.set_verify_callback()
type: enhancement

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue31242>
_______________________________________