> On 3 Feb 2022, at 21:34, Grant Edwards <grant.b.edwa...@gmail.com> wrote:
>
> On 2022-02-03, Kushal Kumaran <kus...@locationd.net> wrote:
>
>>> On Thu, Feb 03 2022 at 10:57:56 AM, Grant Edwards
>>> <grant.b.edwa...@gmail.com> wrote:
>>> I've got a small ssl server app. I want to require a certificate from
>>> the client, so I'm using a context with
>>>
>>> context.verify_mode = ssl.CERT_REQUIRED
>>>
>>> But, I want all certificates accepted. How do I disable client
>>> certificate verification?
>>>
>>
>> Perhaps you can explain what your goal is.
>
> It's a troubleshooting utility for displaying a client's certificate.
>
>> Which kinds of client certificates do you want to permit
>
> All of them. Anything that's parsable as an X509 certificate no matter
> how "invalid" it is.
>
>> (to the best of my knowledge, none of these can be actually allowed):
>>
>> - expired certificates
>> - self-signed certificates
>> - certificates signed by untrusted CA
>> - completely garbage certificates (bad signature, etc.)
>>
>> I don't see what benefit you expect from requiring client
>> certificates if you don't care what the certificate says.
>
> I do care what it says. The whole point is to find out what it says.
>
> I just don't want it validated by the SSL layer: I want to print it
> out. That seems to be trivial to do for server certificates using
> "openssl s_client", but I can't find any way to do it for client
> certificates.
>
>> Why not simply set verify_mode to SSL_NONE and use other
>> authentication mechanisms?
>
> I'm not interested in doing any authentication.
>
> I just want to require that the client provide a certificate and then
> print it out using print(connection.getpeercert())
I am not near the PC with the code on. But in outline you provide an ssl context that returns true for the validation of the cert always. You also get to have the x509 cert in your hands.

I use pyopenssl to play with x.509 certs.

Let me know if this is not enough info and I will dig out the code I have that does this custom cert stuff.

Barry

> --
> Grant
>
> --
> https://mail.python.org/mailman/listinfo/python-list
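Barry's outline in working code, as an added example (not his code or anything posted in the thread): a pyOpenSSL server context whose verify callback always returns True, so the client must present a certificate but nothing about it is checked, plus a helper that prints the fields a troubleshooting tool would want. It assumes pyOpenSSL is installed; `make_self_signed` is a constructed certificate used for the server's own identity and for trying `describe` offline.

```python
from OpenSSL import SSL, crypto
import socket

# Request a client cert and abort if none arrives; "validity" is left to the callback.
INSPECT_MODE = SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT

def accept_any_cert(conn, x509, errnum, depth, preverify_ok):
    """errnum/preverify_ok carry OpenSSL's verdict (expired, self-signed, untrusted
    CA, ...). Returning True overrides it: the handshake completes and the
    certificate, however broken, can be read off the connection and printed."""
    return True

def inspection_context(server_key, server_cert):
    """Server context that requires a client certificate but never rejects one."""
    ctx = SSL.Context(SSL.TLS_METHOD)
    ctx.use_certificate(server_cert)
    ctx.use_privatekey(server_key)
    ctx.set_verify(INSPECT_MODE, accept_any_cert)
    return ctx

def describe(x509):
    # The fields a troubleshooting tool would print for an OpenSSL.crypto.X509.
    def name(n):
        return ", ".join(f"{k.decode()}={v.decode()}" for k, v in n.get_components())
    return {"subject": name(x509.get_subject()), "issuer": name(x509.get_issuer()),
            "serial": hex(x509.get_serial_number()), "expired": bool(x509.has_expired())}

def make_self_signed(cn, days=1):
    """Constructed self-signed cert: the server's own identity, or a sample to inspect."""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509()
    cert.get_subject().CN = cn
    cert.set_issuer(cert.get_subject())
    cert.set_serial_number(1)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(days * 86400)
    cert.set_pubkey(key)
    cert.sign(key, "sha256")
    return key, cert

def serve_once(ctx, port=8443):
    """Accept one TLS client and print whatever certificate it presented."""
    with socket.socket() as listener:
        listener.bind(("", port))
        listener.listen(1)
        conn = SSL.Connection(ctx, listener.accept()[0])
        conn.set_accept_state()
        conn.do_handshake()  # raises only if the client sent no certificate at all
        print(describe(conn.get_peer_certificate()))
```

Run `serve_once(inspection_context(*make_self_signed("inspection-server")))` and connect with `openssl s_client -connect localhost:8443 -cert client.pem -key client.key`; an expired or self-signed client cert is printed just like a valid one.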