[issue31432] Documentation for CERT_OPTIONAL is misleading
New submission from Christian Heimes:
From #31431, the documentation of CERT_OPTIONAL and CERT_REQUIRED is misleading. For client side sockets, CERT_OPTIONAL does **NOT** mean that no certificates will be required from the other side of the socket connection. The server **must** provide a cert and the client **requires** the cert to be valid and trusted by a trusted CA.
Internally, the _ssl.c extension module sets:

  CERT_NONE:     SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_cb)
  CERT_OPTIONAL: SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cb)
  CERT_REQUIRED: SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)

According to https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_verify.html, SSL_VERIFY_FAIL_IF_NO_PEER_CERT is ignored in client mode. This means for client-side sockets:

  CERT_NONE: server must provide any cert, verification error does not prevent handshake
  CERT_OPTIONAL == CERT_REQUIRED
  CERT_REQUIRED: server must provide a correct certificate that is trusted by a root CA in the trust store of the client

For server-side sockets:

  CERT_NONE: Don't ask client for a TLS client auth cert
  CERT_OPTIONAL: Ask client for a TLS client auth cert, don't fail if the client does not provide one. IIRC the cert must validate and be trusted by a CA in the trust store of the server (TODO: verify this)
  CERT_REQUIRED: Ask client for TLS client auth cert, fail if client does not provide a certificate during the handshake.

----------
assignee: docs@python
components: Documentation, SSL
messages: 301970
nosy: christian.heimes, docs@python
priority: normal
severity: normal
status: open
title: Documentation for CERT_OPTIONAL is misleading
type: behavior
versions: Python 2.7, Python 3.6, Python 3.7

_______________________________________
Python tracker <report@bugs.python.org>
<https://bugs.python.org/issue31432>
_______________________________________
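The client/server asymmetry described in the report can be observed directly from Python. The following is an added example written for this page (it is not code from the tracker thread or from CPython): it generates a throwaway self-signed certificate with the `openssl` command-line tool (assumed to be on PATH; only the key/cert generation uses it), then runs loopback TLS connections with each verify_mode on the client side and on the server side and records what each side observes. Hostname checking is switched off so that only verify_mode is exercised; the "ping" echo and the scenario labels are constructed for the example.

```python
"""Added example: observe ssl.CERT_NONE / CERT_OPTIONAL / CERT_REQUIRED on
both sides of a loopback TLS connection. Not code from the tracker thread."""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed(dirpath):
    """Create a throwaway self-signed cert/key for CN=localhost.
    Assumption: the `openssl` CLI is on PATH (used only for generation)."""
    cert = os.path.join(dirpath, "cert.pem")
    key = os.path.join(dirpath, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1", "-subj", "/CN=localhost"],
        check=True, capture_output=True,
    )
    return cert, key


def client_context(mode, cafile=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Disabled only to isolate verify_mode; a real client keeps this True.
    # It must be False before verify_mode may be set to CERT_NONE.
    ctx.check_hostname = False
    ctx.verify_mode = mode
    if cafile is not None:
        ctx.load_verify_locations(cafile)
    return ctx


def server_context(cert, key, mode):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    ctx.verify_mode = mode  # OPTIONAL/REQUIRED make the server request a client cert
    return ctx


def handshake(client_ctx, server_ctx):
    """One loopback TLS connection plus a 4-byte echo.
    Returns (client_outcome, server_outcome): "ok" when that side finished the
    handshake and the echo, otherwise the name of the exception it hit."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    outcome = {}

    def serve():
        try:
            conn, _ = listener.accept()
            conn.settimeout(5)
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(tls.recv(4))
            outcome["server"] = "ok"
        except Exception as exc:  # record which error the server saw
            outcome["server"] = type(exc).__name__
        finally:
            listener.close()

    worker = threading.Thread(target=serve)
    worker.start()
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                tls.sendall(b"ping")
                outcome["client"] = "ok" if tls.recv(4) == b"ping" else "eof"
    except Exception as exc:  # record which error the client saw
        outcome["client"] = type(exc).__name__
    worker.join()
    return outcome["client"], outcome["server"]


def demo():
    """Run the scenarios; returns None when no openssl CLI is available."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed(tmp)
        plain_server = server_context(cert, key, ssl.CERT_NONE)
        return {
            # client side: how the client treats the server's certificate
            "client CERT_NONE, no CA": handshake(client_context(ssl.CERT_NONE), plain_server),
            "client CERT_OPTIONAL, no CA": handshake(client_context(ssl.CERT_OPTIONAL), plain_server),
            "client CERT_REQUIRED, no CA": handshake(client_context(ssl.CERT_REQUIRED), plain_server),
            "client CERT_OPTIONAL, CA loaded": handshake(client_context(ssl.CERT_OPTIONAL, cert), plain_server),
            # server side: client-cert request when the client sends none
            "server CERT_OPTIONAL, no client cert": handshake(
                client_context(ssl.CERT_NONE), server_context(cert, key, ssl.CERT_OPTIONAL)),
            "server CERT_REQUIRED, no client cert": handshake(
                client_context(ssl.CERT_NONE), server_context(cert, key, ssl.CERT_REQUIRED)),
        }


if __name__ == "__main__":
    for name, (client, server) in (demo() or {}).items():
        print(f"{name:40s} client={client:26s} server={server}")
```

On the client, CERT_OPTIONAL with no trust anchor fails the handshake with SSLCertVerificationError exactly as CERT_REQUIRED does, and succeeds once the self-signed certificate is loaded as a trust anchor; CERT_NONE completes the handshake although the same certificate is untrusted. On the server, CERT_OPTIONAL accepts a client that presents no certificate, while CERT_REQUIRED rejects it during the handshake.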
Changes by Christian Heimes <lists@cheimes.de>:
----------
nosy: +alex, dstufft, janssen
Christian Heimes added the comment:
PS: OpenSSL still validates the chain when SSL_VERIFY_NONE is set. In that mode OpenSSL just does not abort the handshake when an error occurs. OpenSSL keeps the last verification error around, see #31372.
----------
Changes by Christian Heimes <lists@cheimes.de>:
----------
keywords: +patch
pull_requests: +3527
stage: -> patch review
Ned Deily <nad@python.org> added the comment:
New changeset ef24b6c54d40e7820456873a6eab6ef57d2bd0db by Ned Deily (Christian Heimes) in branch 'master':
bpo-31432: Clarify ssl CERT_NONE/OPTIONAL/REQUIRED docs. (GH-3530)
https://github.com/python/cpython/commit/ef24b6c54d40e7820456873a6eab6ef57d2...
----------
nosy: +ned.deily
Change by miss-islington <mariatta.wijaya+miss-islington@gmail.com>:
----------
pull_requests: +7268
Ned Deily <nad@python.org> added the comment:
New changeset a5db479ac4cdcc0d94ec1d7a594720a651d90433 by Ned Deily (Miss Islington (bot)) in branch '3.7':
bpo-31432: Clarify ssl CERT_NONE/OPTIONAL/REQUIRED docs. (GH-3530) (GH-7649)
https://github.com/python/cpython/commit/a5db479ac4cdcc0d94ec1d7a594720a651d...
----------
Change by Ned Deily <nad@python.org>:
----------
pull_requests: +7269
Ned Deily <nad@python.org> added the comment:
New changeset 4531ec74c4a9c8e15ee2bdec11b12796ce000f6f by Ned Deily in branch 'master':
bpo-31432: Revert unrelated code changes to _ssl.c and test_ssl (GH-7650)
https://github.com/python/cpython/commit/4531ec74c4a9c8e15ee2bdec11b12796ce0...
----------
Change by miss-islington <mariatta.wijaya+miss-islington@gmail.com>:
----------
pull_requests: +7270
Ned Deily <nad@python.org> added the comment:
New changeset 42198571c586e0dc56836b79329f94952b1975bb by Ned Deily (Miss Islington (bot)) in branch '3.7':
bpo-31432: Revert unrelated code changes to _ssl.c and test_ssl (GH-7650) (GH-7651)
https://github.com/python/cpython/commit/42198571c586e0dc56836b79329f94952b1...
----------
Change by Ned Deily <nad@python.org>:
----------
pull_requests: +7271
Ned Deily <nad@python.org> added the comment:
New changeset e25757408dc22561af9f9589c2c7e2a2fbb66ee4 by Ned Deily in branch '3.6':
bpo-31432: Clarify ssl CERT_NONE/OPTIONAL/REQUIRED docs. (GH-3530) (GH-7652)
https://github.com/python/cpython/commit/e25757408dc22561af9f9589c2c7e2a2fbb...
----------
Irit Katriel <iritkatriel@yahoo.com> added the comment:
This seems complete, can it be closed?
----------
nosy: +iritkatriel
Change by Christian Heimes <lists@cheimes.de>:
----------
resolution: -> fixed
stage: patch review -> resolved
status: open -> closed
participants (4)
- Christian Heimes
- Irit Katriel
- miss-islington
- Ned Deily