[docs] [issue31432] Documention for CERT_OPTIONAL is misleading

Christian Heimes report at bugs.python.org
Tue Sep 12 12:08:39 EDT 2017

New submission from Christian Heimes:

>From #31431, the documentation of CERT_OPTIONAL and CERT_REQUIRED are misleading. For client side sockets, CERT_OPTIONAL does **NOT** mean that no certificates will be required from the other side of the socket connection. The server **must** provide a cert and the client **requires** the cert to be valid and trusted by trusted CA. 

Internally, the _ssl.c extension module sets:

CERT_NONE: SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_cb)
CERT_OPTIONAL: SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cb)

According to https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_verify.html SSL_VERIFY_FAIL_IF_NO_PEER_CERT is ignored in client mode.

This means for client-side sockets:

CERT_NONE: server must provide any cert, verification error does not prevent handshake
CERT_REQUIRED: server must provide a correct certificate that is trusted by a root CA in the trust store of the client

For server-side sockets:

CERT_NONE: Don't ask client for a TLS client auth cert
CERT_OPTIONAL: Ask client for a TLS client auth cert, don't fail if the client does not provide one. IIRC the cert must validate and be trusted by a CA in the trust store of the server (TODO: verify this)
CERT_REQUIRED: Ask client for TLS client auth cert, fail if client does not provide a certificate during the handshake.

assignee: docs at python
components: Documentation, SSL
messages: 301970
nosy: christian.heimes, docs at python
priority: normal
severity: normal
status: open
title: Documention for CERT_OPTIONAL is misleading
type: behavior
versions: Python 2.7, Python 3.6, Python 3.7

Python tracker <report at bugs.python.org>

More information about the docs mailing list