ssl server: how to disable client cert verification?
Grant Edwards
grant.b.edwards at gmail.com
Fri Feb 4 13:24:39 EST 2022
On 2022-02-04, Kushal Kumaran <kushal at locationd.net> wrote:
>> It's a troubleshooting utility for displaying a client's certificate.
>>
>>> Which kinds of client certificates do you want to permit
>>
>> All of them. Anything that's parsable as an X509 certificate no matter
>> how "invalid" it is.
>>
>
> Does `openssl x509 -in <filename> -text -noout` do what you want?

Where does <filename> come from?

>> I just don't want it validated by the SSL layer: I want to print it
>> out. That seems to be trivial to do for server certificates using
>> "openssl s_client", but I can't find any way to do it for client
>> certificates.
>
> In your place, I would simply use the openssl x509 command.

How does the x509 command obtain the certificate from the
client/server handshake?

> If I wanted more/different info, I would write a script to load the
> certificate and print out the relevant info.

How does one "load the certificate" from the client?

> If this functionality must be provided by a server,
> I would write it so that a certificate could be POSTed to
> the server (without using client certificates),

The problem is in getting the certificate that is provided by the client
during the handshake with the server. Don't worry about how to
parse/print it -- I can deal with that.

> I don't know how to use the stdlib's ssl module to do this kind of
> parsing.

I'm not asking about parsing x509 certificates. That's not the
problem.

The problem is _getting_ the client certificate that was provided
during the client/server handshake. That's trivial if the handshake
was successful. The problem is obtaining the client certificate when
the handshake fails. I was hoping there was a way to disable client
certificate validation so that the handshake will succeed and then
allow me to get the client certificate from the connection object.

--
Grant
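
Added example, not part of the original message: one way to get the behaviour asked for above, where the server requests a client certificate, records any validation error without enforcing it, and reads the certificate from the connection afterwards. It assumes the third-party pyOpenSSL and cryptography packages, because the stdlib ssl module exposes no verification callback. All names, the in-memory handshake and the throwaway certificates are constructed for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID
from OpenSSL import SSL, crypto

def make_context(method, cn):
    """Context with a constructed, throwaway self-signed certificate for `cn`."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256()))
    ctx = SSL.Context(method)
    ctx.use_privatekey(crypto.PKey.from_cryptography_key(key))
    ctx.use_certificate(crypto.X509.from_cryptography(cert))
    return ctx, cert

def capture_client_cert():
    """In-memory handshake; returns (cert seen by server, cert sent, errors)."""
    errors = []
    def accept_anything(conn, cert, errnum, depth, ok):
        if not ok:
            errors.append((depth, errnum))  # record the failure, do not enforce it
        return True                         # never abort the handshake
    server_ctx, _ = make_context(SSL.TLS_SERVER_METHOD, "diag-server")
    # VERIFY_PEER makes the server ask the client for a certificate.
    server_ctx.set_verify(SSL.VERIFY_PEER, accept_anything)
    client_ctx, sent = make_context(SSL.TLS_CLIENT_METHOD, "untrusted-client")
    server, client = SSL.Connection(server_ctx, None), SSL.Connection(client_ctx, None)
    server.set_accept_state()
    client.set_connect_state()
    finished = {"client": False, "server": False}
    while not all(finished.values()):
        for name, conn, peer in (("client", client, server), ("server", server, client)):
            try:
                conn.do_handshake()
                finished[name] = True
            except SSL.WantReadError:
                pass                                  # waiting for the peer's records
            try:
                peer.bio_write(conn.bio_read(65536))  # shuttle TLS records across
            except SSL.WantReadError:
                pass                                  # nothing queued to send
    return server.get_peer_certificate().to_cryptography(), sent, errors
```

A context configured this way authenticates nobody, so it belongs only in a diagnostic listener like the one described, never in front of anything that relies on the client's identity.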