
This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.
Created on 2017-09-12 16:08 by christian.heimes, last changed 2022-04-11 14:58 by admin. This issue is now closed.
Pull Requests

| URL | Status | Linked |
|---|---|---|
| PR 3530 | merged | christian.heimes, 2017-09-13 05:13 |
| PR 7649 | merged | miss-islington, 2018-06-11 23:00 |
| PR 7650 | merged | ned.deily, 2018-06-12 00:08 |
| PR 7651 | merged | miss-islington, 2018-06-12 00:27 |
| PR 7652 | merged | ned.deily, 2018-06-12 01:15 |
Messages (8)

msg301970 - Author: Christian Heimes (christian.heimes) - Date: 2017-09-12 16:08

From #31431, the documentation of CERT_OPTIONAL and CERT_REQUIRED is misleading. For client-side sockets, CERT_OPTIONAL does **NOT** mean that no certificates will be required from the other side of the socket connection. The server **must** provide a cert and the client **requires** the cert to be valid and trusted by a trusted CA.

Internally, the _ssl.c extension module sets:

- CERT_NONE: SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_cb)
- CERT_OPTIONAL: SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cb)
- CERT_REQUIRED: SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)

According to https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_verify.html, SSL_VERIFY_FAIL_IF_NO_PEER_CERT is ignored in client mode.

This means for client-side sockets:

- CERT_NONE: server must provide any cert, verification error does not prevent handshake
- CERT_OPTIONAL == CERT_REQUIRED
- CERT_REQUIRED: server must provide a correct certificate that is trusted by a root CA in the trust store of the client

For server-side sockets:

- CERT_NONE: Don't ask client for a TLS client auth cert
- CERT_OPTIONAL: Ask client for a TLS client auth cert, don't fail if the client does not provide one. IIRC the cert must validate and be trusted by a CA in the trust store of the server (TODO: verify this)
- CERT_REQUIRED: Ask client for TLS client auth cert, fail if client does not provide a certificate during the handshake.

msg301976 - Author: Christian Heimes (christian.heimes) - Date: 2017-09-12 16:41

PS: OpenSSL still validates the chain when SSL_VERIFY_NONE is set. In that mode OpenSSL just does not abort the handshake when an error occurs. OpenSSL keeps the last verification error around, see #31372.
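As an added illustration (not code from this issue or from CPython), here is a small audit over real `ssl.SSLContext` objects that encodes the client-side and server-side behaviour Christian lays out above, plus his PS that SSL_VERIFY_NONE still runs the chain check without aborting. The `audit_context`/`context_for`/`cert_none_guard_holds` names and the finding strings are my own; the stdlib `ValueError` guard it exercises is real CPython behaviour.

```python
import ssl


def audit_context(ctx: ssl.SSLContext, side: str) -> list:
    """Findings on what ctx.verify_mode really enforces for a client or server.

    Mapping from the issue: CERT_NONE -> SSL_VERIFY_NONE (chain still checked,
    errors never abort), CERT_OPTIONAL -> SSL_VERIFY_PEER, CERT_REQUIRED ->
    SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT. OpenSSL ignores the
    FAIL_IF flag in client mode, so for clients CERT_OPTIONAL == CERT_REQUIRED.
    """
    mode, findings = ctx.verify_mode, []
    if side == "client":
        if mode == ssl.CERT_NONE:
            findings.append("HIGH: server certificate errors do not abort the handshake")
        else:
            findings.append("ok: server cert must be present, valid and trusted")
        if not ctx.check_hostname:
            findings.append("HIGH: hostname is not matched against the server cert")
    elif side == "server":
        if mode == ssl.CERT_NONE:
            findings.append("info: no client certificate is requested")
        elif mode == ssl.CERT_OPTIONAL:
            findings.append("info: client cert requested, but a client may omit it")
        else:
            findings.append("ok: handshake fails unless the client presents a trusted cert")
    else:
        raise ValueError("side must be 'client' or 'server'")
    return findings


def context_for(side: str, mode_name: str) -> ssl.SSLContext:
    """Build a context for side with verify_mode taken from its constant name.

    PROTOCOL_TLS_CLIENT contexts start as CERT_REQUIRED with check_hostname on,
    so CERT_NONE only applies after hostname checks are disabled (the weak
    setup the audit flags); PROTOCOL_TLS_SERVER contexts start as CERT_NONE.
    """
    proto = ssl.PROTOCOL_TLS_CLIENT if side == "client" else ssl.PROTOCOL_TLS_SERVER
    ctx = ssl.SSLContext(proto)
    mode = getattr(ssl, mode_name)  # e.g. "CERT_OPTIONAL" -> ssl.CERT_OPTIONAL
    if mode == ssl.CERT_NONE:
        ctx.check_hostname = False
    ctx.verify_mode = mode
    return ctx


def cert_none_guard_holds() -> bool:
    """True if the stdlib refuses CERT_NONE while check_hostname is enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:  # "Cannot set verify_mode to CERT_NONE when check_hostname is enabled."
        return True
    return False
```

Run `audit_context(context_for("client", "CERT_OPTIONAL"), "client")` and the CERT_REQUIRED variant side by side to see that the client findings are identical.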
msg319350 - Author: Ned Deily (ned.deily) - Date: 2018-06-11 22:59

New changeset ef24b6c54d40e7820456873a6eab6ef57d2bd0db by Ned Deily (Christian Heimes) in branch 'master': bpo-31432: Clarify ssl CERT_NONE/OPTIONAL/REQUIRED docs. (GH-3530) https://github.com/python/cpython/commit/ef24b6c54d40e7820456873a6eab6ef57d2bd0db

msg319351 - Author: Ned Deily (ned.deily) - Date: 2018-06-11 23:20

New changeset a5db479ac4cdcc0d94ec1d7a594720a651d90433 by Ned Deily (Miss Islington (bot)) in branch '3.7': bpo-31432: Clarify ssl CERT_NONE/OPTIONAL/REQUIRED docs. (GH-3530) (GH-7649) https://github.com/python/cpython/commit/a5db479ac4cdcc0d94ec1d7a594720a651d90433

msg319352 - Author: Ned Deily (ned.deily) - Date: 2018-06-12 00:26

New changeset 4531ec74c4a9c8e15ee2bdec11b12796ce000f6f by Ned Deily in branch 'master': bpo-31432: Revert unrelated code changes to _ssl.c and test_ssl (GH-7650) https://github.com/python/cpython/commit/4531ec74c4a9c8e15ee2bdec11b12796ce000f6f

msg319355 - Author: Ned Deily (ned.deily) - Date: 2018-06-12 00:58

New changeset 42198571c586e0dc56836b79329f94952b1975bb by Ned Deily (Miss Islington (bot)) in branch '3.7': bpo-31432: Revert unrelated code changes to _ssl.c and test_ssl (GH-7650) (GH-7651) https://github.com/python/cpython/commit/42198571c586e0dc56836b79329f94952b1975bb

msg319356 - Author: Ned Deily (ned.deily) - Date: 2018-06-12 01:45

New changeset e25757408dc22561af9f9589c2c7e2a2fbb66ee4 by Ned Deily in branch '3.6': bpo-31432: Clarify ssl CERT_NONE/OPTIONAL/REQUIRED docs. (GH-3530) (GH-7652) https://github.com/python/cpython/commit/e25757408dc22561af9f9589c2c7e2a2fbb66ee4

msg378272 - Author: Irit Katriel (iritkatriel) - Date: 2020-10-08 18:51

This seems complete, can it be closed?
History

| Date | User | Action | Args |
|---|---|---|---|
| 2022-04-11 14:58:52 | admin | set | github: 75613 |
| 2020-10-21 16:30:55 | christian.heimes | set | status: open -> closed; resolution: fixed; stage: patch review -> resolved |
| 2020-10-08 18:51:56 | iritkatriel | set | nosy: +iritkatriel; messages: +msg378272 |
| 2018-06-12 01:45:03 | ned.deily | set | messages: +msg319356 |
| 2018-06-12 01:15:08 | ned.deily | set | pull_requests: +pull_request7271 |
| 2018-06-12 00:58:12 | ned.deily | set | messages: +msg319355 |
| 2018-06-12 00:27:47 | miss-islington | set | pull_requests: +pull_request7270 |
| 2018-06-12 00:26:34 | ned.deily | set | messages: +msg319352 |
| 2018-06-12 00:08:29 | ned.deily | set | pull_requests: +pull_request7269 |
| 2018-06-11 23:20:27 | ned.deily | set | messages: +msg319351 |
| 2018-06-11 23:00:09 | miss-islington | set | pull_requests: +pull_request7268 |
| 2018-06-11 22:59:48 | ned.deily | set | nosy: +ned.deily; messages: +msg319350 |
| 2017-09-13 05:13:38 | christian.heimes | set | keywords: +patch; stage: patch review; pull_requests: +pull_request3527 |
| 2017-09-12 16:41:44 | christian.heimes | set | messages: +msg301976 |
| 2017-09-12 16:08:56 | christian.heimes | set | nosy: +janssen,alex,dstufft |
| 2017-09-12 16:08:39 | christian.heimes | create | |