New submission from Adrian Freund <g...@freundtech.com>:

Some networked applications might require connecting to clients with invalid 
certificates while still requiring the client to send a certificate.

ssl.SSLContext.verify_mode currently supports the following options:
ssl.CERT_NONE: Don't require the client to send a certificate and don't validate it if they send one anyway.
ssl.CERT_OPTIONAL: Don't require the client to send a certificate, but validate it if they send one.
ssl.CERT_REQUIRED: Require the client to send a certificate and validate it.

There is currently no option for servers that want to require the client to 
send a certificate but don't validate it.

This would for example be needed if a server should accept clients with 
self-signed certificates and then store their certificates to recognize them 
again later.

A concrete example is the KDEConnect protocol.

An alternative solution would be bpo-31242. That would also solve this problem 
in a more general, but also more complicated, way.

I think that the solution proposed here in this issue is better for its 
simplicity and also solves most use cases for bpo-31242.

Note that an ssl.CERT_REQUIRED_NO_VERIFY was already proposed in bpo-18293, but 
that issue was closed because it was specifically in relation to a deprecated 
API. The mentioned values are however also used in modern asyncio APIs.

----------
assignee: christian.heimes
components: SSL
messages: 413416
nosy: christian.heimes, freundTech
priority: normal
severity: normal
status: open
title: Add ssl.CERT_REQUIRED_NO_VERIFY as possible value for ssl.SSLContext.verify_mode
type: enhancement
versions: Python 3.11

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue46779>
_______________________________________
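Added example, not code from the tracker issue or from CPython: the application-side trust-on-first-use check that the self-signed-client use case above needs after the handshake has delivered the peer's certificate. It assumes the DER bytes come from SSLSocket.getpeercert(binary_form=True), that the protocol supplies its own peer identifier (for KDE Connect, a device id), and a JSON pin file layout of its own.

```python
import hashlib
import json
from pathlib import Path
from typing import Optional

# Constructed example (not from the tracker issue): a trust-on-first-use
# pin store for self-signed peer certificates. der_cert is assumed to be
# what SSLSocket.getpeercert(binary_form=True) returns after the handshake;
# peer_id is assumed to be the protocol's own identity for the peer.


class PinMismatch(Exception):
    """The peer presented a certificate different from the one pinned."""


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated like OpenSSL."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore:
    """Maps peer_id -> fingerprint seen on first contact (in-memory if no path)."""

    def __init__(self, path: Optional[Path] = None):
        self.path = path
        self.pins = json.loads(path.read_text()) if path and path.exists() else {}

    def check(self, peer_id: str, der_cert: Optional[bytes]) -> str:
        """Return "new" or "known"; raise if no cert or a different cert was sent."""
        if der_cert is None:
            # Under CERT_OPTIONAL the handshake completes without a client
            # certificate, so the application must enforce "required" itself.
            raise ValueError(f"{peer_id}: peer sent no certificate")
        fp = cert_fingerprint(der_cert)
        known = self.pins.get(peer_id)
        if known is None:
            # First contact: remember this certificate for the peer.
            self.pins[peer_id] = fp
            self._save()
            return "new"
        if known != fp:
            raise PinMismatch(f"{peer_id}: expected {known}, got {fp}")
        return "known"

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2))
```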