New submission from Christian Heimes:

> From #31431, the documentation of CERT_OPTIONAL and CERT_REQUIRED is
> misleading. For client-side sockets, CERT_OPTIONAL does **NOT** mean that no
> certificates will be required from the other side of the socket connection.
> The server **must** provide a cert and the client **requires** the cert to be
> valid and trusted by a trusted CA.
Internally, the _ssl.c extension module sets:

  CERT_NONE:     SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_cb)
  CERT_OPTIONAL: SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_cb)
  CERT_REQUIRED: SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb)

According to https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_verify.html
SSL_VERIFY_FAIL_IF_NO_PEER_CERT is ignored in client mode. This means for
client-side sockets:

  CERT_NONE:     server must provide any cert, verification error does not
                 prevent handshake
  CERT_OPTIONAL == CERT_REQUIRED
  CERT_REQUIRED: server must provide a correct certificate that is trusted by
                 a root CA in the trust store of the client

For server-side sockets:

  CERT_NONE:     don't ask client for a TLS client auth cert
  CERT_OPTIONAL: ask client for a TLS client auth cert, don't fail if the
                 client does not provide one. IIRC the cert must validate and
                 be trusted by a CA in the trust store of the server
                 (TODO: verify this)
  CERT_REQUIRED: ask client for a TLS client auth cert, fail if the client
                 does not provide a certificate during the handshake.

----------
assignee: docs@python
components: Documentation, SSL
messages: 301970
nosy: christian.heimes, docs@python
priority: normal
severity: normal
status: open
title: Documentation for CERT_OPTIONAL is misleading
type: behavior
versions: Python 2.7, Python 3.6, Python 3.7

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue31432>
_______________________________________
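The client-side and server-side tables in the report above, exercised end to end. This is an added example written for this page, not code from the tracker or from CPython. It drives TLS handshakes entirely in memory with ssl.MemoryBIO (no sockets), so it runs offline; the only assumption is that either the `openssl` command-line tool or the third-party `cryptography` package is available to mint two throw-away self-signed certificates (one for the server, one for a client). Scenario names and the `make_self_signed`, `handshake` and `run_scenarios` helpers are this example's own. Besides the cases listed in the report it also covers the one flagged "TODO: verify this": a client that does offer a cert under server-side CERT_OPTIONAL, once with a trusted and once with an untrusted cert.

```python
"""Added example, not code from the tracker or CPython: drive in-memory TLS
handshakes with each ssl.CERT_* mode on the client side and on the server side.
Assumes the `openssl` CLI (or the `cryptography` package) can mint test certs."""
import datetime
import os
import ssl
import subprocess
import tempfile


def make_self_signed(tmpdir, name):
    """Write <name>.pem and <name>-key.pem: a self-signed cert for CN=<name>."""
    cert, key = (os.path.join(tmpdir, name + s) for s in (".pem", "-key.pem"))
    try:  # preferred path: the openssl CLI (assumed installed)
        subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                        "-subj", "/CN=" + name, "-days", "1", "-keyout", key,
                        "-out", cert], check=True, capture_output=True)
    except FileNotFoundError:  # fallback: the `cryptography` package (assumed)
        from cryptography import x509
        from cryptography.x509.oid import NameOID
        from cryptography.hazmat.primitives import hashes, serialization
        from cryptography.hazmat.primitives.asymmetric import rsa
        priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
        subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
        now = datetime.datetime.utcnow()
        crt = (x509.CertificateBuilder().subject_name(subj).issuer_name(subj)
               .public_key(priv.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=5))
               .not_valid_after(now + datetime.timedelta(days=1))
               .sign(priv, hashes.SHA256()))
        with open(key, "wb") as f:
            f.write(priv.private_bytes(serialization.Encoding.PEM,
                    serialization.PrivateFormat.PKCS8, serialization.NoEncryption()))
        with open(cert, "wb") as f:
            f.write(crt.public_bytes(serialization.Encoding.PEM))
    return cert, key


def handshake(client_ctx, server_ctx):
    """Run one TLS handshake entirely in memory; return (completed, reason)."""
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    client = client_ctx.wrap_bio(c_in, c_out, server_hostname="server")
    server = server_ctx.wrap_bio(s_in, s_out, server_side=True)
    # [SSLObject, its outgoing BIO, the peer's incoming BIO, finished?]
    sides = [[client, c_out, s_in, False], [server, s_out, c_in, False]]
    try:
        for _ in range(16):  # more round trips than any handshake needs
            for side in sides:
                if not side[3]:
                    try:
                        side[0].do_handshake()
                        side[3] = True
                    except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
                        pass
                pending = side[1].read()  # records or alerts just produced ...
                if pending:
                    side[2].write(pending)  # ... delivered to the other side
            if sides[0][3] and sides[1][3]:
                return True, None
        return False, "handshake stalled"
    except ssl.SSLError as exc:  # verification failure, missing cert, etc.
        return False, exc.reason or str(exc)


def run_scenarios():
    """Return {scenario: (completed, reason)} for each CERT_* combination."""
    with tempfile.TemporaryDirectory() as tmp:
        srv = make_self_signed(tmp, "server")  # (cert, key) the server presents
        cli = make_self_signed(tmp, "client")  # (cert, key) a client may present

        def client(mode, trust=False, own=None):
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False  # keep hostname matching out of the picture
            ctx.verify_mode = mode
            if trust:  # make the server's self-signed cert a trust anchor
                ctx.load_verify_locations(srv[0])
            if own:  # offer this (cert, key) if the server asks for one
                ctx.load_cert_chain(*own)
            return ctx

        def server(mode):
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
            ctx.load_cert_chain(*srv)
            ctx.verify_mode = mode
            ctx.load_verify_locations(cli[0])  # only the client's cert is trusted
            return ctx

        N, O, R = ssl.CERT_NONE, ssl.CERT_OPTIONAL, ssl.CERT_REQUIRED
        cases = {
            "client NONE, untrusted server": (client(N), server(N)),
            "client OPTIONAL, untrusted server": (client(O), server(N)),
            "client REQUIRED, untrusted server": (client(R), server(N)),
            "client OPTIONAL, trusted server": (client(O, trust=True), server(N)),
            "server OPTIONAL, no client cert": (client(R, trust=True), server(O)),
            "server OPTIONAL, trusted client cert": (client(R, True, cli), server(O)),
            "server OPTIONAL, untrusted client cert": (client(R, True, srv), server(O)),
            "server REQUIRED, no client cert": (client(R, trust=True), server(R)),
            "server REQUIRED, trusted client cert": (client(R, True, cli), server(R)),
        }
        return {k: handshake(c, s) for k, (c, s) in cases.items()}
```

Calling run_scenarios() shows the two client-side rows collapsing into one (OPTIONAL and REQUIRED both abort with CERTIFICATE_VERIFY_FAILED against an untrusted server, and both succeed once the server's cert is in the client's trust store) while on the server side the three modes stay distinct: OPTIONAL tolerates a missing client cert but still rejects one that is offered and fails verification, and REQUIRED additionally rejects the missing one. Note that check_hostname is switched off deliberately so that only verify_mode is under test; hostname matching is a separate check layered on top of CERT_REQUIRED.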