Ticket #2061 defect closed fixed
_sslverify.py: Wrong use of param caCerts in OpenSSLCertificateOptions
| Reported by: | dq | Owned by: | exarkun |
| Cc: | ralphm, thijs, zooko@…, davidsarah, hs@… | Branch: | |
Wrong use of param caCerts in the constructor of class OpenSSLCertificateOptions in file _sslverify.py.
Two complaints, mainly referring to the documentation of caCerts.
a) The parameter caCertsFile does not exist.
b) These certificates are NOT SENT to the client, but used server-side to check correctness when receiving a client certificate.
The documented functionality would actually be provided when calling the pyOpenSSL exposed method ctx.load_client_ca(pemfile), which implements the code fragment from the following quote:
Quoting from the openssl documentation (openssl-0.9.8c/CHANGES.SSLeay):
If you want to use client certificates then you have to add in a bit of extra stuff in that a SSLv3 server sends a list of those CAs that it will accept certificates from ... so you have to provide a list to SSLeay otherwise certain browsers will not send client certs.
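The distinction raised in this ticket, shown as an added example (not code from the ticket or from Twisted): an in-memory pyOpenSSL handshake in which the server's trust store alone advertises no CA names, while the client CA list does. The certificate names and helper functions are constructed for illustration, and `add_client_ca` is used here as the in-memory way to fill the same list that `load_client_ca(pemfile)` fills from a file.

```python
from OpenSSL import SSL, crypto

def make_cert(cn):
    """Throwaway self-signed certificate (constructed test data)."""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509()
    cert.get_subject().CN = cn
    cert.set_serial_number(1)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(3600)
    cert.set_issuer(cert.get_subject())
    cert.set_pubkey(key)
    cert.sign(key, "sha256")
    return key, cert

def pump(a, b):
    """Move pending TLS records between two in-memory connections."""
    for src, dst in ((a, b), (b, a)):
        try:
            dst.bio_write(src.bio_read(65536))
        except SSL.WantReadError:
            pass  # nothing queued in this direction

def advertised_cas(advertise):
    """CA names the client receives in the server's CertificateRequest."""
    key, cert = make_cert("example-server")
    _, ca = make_cert("Example Client CA")
    sctx = SSL.Context(SSL.SSLv23_METHOD)  # negotiates the best shared TLS version
    sctx.use_privatekey(key)
    sctx.use_certificate(cert)
    sctx.set_verify(SSL.VERIFY_PEER, lambda *args: True)  # request a client cert
    sctx.get_cert_store().add_cert(ca)  # trust store: server-side verification only
    if advertise:
        sctx.add_client_ca(ca)  # same list that load_client_ca(pemfile) fills
    server = SSL.Connection(sctx, None)
    server.set_accept_state()
    client = SSL.Connection(SSL.Context(SSL.SSLv23_METHOD), None)
    client.set_connect_state()
    done = False
    while not done:
        done = True
        for conn in (client, server):
            try:
                conn.do_handshake()
            except SSL.WantReadError:
                done = False  # this side still waits for peer data
        pump(client, server)
    return [name.CN for name in client.get_client_ca_list()]

if __name__ == "__main__":
    print(advertised_cas(False), advertised_cas(True))
```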