[Twisted-Python] twisted.web HTTPS client certificate

Glyph glyph at twistedmatrix.com
Mon Jul 12 02:27:19 MDT 2021



> On Jul 12, 2021, at 1:05 AM, Adi Roiban <adi at roiban.ro> wrote:
> 
> On Mon, 12 Jul 2021 at 08:09, Ian Haywood <ian at haywood.id.au> wrote:
> I am trying to work out how to retrieve on the server a X.509 
> certificate presented by the HTTPS client.  This code tries to tell me 
> the transport has no peer certificate.
> 
> same error when I use wget as a client so I think my problem is in the 
> server code. I'm using self-signed certificates
> 
> Any clues as to what I'm doing wrong?
> 
> Ian
> 
> 
> As commented by Glyph, you will first need to set up one or a list of accepted CAs.
> 
> Then set up a custom server-side context.
> 
> Add the CA via https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.load_verify_locations
> 
> This is done via https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.set_verify to define a path or dir,
> or implement a custom one via https://www.pyopenssl.org/en/stable/api/ssl.html#OpenSSL.SSL.Context.get_cert_store

FWIW I would avoid calling the pyOpenSSL APIs for this, since hopefully we'll manage to move away from OpenSSL and at least somewhat abstract away the transition.  These map to the 'caCerts' and 'verify=True' arguments to CertificateOptions, if you need more flexibility than the tutorial documentation that I linked previously: https://twistedmatrix.com/documents/20.3.0/api/twisted.internet.ssl.CertificateOptions.html
> Without set_verify, during the TLS/SSL handshake the server will not ask the client to send its own certificate.
> 
> ---------
>  
> I am using X509 authentication as a  passwordless authentication for automated transfers, similar to the SSH key authentication.
> 
> The x509 certificate authentication is used by the Spanish government across many of their services.
> Taxes, customs, health service ...
> 
> -- 
> Adi Roiban
