Adding support for client certificate verification in SSLAdapter (patch included)
Originally reported by: Anonymous
Enhancement
Adding support for client SSL certificate verification to wsgiserver’s SSLAdapter
Reason
SSL support is critical for modern webservers to provide secure services to users. However, there are times when applications running behind the webservers need to determine which clients are actually communicating with them. While HTTP basic_auth can provide authentication, SSL provides another means to verify client identity: client certificate verification.
Similar to the server providing its SSL certificate, when client verification is in use, clients must provide a certificate signed by a CA that the server recognizes in order for the client to be allowed to connect.
Changes
This patch adds another optional keyword argument to the SSLAdapter __init__() called client_CA. client_CA is a string that contains a path to a CA certificate. When client_CA is present, the SSLAdapter knows to perform client verification using this CA. When absent, SSLAdapter behaves as before, i.e. with no client verification.
Bugs/Issues
While verification is performed correctly for both the ssl_pyopenssl SSLAdapter and the ssl_builtin SSLAdapter, the different implementations provide varying levels of support for SSL client environment variables that are traditionally provided by Apache's mod_ssl. See Mod_SSL Environment Variables for details.
ssl_pyopenssl currently provides no client environment variables at all, due to the fact that the SSL handshake, and thus the access to the client's certificate, occurs at first data transfer - well after the environment variables are set by the SSLAdapter wrap() function.
ssl_builtin provides minimal environment variables. The major limiting factor is that python’s builtin ssl routines only expose a small amount of information about the certificates, and then only for the client certificate. This problem will be difficult to fix if ssl_builtin must depend solely on python’s ssl.
Patch
See attached Diff
Reported by nmitchell@anl.gov
- Created 13 years ago
- Comments: 24 (5 by maintainers)
Top GitHub Comments
I don’t think there’s much that can be done to revive the work that was attempted before. The project has since (a) consolidated wsgiserver2/3 modules and (b) extracted the wsgiserver functionality into cheroot. All of this refactoring means that the functionality that was created in those prior commits is largely unusable except as a reference.
I do see the reference to cherrypy/cheroot#52, which I believe re-implements this functionality in the newer codebase. It looks like maybe that PR was abandoned and is probably the best place to resume this activity.
@GP-S It looks like that patch has been reverted because of some issues. But it should be possible to modify the context attribute of the SSL Adapter you use upon initialization to have client verification enabled. @jaraco might know more.
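The two points above, the client_CA switch from the original patch and the suggestion to enable verification on the adapter's context attribute, can be shown with Python's builtin ssl module. The following is an added example, not code from CherryPy, cheroot or the attached patch. It assumes the keyword is named client_CA as in the patch, that the adapter keeps an ssl.SSLContext in a `context` attribute as the last comment suggests, and that SAMPLE_PEERCERT is a constructed stand-in for what getpeercert() returns; it also shows how far the mod_ssl-style SSL_CLIENT_* variables can be filled from that dict, which is the limitation the Bugs/Issues section describes for ssl_builtin.

```python
"""Client-certificate verification for a builtin-ssl SSLAdapter, plus a
mod_ssl-style environment built from what Python's ssl module exposes.
Added example, not code from CherryPy, cheroot or the attached patch.
Assumptions: the keyword is named client_CA (as in the patch), the adapter
keeps its ssl.SSLContext in a `context` attribute (as the last comment
suggests), and SAMPLE_PEERCERT is a constructed getpeercert() result."""
import ssl
import time
from typing import Optional


def configure_client_verification(ctx: ssl.SSLContext,
                                  client_CA: Optional[str]) -> ssl.SSLContext:
    """Mirror the patch's switch: a client_CA path turns verification on,
    None leaves the context untouched (no client certificate requested)."""
    if client_CA is not None:
        # Load the CA before flipping the mode so a bad path fails loudly;
        # CERT_REQUIRED with no trusted CA loaded would reject every client.
        ctx.load_verify_locations(cafile=client_CA)
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def new_server_context(client_CA: Optional[str] = None) -> ssl.SSLContext:
    """Build the context an adapter would keep in its `context` attribute.
    The server's own cert/key is loaded separately by the adapter, so this
    runs without any certificate files when client_CA is None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # verify_mode starts as CERT_NONE
    return configure_client_verification(ctx, client_CA)


def client_verification_enabled(ctx: ssl.SSLContext) -> bool:
    return ctx.verify_mode == ssl.CERT_REQUIRED


# Long attribute names as getpeercert() reports them -> the short forms
# mod_ssl uses inside SSL_CLIENT_S_DN / SSL_CLIENT_I_DN.
_SHORT_NAMES = {
    "countryName": "C", "stateOrProvinceName": "ST", "localityName": "L",
    "organizationName": "O", "organizationalUnitName": "OU",
    "commonName": "CN", "emailAddress": "emailAddress",
}


def dn_to_string(name) -> str:
    """((('commonName', 'x'),), ...) -> '/CN=x' in mod_ssl's slash notation."""
    parts = [f"{_SHORT_NAMES.get(attr, attr)}={value}"
             for rdn in name for attr, value in rdn]
    return "/" + "/".join(parts)


def remaining_days(not_after: str, now_seconds: float) -> int:
    """Days until the certificate's notAfter, as mod_ssl's SSL_CLIENT_V_REMAIN."""
    return int((ssl.cert_time_to_seconds(not_after) - now_seconds) // 86400)


def client_environ(peercert, now_seconds: Optional[float] = None) -> dict:
    """Fill the SSL_CLIENT_* variables the issue says ssl_builtin can only
    partly provide. getpeercert() returns None when no certificate was sent
    and {} when one was sent but not validated (CERT_NONE); both become
    SSL_CLIENT_VERIFY=NONE. Under CERT_REQUIRED a failed verification aborts
    the handshake, so a populated dict means the chain was CA-verified."""
    if not peercert:
        return {"SSL_CLIENT_VERIFY": "NONE"}
    now = time.time() if now_seconds is None else now_seconds
    env = {
        "SSL_CLIENT_VERIFY": "SUCCESS",
        "SSL_CLIENT_S_DN": dn_to_string(peercert["subject"]),
        "SSL_CLIENT_I_DN": dn_to_string(peercert["issuer"]),
        "SSL_CLIENT_M_VERSION": str(peercert.get("version", "")),
        "SSL_CLIENT_M_SERIAL": peercert.get("serialNumber", ""),
        "SSL_CLIENT_V_START": peercert.get("notBefore", ""),
        "SSL_CLIENT_V_END": peercert.get("notAfter", ""),
    }
    if "notAfter" in peercert:
        env["SSL_CLIENT_V_REMAIN"] = str(remaining_days(peercert["notAfter"], now))
    # Per-attribute variables such as SSL_CLIENT_S_DN_CN, which applications
    # usually key their authorization decisions on.
    for rdn in peercert["subject"]:
        for attr, value in rdn:
            env[f"SSL_CLIENT_S_DN_{_SHORT_NAMES.get(attr, attr)}"] = value
    return env


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "US"),), (("organizationName", "Example Lab"),),
                (("commonName", "client1"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Lab"),),
               (("commonName", "Example Client CA"),)),
    "version": 3,
    "serialNumber": "0A1B2C",
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    print("verification on without client_CA:",
          client_verification_enabled(new_server_context()))
    for key, value in sorted(client_environ(SAMPLE_PEERCERT).items()):
        print(f"{key}={value}")
```

Because the builtin ssl module performs the handshake inside wrap_socket() when do_handshake_on_connect is left at its default, getpeercert() can be called as soon as wrap() returns, which is why the variables above can be populated at the point the issue says ssl_pyopenssl cannot. With CERT_REQUIRED a client that presents no certificate, or one not chaining to client_CA, is refused during the handshake and never reaches the application, so such rejections show up only as TLS handshake failures in the server log, not as HTTP errors.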