I've been trying to find a way to send a list of acceptable CAs to the browser from a Python webserver so that the browser presents to the user a choice of relevant certs only. This seems to work automagically when I use haproxy (it seems to infer these from the CA bundle) but a Python server using a socket wrapped in ssl.SSLContext does not seem to do so. That makes the browsers let the user choose from all available client certificates, even those that are clearly not in the CA bundle loaded on the server and have no chance of successful TLS negotiation. I only found a function for that in pyOpenSSL: https://pyopenssl.org/en/stable/api/ssl.html?highlight=acceptable_CA#OpenSSL.SSL.Context.set_client_ca_list. However, I could not find a relevant function in Python's built-in ssl library, even though it's a standard OpenSSL feature. Am I missing something?
- For the Python Requests module, this might be of help: https://stackoverflow.com/questions/42982143/python-requests-how-to-use-system-ca-certificates-debian-ubuntu – Marc Sances Aug 24 '20 at 17:30
- "even though it's a standard openssl feature." Not everything exposed at the low level by the library is available through the Python `ssl` module. Hence why `PyOpenSSL` exists, which exposes more, but still not all, parts of the library. – Patrick Mevzek Aug 24 '20 at 17:40
- Marc, nah, it's not even remotely related (other than concerning SSL in general). We're talking server-side here; Requests is an HTTP(S) client library to my knowledge. – SzJ Aug 24 '20 at 17:43
- I'm aware of that, Patrick. I just have a server built using aiohttp, and sockets are wrapped in the standard ssl library as shown in their docs. All works fine but that little feature, and I thought I'd ask here in my first post since I couldn't find a solution for that tandem. – SzJ Aug 24 '20 at 17:47
1 Answer
You can see in the tests that this (`get_client_ca_list`) works in pyOpenSSL: `conn.get_client_ca_list()` is a binding directly to the C function `OpenSSL.SSL.Context.set_client_ca_list` you refer to.

That answers the direct question asked; however, for a complete solution to what appears to be your setup (i.e. using requests and retrieving the list of CA subjects), you can combine the above with a 'connection inspector' for requests. I.e. if you are interacting with the server (in client context) using requests, it is possible to get a handle for `conn` using this solution: "Is it possible to identify TLS info. in requests response?" The pyOpenSSL code to do it is explained here: https://stackoverflow.com/a/69444406/1490061
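As an added example (not code from the question or the answer), here is the server side of this with pyOpenSSL, which the answer points to: the bundle's CAs go into the context's trust store and their subject names into `set_client_ca_list`, and `advertised_client_cas` reads back what a server-side connection would send in its CertificateRequest. It assumes pyOpenSSL is installed; the two CAs are generated at runtime as a constructed stand-in for a real bundle.

```python
from OpenSSL import SSL, crypto

def split_pem_bundle(bundle: bytes) -> list:
    """Return each PEM certificate block contained in a CA bundle."""
    begin, end = b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----"
    blocks, start = [], bundle.find(begin)
    while start != -1:
        stop = bundle.find(end, start) + len(end)
        blocks.append(bundle[start:stop] + b"\n")
        start = bundle.find(begin, stop)
    return blocks

def make_server_context(ca_bundle: bytes) -> SSL.Context:
    """Server context that trusts the bundle's CAs and advertises their names."""
    ctx = SSL.Context(SSL.TLS_SERVER_METHOD)
    cas = [crypto.load_certificate(crypto.FILETYPE_PEM, p) for p in split_pem_bundle(ca_bundle)]
    store = ctx.get_cert_store()
    for ca in cas:
        store.add_cert(ca)  # trust store used to verify the presented client chain
    # Names sent in CertificateRequest; this is what lets a browser filter its cert picker.
    ctx.set_client_ca_list([ca.get_subject() for ca in cas])
    ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
                   lambda conn, cert, errnum, depth, ok: bool(ok))
    return ctx

def advertised_client_cas(ctx: SSL.Context) -> list:
    """CNs a server-side connection on ctx would send in its CertificateRequest."""
    conn = SSL.Connection(ctx, None)  # memory-BIO connection, no socket required
    conn.set_accept_state()
    return [name.CN for name in conn.get_client_ca_list()]

def _self_signed_ca(cn: str) -> bytes:
    """Constructed throwaway CA so the example runs offline (not a real bundle)."""
    key = crypto.PKey()
    key.generate_key(crypto.TYPE_RSA, 2048)
    cert = crypto.X509()
    cert.set_version(2)
    cert.get_subject().CN = cn
    cert.set_issuer(cert.get_subject())
    cert.set_serial_number(1)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(3600)
    cert.set_pubkey(key)
    cert.sign(key, "sha256")
    return crypto.dump_certificate(crypto.FILETYPE_PEM, cert)

SAMPLE_BUNDLE = _self_signed_ca("Example Client CA 1") + _self_signed_ca("Example Client CA 2")
```

A real listener also needs its own identity via `ctx.use_certificate_file` and `ctx.use_privatekey_file` before the context is wrapped around the accepting socket; with `openssl s_client` you can confirm the names appear under "Acceptable client certificate CA names".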