Add support for TLS client certificates #5

Merged
solderpunk merged 1 commits from michael-lazar/AV-98:client_certificates into master 2020-03-24 19:11:51 +00:00
Contributor

Hi!

I'm working on a new gemini site that uses TLS client certificates for user accounts. I'm specifically interested in supporting verified client certificates (not the self-signed, transient ones). To the best of my knowledge, none of the existing gemini clients support this feature yet.

This PR allows specifying an optional client certificate and keyfile that will be added to the Python SSL context. I moved the SSL context to global scope to avoid needing to re-load the certs with each request. I also fixed a separate bug that I saw with setting the TLS version options using ``|`` instead of ``|=``.

You can test this using the client certificate and key that I have generated here:

- https://portal.mozz.us/gemini/mozz.us/tls/mozz_client.crt?raw=1
- https://portal.mozz.us/gemini/mozz.us/tls/mozz_client.key?raw=1

Against mozz.us, which requires a verified client certificate:

```
./av98.py --tls-cert client.crt --tls-key client.key gemini://mozz.us/cgi-bin/top-secret
```

Against conman.org, which will accept any client certificate:

```
./av98.py --tls-cert client.crt --tls-key client.key gemini://gemini.conman.org/private/
```
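The two changes the PR describes, a module-level `SSLContext` that optionally carries a client certificate and the `|` versus `|=` mistake on the TLS version options, as an added Python example (this is not AV-98's own code; the function names and the `minimum_version` setting are my choices):

```python
import ssl
import warnings


def build_context(cert_file=None, key_file=None):
    """Return a client SSLContext, optionally carrying a client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Gemini clients use trust-on-first-use rather than CA chains, so the
    # stdlib's CA verification is switched off.  check_hostname must be
    # cleared before verify_mode, otherwise the stdlib raises ValueError.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Forbid legacy protocol versions.  minimum_version is the non-deprecated
    # way to express what the PR does with OP_NO_TLSv1 / OP_NO_TLSv1_1.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_file:
        # The certificate is sent during the handshake; the server can then
        # tie the session to the user it identifies.
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def _fresh_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls1_disabled_with_pipe():
    """Reproduce the bug: `|` alone computes a value and throws it away."""
    ctx = _fresh_context()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # OP_NO_* flags are deprecated since 3.10
        ctx.options | ssl.OP_NO_TLSv1  # result discarded, ctx unchanged
        return bool(ctx.options & ssl.OP_NO_TLSv1)


def tls1_disabled_with_augmented_assign():
    """The fix: `|=` writes the new flag set back into the context."""
    ctx = _fresh_context()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= ssl.OP_NO_TLSv1
        return bool(ctx.options & ssl.OP_NO_TLSv1)


# Built once at import time, as the PR does, so the cert is not re-read per request.
CONTEXT = build_context()
```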
solderpunk closed this pull request 2020-03-24 19:11:51 +00:00
Owner

Thanks for this! I eventually plan to make AV-98 depend upon a dedicated TLS library, since Python's stdlib support for even slightly unusual TLS arrangements is very poor - at that point, I will add proper support for client certificates in a more convenient way, including generating the transient certificates in the spec. But this patch is obviously a very sensible temporary solution to let people start experimenting with client certificates immediately, so I'm happy to have it! Thanks again.

Reference: solderpunk/AV-98#5