Add support for TLS client certificates #5
Reference: solderpunk/AV-98#5
Hi!
I'm working on a new gemini site that uses TLS client certificates for user accounts. I'm specifically interested in supporting verified client certificates (not the self-signed, transient ones). To the best of my knowledge, none of the existing gemini clients support this feature yet.
This PR allows specifying an optional client certificate and keyfile that will be added to the python SSL context. I moved the SSL context to global scope to avoid needing to re-load the certs with each request. I also fixed a separate bug that I saw with setting the TLS version options using | instead of |=
You can test this using the client certificate and key that I have generated here:
Against mozz.us, which requires a verified client certificate:
Against conman.org, which will accept any client certificate:
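The two changes described in this PR, a process-wide SSL context that optionally carries a client certificate, and the option-flag assignment bug, are shown below in an added example. This is illustrative code written for this page, not AV-98's own source. The function names (build_context, get_context, options_demo) and the module-level _CONTEXT cache are assumptions; the certificate and key are assumed to be PEM files, and the context keeps Python's default server-certificate verification (a Gemini client doing TOFU would adjust verify_mode itself).

```python
import ssl
import warnings
from typing import Optional

# One context for the whole process: the client certificate and key are
# parsed once at startup instead of on every request (assumed cache name).
_CONTEXT: Optional[ssl.SSLContext] = None


def build_context(cert_path: Optional[str] = None,
                  key_path: Optional[str] = None) -> ssl.SSLContext:
    """Build a client-side TLS context, optionally presenting a client cert."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT already enables hostname checking and CERT_REQUIRED.
    # Refuse TLS 1.0/1.1; minimum_version is the supported replacement for
    # the deprecated OP_NO_TLSv1 / OP_NO_TLSv1_1 option flags.
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_path:
        # PEM certificate (chain) plus private key; keyfile may be None when
        # the key is stored in the same file as the certificate.
        context.load_cert_chain(certfile=cert_path, keyfile=key_path)
    return context


def get_context(cert_path: Optional[str] = None,
                key_path: Optional[str] = None) -> ssl.SSLContext:
    """Return the shared context, building it on first use."""
    global _CONTEXT
    if _CONTEXT is None:
        _CONTEXT = build_context(cert_path, key_path)
    return _CONTEXT


def options_demo() -> dict:
    """Show why `context.options | flag` is a no-op and `|=` is required."""
    flag = ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
    with warnings.catch_warnings():
        # These flags are deprecated in favour of minimum_version, but they
        # are exactly the ones the original bug concerned.
        warnings.simplefilter("ignore", DeprecationWarning)
        context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        before = bool(context.options & flag)
        context.options | flag           # computes a new mask and discards it
        after_wrong = bool(context.options & flag)
        context.options |= flag          # stores the new mask on the context
        after_right = bool(context.options & flag)
    return {"before": before, "after_wrong": after_wrong, "after_right": after_right}


if __name__ == "__main__":
    print(options_demo())   # the "|" form leaves the flags unset
    ctx = get_context()     # pass cert/key paths here to enable a client cert
    print(ctx.minimum_version, ctx.verify_mode)
```

Because `context.options` is a property, the expression form silently returns a new bitmask without touching the context, so a client written with `|` still offers TLS 1.0 and 1.1 while appearing to disable them; `|=` calls the setter and the restriction actually takes effect.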
Thanks for this! I eventually plan to make AV-98 depend upon a dedicated TLS library, since Python's stdlib support for even slightly unusual TLS arrangements is very poor - at that point, I will add proper support for client certificates in a more convenient way, including generating the transient certificates in the spec. But this patch is obviously a very sensible temporary solution to let people start experimenting with client certificates immediately, so I'm happy to have it! Thanks again.