Commit 2d93a6a7 authored by Apollon Oikonomopoulos's avatar Apollon Oikonomopoulos Committed by Guido Trotter
Browse files

Set list of trusted SSL CAs for client to verify

As per SSL_CTX_set_client_CA_list(3SSL), set the list of acceptable CAs
advertised to SSL clients to include the server's own certificate. This
evidently fixes the pycurl/gnutls RPC client.

During the TLS Handshake, when client verification is requested, the
Server sends a CertificateRequest message which states that the client
should send a valid certificate as a response. The CertificateRequest
message contains a section called "certificate_authorities", which,
according to the standard, is a list of the Distinguished Names (DNs) of
acceptable certification authorities. The client uses this list to send
a certificate signed by one of the acceptable CAs.

Under OpenSSL's server implementation, this list must be set manually
using some appropriate call, otherwise the list is empty. TLS 1.0[1]
does not state whether the list may be left blank, whereas TLS 1.1[2]
and 1.2[3] state that in case the list is blank, then the client *may*
send any certificate of a valid type (valid types are specified
elsewhere in the handshake).

OpenSSL clients seem to obey the behaviour specified in TLS 1.1+,
whereas at least curl+GnuTLS does not send any certificates if the list
is empty (which is not wrong per the spec, but also evidently not


Signed-off-by: default avatarApollon Oikonomopoulos <>
Reviewed-by: default avatarMichael Hanselmann <>
Reviewed-by: default avatarGuido Trotter <>
parent dbc4dda7
......@@ -550,6 +550,7 @@ class HttpSslParams(object):
self.ssl_key_pem = utils.ReadFile(ssl_key_path)
self.ssl_cert_pem = utils.ReadFile(ssl_cert_path)
self.ssl_cert_path = ssl_cert_path
def GetKey(self):
return OpenSSL.crypto.load_privatekey(OpenSSL.crypto.FILETYPE_PEM,
......@@ -609,6 +610,15 @@ class HttpBase(object):
# Also add our certificate as a trusted CA to be sent to the client.
# This is required at least for GnuTLS clients to work.
# This will fail for PyOpenssl versions before 0.10
except AttributeError:
# Fall back to letting OpenSSL read the certificate file directly.
return OpenSSL.SSL.Connection(ctx, sock)
def GetSslCiphers(self): # pylint: disable-msg=R0201
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment