
27 November 2004

ZServerSSL Client Cert-based Authentication

Somebody asked me about client certificate-based authentication in ZServerSSL. I replied but somebody's freemail provider 554'ed the dynamically-assigned IP address that I happened to be using. I'm pasting the gist of my reply here in case somebody also visits my blog.

Suppose ssl_ctx is an SSL.Context instance. Look for the method invocation "ssl_ctx.set_verify()". In my examples it is typically

    ssl_ctx.set_verify(SSL.verify_none, 10)

which means no client cert verification. If you look at line 787 of z2s.py, you'll see this chunk:

    if X509_REMOTE_USER:
        ssl_ctx.set_verify(SSL.verify_peer, 10)
    else:
        ssl_ctx.set_verify(SSL.verify_none, 10)

In other words, for Zope 2, client cert authentication is enabled if Zope is running in X509_REMOTE_USER mode.

I'll talk about X509_REMOTE_USER in a separate post.
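An added example, not code from this post or from ZServerSSL/M2Crypto: a static check that finds `set_verify()` calls in Python source and reports whether each one leaves client certificates unrequested, optional, or required. It relies on OpenSSL's server-side semantics, where `verify_peer` alone requests a certificate but still completes the handshake if the client sends none, and adding `verify_fail_if_no_peer_cert` makes the certificate mandatory. The function names and the third call in the sample are hypothetical.

```python
import ast

# Verify-mode flag names exported by M2Crypto.SSL (OpenSSL's SSL_VERIFY_*).
KNOWN = {"verify_none", "verify_peer",
         "verify_fail_if_no_peer_cert", "verify_client_once"}

# Constructed sample: the z2s.py chunk quoted in the post, plus one stricter
# call (hypothetical, not from z2s.py) to show the "required" case.
SAMPLE = '''\
if X509_REMOTE_USER:
    ssl_ctx.set_verify(SSL.verify_peer, 10)
else:
    ssl_ctx.set_verify(SSL.verify_none, 10)
ssl_ctx.set_verify(SSL.verify_peer | SSL.verify_fail_if_no_peer_cert, 10)
'''

def _flags(node):
    """Collect verify_* names from a mode expression such as `A | B`."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.BitOr):
        return _flags(node.left) | _flags(node.right)
    name = getattr(node, "attr", None) or getattr(node, "id", None)
    # Anything that is not a known flag name is only known at run time.
    return {name} if name in KNOWN else {"<dynamic>"}

def classify(flags):
    if "<dynamic>" in flags:
        return "unknown"       # cannot be judged statically
    if "verify_peer" not in flags:
        return "none"          # no certificate is requested from the client
    if "verify_fail_if_no_peer_cert" in flags:
        return "required"      # handshake fails when no cert is presented
    return "optional"          # cert is requested, checked only if sent

def audit_set_verify(source):
    """Return [(lineno, classification)] for every *.set_verify(...) call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "set_verify"):
            mode = node.args[0] if node.args else None
            for kw in node.keywords:
                if kw.arg == "mode":
                    mode = kw.value
            findings.append((node.lineno, classify(_flags(mode))))
    return sorted(findings)

if __name__ == "__main__":
    for lineno, verdict in audit_set_verify(SAMPLE):
        print(f"line {lineno}: client certificate {verdict}")
```

A result of "optional" means the application itself has to decide what to do with a connection that arrived without a certificate.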


Posted by ngps at 02:58