This post originated from an RSS feed registered with Python Buzz
by Ng Pheng Siong.
Original Post: ZServerSSL Client Cert-based Authentication
Feed Title: (render-blog Ng Pheng Siong)
Feed URL: http://sandbox.rulemaker.net/ngps/rdf10_xml
Feed Description: Just another this here thing blog.
Somebody asked me about client certificate-based authentication in ZServerSSL. I replied but somebody's freemail provider 554'ed the dynamically-assigned IP address that I happened to be using. I'm pasting the gist of my reply here in case somebody also visits my blog.
Suppose ssl_ctx is an SSL.Context instance. Look for the method invocation "ssl_ctx.set_verify()". In my examples it is typically
    ssl_ctx.set_verify(SSL.verify_none, 10)
which means no client cert verification. If you look at line 787 of z2s.py, you'll see this chunk:
    if X509_REMOTE_USER:
        ssl_ctx.set_verify(SSL.verify_peer, 10)
    else:
        ssl_ctx.set_verify(SSL.verify_none, 10)
Meaning, for Zope 2, client cert authentication is enabled if Zope is running in X509_REMOTE_USER mode.
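To show the same switch in running code, here is an added example that is not from the post or from ZServerSSL: it uses the Python standard library's ssl module in place of M2Crypto (ssl.CERT_REQUIRED and ssl.CERT_NONE standing in for SSL.verify_peer and SSL.verify_none), builds the server context either way, and shows why a REMOTE_USER-style login may only be taken from the peer certificate in the verify_peer case. The function names, the client_ca path and the sample certificate dict are assumptions.

```python
import ssl

# Added example: the stdlib ssl module stands in for M2Crypto. ssl.CERT_REQUIRED
# and ssl.CERT_NONE correspond to the SSL.verify_peer / SSL.verify_none values
# passed to ssl_ctx.set_verify() in z2s.py. The stdlib exposes no equivalent of
# the chain-depth argument (10) on the context; OpenSSL's default depth applies.


def make_server_context(x509_remote_user, client_ca=None):
    """Build a server SSLContext the way the X509_REMOTE_USER switch does.

    x509_remote_user=True  -> verify_peer: the client must present a certificate
                              that chains to client_ca, or the handshake fails.
    x509_remote_user=False -> verify_none: the client is never asked for a cert,
                              so no identity can be derived from the connection.
    The caller still loads its own server cert with ctx.load_cert_chain().
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if x509_remote_user:
        ctx.verify_mode = ssl.CERT_REQUIRED
        if client_ca is not None:  # assumed path to the CA issuing client certs
            ctx.load_verify_locations(client_ca)
    else:
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def remote_user_from_peer_cert(peercert, verify_mode):
    """Map a verified client certificate to a REMOTE_USER-style login name.

    peercert is what SSLSocket.getpeercert() returns: None when the client sent
    no certificate, {} when one was sent but NOT verified (CERT_NONE), and a
    dict with 'subject' only when it was validated against the CA. Only that
    last case, under CERT_REQUIRED, may be treated as an authenticated identity.
    """
    if verify_mode != ssl.CERT_REQUIRED or not peercert:
        return None
    # 'subject' is a tuple of RDNs, each a tuple of (attribute, value) pairs.
    subject = dict(pair for rdn in peercert.get("subject", ()) for pair in rdn)
    return subject.get("commonName")


# Constructed sample in the shape getpeercert() returns for a verified cert.
SAMPLE_PEERCERT = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "alice"),)),
    "issuer": ((("commonName", "Example Client CA"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
```

In a request handler, `remote_user_from_peer_cert(ssock.getpeercert(), ssock.context.verify_mode)` is the check to run before trusting a login taken from the certificate.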
I'll talk about X509_REMOTE_USER in a separate post.