JimmyJames


hypercorn: client-certificate verification

I'm trying to enable client certificate validation in hypercorn. If it matters, I'm using FastAPI. The documentation directs me to use the --verify-mode parameter and states simply:

SSL verify mode for peer’s certificate, see ssl.VerifyMode enum for possible values.

I tried a few guesses but got a fatal error: "hypercorn: error: argument --verify-mode: Not a valid verify mode"

I poked around a bit and found this code in the project history:

if self.verify_mode is not None:
    context.verify_mode = self.verify_mode

So I did this to verify the valid values (Python 3.8):

>>> import ssl
>>> context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
>>> context.verify_mode
<VerifyMode.CERT_NONE: 0>
>>> context.verify_mode = 1
>>> context.verify_mode
<VerifyMode.CERT_OPTIONAL: 1>
>>> context.verify_mode = 2
>>> context.verify_mode
<VerifyMode.CERT_REQUIRED: 2>
>>> context.verify_mode = 4
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "...ssl.py", line 720, in verify_mode
    super(SSLContext, SSLContext).verify_mode.__set__(self, value)
ValueError: invalid value for verify_mode

However, trying to pass 0, 1, or 2 to --verify-mode all gives the "Not a valid verify mode" error. I am able to pass these values using --cert-reqs with the warning "Warning: Please use verify_mode instead", but it starts, and based on the code I see in config.py, it seems like this does the right thing and sets the SSLContext verify_mode value.

Unfortunately, this doesn't seem to do anything. I would expect to be prompted for a client certificate when I do a GET in the browser or at least an error since it is set to 'required'. But instead, I get a good 200 error code response.

I can't find any good examples, tutorials, or documentation about doing this with hypercorn. Is there something else here that I need to do such as setting some other properties? Any guidance is appreciated.

Upvotes: 1

Views: 1363

Answers (1)

JimmyJames


I initially thought that cert-reqs wasn't doing anything. However in working on something else, I found that this was a result of phantom processes likely created because I was using the --reload flag. I am now prompted for a client-certificate when the cert-reqs option is set to 1 or 2. I am still getting a warning and I believe the verify-mode option is not working properly but the underlying behavior seems OK.

Upvotes: 1
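Putting the question and the answer together, here is an added example (mine, not code from the post or from hypercorn) that builds the server-side SSLContext with the standard library alone: it accepts a verify mode either as an ssl.VerifyMode name or as the integer the question experimented with (the "Not a valid verify mode" error reads like a name lookup, but that is an assumption about hypercorn's CLI), sets verify_mode the way the quoted config.py snippet does, and flags the settings that silently fail to enforce client certificates.

```python
import ssl
from typing import List, Optional


def parse_verify_mode(value: str) -> ssl.VerifyMode:
    """Accept the enum name ("CERT_REQUIRED") or its integer value ("2")."""
    value = value.strip()
    if value.isdigit():
        try:
            return ssl.VerifyMode(int(value))  # 4 is not a member, as the REPL session showed
        except ValueError:
            raise ValueError(f"Not a valid verify mode: {value}")
    try:
        return ssl.VerifyMode[value.upper()]
    except KeyError:
        raise ValueError(f"Not a valid verify mode: {value}")


def build_server_context(
    verify_mode: ssl.VerifyMode,
    certfile: Optional[str] = None,  # hypothetical paths; None keeps the example offline
    keyfile: Optional[str] = None,
    ca_certs: Optional[str] = None,
) -> ssl.SSLContext:
    """Server-side context: the server's own cert plus the CA used to check clients."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    ctx.verify_mode = verify_mode  # same assignment as hypercorn's config.py snippet
    if ca_certs:
        ctx.load_verify_locations(cafile=ca_certs)  # the CA that must sign client certs
    return ctx


def audit_client_auth(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a reviewer would raise about client-certificate enforcement."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("CERT_NONE: client certificates are neither requested nor checked")
    elif ctx.verify_mode == ssl.CERT_OPTIONAL:
        findings.append("CERT_OPTIONAL: a client that sends no certificate is still accepted")
    if ctx.verify_mode != ssl.CERT_NONE and not ctx.get_ca_certs():
        findings.append("no CA loaded: every presented client certificate will fail validation")
    return findings


if __name__ == "__main__":
    ctx = build_server_context(parse_verify_mode("CERT_REQUIRED"))
    print(ctx.verify_mode, audit_client_auth(ctx))
```

With real files, pass certfile, keyfile and ca_certs; the audit then returns an empty list only for CERT_REQUIRED with a CA loaded, which is the combination that actually rejects unauthenticated clients.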
