irmen
commented
3 years ago CA_CERTS is undocumented (my mistake - I'll try to rectify that)
You should be able to not only put a filename for a *.pem file in there, but alternatively, a directory path containing certs. In that case, Pyro is passing it to the ssl.context object it gets from sl.create_default_context(), as capath parameter... of which the python documentation says: "The capath string, if present, is the path to a directory containing several CA certificates in PEM format, following an OpenSSL specific layout."
If that doesn't work I'm not sure how to proceed. Are you getting an error of some sort? Perhaps you could investigate that particular Python ssl module method call? I must confess I am unfamiliar with its specifics regarding this and was just following the documentation.
Is it possible to use 2-way SSL when also using a nameserver to look up Pyro objects on other remote computers? I've been having a lot of trouble with the self-signed certificates, since setting
config.SSL_CACERTSto a directory to allow for multiple acceptable client certificates doesn't seem to work for me. Perhaps I'm not storing the certificates correctly in that directory, I'm saving them as<HASH-VALUE>.0, but Pyro doesn't seem to like using directories for CA_CERTS?One of the biggest problems is that I use a certificate for the nameserver, a certificate for the object server, and a certificate for the client, but the object server has to authenticate the certificate for both the nameserver (when it's trying to register the Pyro object) using
locate_ns()as well as the client when it tries to connect (and they're different certificates). And it doesn't seem right to use just the same single certificate between all three computers.Is this a scenario you have encountered before, and can Pyro5 be configured to handle it?