wbond / oscrypto

Compiler-free Python crypto library backed by the OS, supporting CPython and PyPy
MIT License

Add client authentication to tls.TLSSocket() #4

Open wbond opened 8 years ago

wbond commented 8 years ago

The most complicated part of this is testing. We need to find a reliable way to test various scenarios including:

Ideally we would use something like tls-o-matic.com, however they do not provide good and bad client certs to test with.

I have no interest in creating a VM for this since it will complicate testing.

glyph commented 8 years ago

You may find https://badssl.com useful :)

wbond commented 8 years ago

I use badssl.com and tls-o-matic.com in the tests already. Unfortunately badssl.com doesn't have client auth, I don't believe. And tls-o-matic doesn't seem configured quite right to allow generating various test cases from.

karlw00t commented 8 years ago

How should the client act when you have two valid client certificates in the OS trust store?

wbond commented 7 years ago

Eventually I ran into issues with tls-o-matic.com downtime. Combined with the need to be able to provide tests for client certs, this caused me to write https://github.com/wbond/badtls.io.

It is designed in such a way that it is fairly easy to add new configurations, although it is tightly-coupled to nginx (and socat) right now. For an enterprising soul, it shouldn't be too hard to add Apache configs.

This gets us the ability to test against a server that allows client auth and requires client auth. However, it only tests interactions with OpenSSL (through nginx for the optional auth, and socat for the required auth). While not a strict requirement for CI, it would be good to test with some other TLS servers, such as IIS, Apache, a Go server, and a Java server.

jsfrerot commented 4 years ago

Simply adding a comment to say that this is a feature I would like to see implemented. I've encountered an issue while trying to validate certificates on servers that require SSL authentication:

oscrypto.errors.TLSError: TLS handshake failed - client authentication required

wbond commented 4 years ago

Unfortunately I don't really have time to work on oscrypto these days - it does most of what I've needed, and my projects using it are in need of work before I would have time to invest in this library.

I am open to someone taking up the torch to do the research and implementation of what APIs in OpenSSL, Security Framework (Mac) and SChannel (Windows) need to be called to set up client auth. I can certainly give pointers and review code.