[Twisted-Python] twisted.web HTTPS client certificate

Glyph glyph at twistedmatrix.com
Mon Jul 12 01:35:50 MDT 2021


> On Jul 12, 2021, at 12:07 AM, Ian Haywood <ian at haywood.id.au> wrote:
> 
> I am trying to work out how to retrieve on the server an X.509 certificate presented by the HTTPS client.  This code tries to tell me the transport has no peer certificate.
> 
> Same error when I use wget as a client, so I think my problem is in the server code. I'm using self-signed certificates.
> 
> Any clues as to what I'm doing wrong?

It's been quite a while since I tried to do this, but:

For starters, you need to specify the certificate authority that will be validating your clients' certificates.  I forget the precise specifics, but I believe if you don't specify a CA that will be used, it won't prompt the client to present a certificate in the first place; and also there's nothing for your endpoint to validate against, so what would it even do if the client did present one, other than let you retrieve it?  The point is not to inspect the certificate but to authenticate it; an API that let you inspect it without first validating it against a CA would be a security nightmare.  And generally client certs are not understood to be validated by webtrust CAs, so "just validate it like usual" doesn't apply, since you can't check the SANs for a hostname.

There's a guide to doing this programmatically here: https://docs.twistedmatrix.com/en/twisted-21.2.0/core/howto/ssl.html#tls-server-with-client-authentication-via-client-certificate-verification - I believe that this edge-case is not supported by endpoints.serverFromString.

If it's within your control to avoid, don't use client certificate authentication from HTTPS clients.  It unnecessarily leaks a bunch of peripheral information to the service you're authenticating to, the UX is a disaster on basically every browser, and most of the big players have stopped caring about this use-case in favor of things like webauthn that properly exist entirely outside of the setup process for a secure channel.  I confess I used to think client cert auth was really cool myself, but luckily nothing I did with it ever took off :-).

That said: as long as the use-case exists, Twisted should have good support for it.  Adding a clientCA argument to twisted.internet.endpoints._parseSSL so that serverFromString would support it would be a pretty simple PR to put together, so if you've got to bite the bullet on this, a contribution to close the gap here would be appreciated.  Twisted is nothing if not a tool that should make it seamless to integrate with every bad idea anyone's had in a protocol design ;-).

-g
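[Editor's note, added to this archived message and not part of Glyph's reply or of Twisted: the behaviour described above, that a server which has not been told which CA to trust never asks the client for a certificate and so sees no peer certificate, is a property of the TLS handshake rather than of Twisted. The example below demonstrates it with the Python standard library's ssl module so that it runs without Twisted installed; the Twisted equivalent is the `certificate.options(authority)` setup in the linked howto. It mints throwaway self-signed certificates with the openssl command-line tool (assumed to be on PATH), runs four loopback handshakes, and reports what the server can see in each. The certificate names, file layout and scenario labels are constructed for the example.]

```python
"""Why a TLS server must name a client-cert trust anchor before it can see a client cert.

Added illustration (not Twisted code). Assumes an `openssl` CLI on PATH and
loopback networking; all certificates are throwaway self-signed fixtures.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

CLIENT_CN = "client"   # constructed fixture names, not from the original thread
SERVER_CN = "server"


def make_self_signed(dirpath, cn):
    """Mint a self-signed certificate and key with the openssl CLI (fixture only)."""
    key = os.path.join(dirpath, f"{cn}.key")
    crt = os.path.join(dirpath, f"{cn}.crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={cn}", "-keyout", key, "-out", crt],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return crt, key


def server_context(server_crt, server_key, client_ca=None):
    """Server-side context; `client_ca` is the missing piece from the original question."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_crt, server_key)
    if client_ca is not None:
        # Naming a trust anchor does two things: the server now sends a
        # CertificateRequest, and it has something to validate the reply
        # against. For a self-signed client cert the anchor is that cert itself.
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=client_ca)
    return ctx


def client_context(server_crt, client_crt=None, client_key=None):
    """Client-side context that trusts the self-signed server cert directly."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # the fixture CN is a label, not a hostname
    ctx.load_verify_locations(cafile=server_crt)
    if client_crt is not None:
        ctx.load_cert_chain(client_crt, client_key)   # offered only if the server asks
    return ctx


def handshake_peer_cn(srv_ctx, cli_ctx):
    """One loopback handshake. Returns ("ok", cn_or_None) or ("error", reason)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    outcome = {}

    def serve():
        conn, _ = listener.accept()
        conn.settimeout(10)
        try:
            # wrap_socket performs the handshake, including client-cert validation.
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                cert = tls.getpeercert()          # None unless requested and validated
                cn = None
                if cert:
                    cn = {k: v for rdn in cert["subject"] for k, v in rdn}["commonName"]
                tls.send(b"ok")                   # let the client see the verdict first
                outcome["result"] = ("ok", cn)
        except OSError as exc:                    # ssl.SSLError is an OSError
            outcome["result"] = ("error", getattr(exc, "reason", type(exc).__name__))

    t = threading.Thread(target=serve)
    t.start()
    try:
        with socket.create_connection(listener.getsockname(), timeout=10) as raw, \
                cli_ctx.wrap_socket(raw) as tls:
            tls.recv(2)                           # a rejected handshake surfaces here
    except OSError:
        pass                                      # alert or reset from the server
    t.join(timeout=10)
    listener.close()
    return outcome.get("result", ("error", "no-result"))


def run_scenarios():
    """Four handshakes that together show the point made in the reply above."""
    with tempfile.TemporaryDirectory() as d:
        s_crt, s_key = make_self_signed(d, SERVER_CN)
        c_crt, c_key = make_self_signed(d, CLIENT_CN)
        with_cert = client_context(s_crt, c_crt, c_key)
        no_cert = client_context(s_crt)
        return {
            # No client CA on the server: it never asks, so there is nothing to retrieve.
            "no_ca_configured": handshake_peer_cn(server_context(s_crt, s_key), with_cert),
            # Server trusts the client's own self-signed cert: validated and retrievable.
            "trust_client_cert": handshake_peer_cn(server_context(s_crt, s_key, c_crt), with_cert),
            # Anchor is some other cert: the presented cert fails validation, handshake aborts.
            "wrong_anchor": handshake_peer_cn(server_context(s_crt, s_key, s_crt), with_cert),
            # Cert required but the client has none: handshake aborts.
            "client_has_none": handshake_peer_cn(server_context(s_crt, s_key, c_crt), no_cert),
        }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:18s} -> {result}")
```

The first scenario is the situation in the question: the client has a certificate loaded, the server's getpeercert() still returns None, because without a configured trust anchor the server never sends a CertificateRequest. The third and fourth show the other half of the argument: once an anchor is named, a certificate that does not chain to it (or is absent) aborts the handshake, so application code only ever sees a certificate that has already been validated.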
