Add SSL_CTX_set_client_cert_engine

[tiran]

BPO	28695
Nosy	@tiran, @belolap, @Muffo, @bryan-hunt

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = 'https://github.com/tiran'
closed_at = None
created_at = <Date 2016-11-15.11:01:28.785>
labels = ['expert-SSL', 'type-bug', '3.8']
title = 'Add SSL_CTX_set_client_cert_engine'
updated_at = <Date 2018-07-31.22:18:46.537>
user = 'https://github.com/tiran'

bugs.python.org fields:

activity = <Date 2018-07-31.22:18:46.537>
actor = 'bryguy'
assignee = 'christian.heimes'
closed = False
closed_date = None
closer = None
components = ['SSL']
creation = <Date 2016-11-15.11:01:28.785>
creator = 'christian.heimes'
dependencies = []
files = []
hgrepos = []
issue_num = 28695
keywords = []
message_count = 7.0
messages = ['280830', '283782', '283842', '283903', '287796', '287797', '287798']
nosy_count = 4.0
nosy_names = ['christian.heimes', 'gik', 'Andrea Grandi', 'bryguy']
pr_nums = []
priority = 'normal'
resolution = None
stage = 'needs patch'
status = 'open'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue28695'
versions = ['Python 3.8']

[tiran]

Python's ssl module does not support smartcard authentication of clients.
In order to use an external engine like OpenSC's engine_pkcs11, SSLContext must be configured to use a loaded engine for client cert auth. It's really simple. Pseudo code without error reporting, engine_id is a char*:

ENGINE *e = ENGINE_by_id(engine_id);
SSL_CTX_set_client_cert_engine(ctx, e);

[belolap]

Why not to call OPENSSL_config() to use openssl.cnf?

--- ./Modules/_ssl.c.orig       2016-12-21 23:30:36.277184891 +0300
+++ ./Modules/_ssl.c    2016-12-21 23:35:18.488508435 +0300
@@ -4514,6 +4514,8 @@
     PySocketModule = *socket_api;
 
     /* Init OpenSSL */
+    OPENSSL_config(NULL);
+
     SSL_load_error_strings();
     SSL_library_init();
 #ifdef WITH_THREAD

(Patch for example, for 3.5.2 source, not try to compile)

[tiran]

OPENSSL_config() is deprecated. I'm going to wrap CONF_modules_load_file(), CONF_modules_load() and NCONF_load_bio().

[muffo]

What about using OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL) instead of OPENSSL_config()?

[belolap]

Is there any news?

[tiran]

I haven't started to design the new feature yet. Since it is going to be a new feature and feature freeze of 3.7 is 2018-01-29, I'm going to start working on new stuff around in April or May for PyCon.

[belolap]

Ok, thank you.

[alonbl]

Hello,
Any news? it is important to be able to use private key from external devices and it fairly trivial to let openssl implement this. In future it can be extended but for now, please support it with minimal effort.
Thanks,

[krishnan793]

Any update on this? Can you share if it's possible to have a local patch to enable this?

[joenpera]

3.13.0 is out. Any update to this?

[tschenkelz]

Would also really appreciate it to get Mutual TLS handshake done using yubikey PIV

[aryeht]

mTLS handshake example with asyncio tested on the TPM device on a regular laptop available here: tpm2-software/tpm2-tools#3461

[tschenkelz]

I guess tpm is somehow different then (proper) smartcards. They are designed to prevent you from obtaining the private key that's stored on it. So there is no way to put it into a .pem file.