Overview:
- The creation of an SSLContext object is the first step in writing any SSL-based program in Python, be it a server or a client.
- Once an SSLContext is created, certain security policies can be defined before an SSLSocket instance is created for communicating securely using that context.
- One such important policy is whether the host expects an X.509 certificate from its peer, and what to do when that expectation is not met.
- This policy, the certificate a host expects from its peer, is defined through the SSLContext.verify_mode attribute.
- The valid values for this attribute of the SSLContext class are:
  - CERT_REQUIRED
  - CERT_OPTIONAL
  - CERT_NONE
CERT_REQUIRED:
- When CERT_REQUIRED is set on the server-side context, every client connecting to the server is asked to provide its X.509 certificate, and that client certificate is validated. If the client does not supply a certificate, or if validation fails, an SSLError is raised.
- For a server, a valid client certificate is enough to go ahead with further communication. It is not required to verify the host name of a client, as the server in question generally serves the public (numerous clients). For example, some clients may have connected to a news website by mistake, but it is fine for the server to go ahead and serve the pages, as no security or policy risk is involved.
- It is not the same for a client connecting to a server. Apart from validating the server's certificate, the client also has to validate the host name, to make sure that every time it connects it is indeed connected to the right server. Hence, for successful validation of the server's certificate at the client side, SSLContext.check_hostname must also be set to True along with assigning CERT_REQUIRED to SSLContext.verify_mode.
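The following is an added example, not code from the original page, showing the two sides of a CERT_REQUIRED deployment built as described above, plus the coupling between check_hostname and verify_mode that CPython enforces (3.7 and later). ca_bundle is a hypothetical path to the PEM bundle of the CA that signed the peer certificates; passing None falls back to the system trust store so the example runs offline.

```python
import ssl


def make_server_context(ca_bundle=None):
    """Server side: require and validate a client certificate, no hostname check.

    ca_bundle (hypothetical path) is the CA that issued the client certificates.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_bundle)
    # Handshake fails with an SSLError unless the client presents a valid cert.
    ctx.verify_mode = ssl.CERT_REQUIRED
    # A server serves arbitrary clients, so it never checks the client's hostname;
    # create_default_context() already leaves check_hostname False for CLIENT_AUTH.
    # In real use the server also loads its own key pair (hypothetical paths):
    # ctx.load_cert_chain("server.crt", "server.key")
    return ctx


def make_client_context(ca_bundle=None):
    """Client side: validate the server certificate AND the server's hostname."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    # Both settings are needed for a client; set check_hostname first so that
    # verify_mode can never be left at CERT_NONE while hostname checking is on.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def hostname_check_coupling():
    """Demonstrate that check_hostname and verify_mode are tied together.

    Returns (verify_mode after enabling check_hostname, whether CERT_NONE was refused).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Start from an insecure configuration; check_hostname must be cleared
    # before verify_mode may drop to CERT_NONE.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    # Turning hostname checking back on automatically raises verify_mode
    # from CERT_NONE to CERT_REQUIRED (CPython 3.7+ behaviour).
    ctx.check_hostname = True
    mode_after = ctx.verify_mode

    # And while check_hostname is True, CERT_NONE is refused with a ValueError.
    refused = False
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        refused = True
    return mode_after, refused


if __name__ == "__main__":
    server = make_server_context()
    client = make_client_context()
    print("server:", server.verify_mode, "check_hostname =", server.check_hostname)
    print("client:", client.verify_mode, "check_hostname =", client.check_hostname)
    print("coupling:", hostname_check_coupling())
```

The server context deliberately leaves check_hostname False, which is the policy the text describes; the client context sets both attributes, and the coupling function shows why a client cannot end up with hostname checking enabled but certificate validation switched off.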
CERT_OPTIONAL:
- When ssl.CERT_OPTIONAL is set on the server side, it is optional for the client to send its X.509 certificate to the server. If the client does supply a certificate, it is validated. If the client sends no certificate, the server raises no SSLError and the communication between the two hosts still continues.
- When ssl.CERT_OPTIONAL is assigned to the verify_mode attribute of a client-side SSLContext, it is the same as specifying ssl.CERT_REQUIRED: the client will ask for the server certificate to be sent.
CERT_NONE:
- When specified on the server side, the server does not request any X.509 certificate from the client.
- When specified on the client side, the client accepts whatever certificate the server presents without validating it, even an expired X.509 certificate.
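As an added example, not part of the original page, the weak client-side setting just described is shown beside its hardened form, together with a small audit function that reports why a client SSLContext would accept a bad server certificate. All contexts are constructed in memory, so the example runs offline.

```python
import ssl


def insecure_client_context():
    """The weak setting: certificate validation disabled on a client.

    This is the configuration that silences certificate errors and accepts an
    expired, self-signed or wrong-host server certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared first, or CERT_NONE is refused
    ctx.verify_mode = ssl.CERT_NONE  # server certificate is never validated
    return ctx


def hardened_client_context():
    """The corrected setting: validate the server certificate and its hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_default_certs()         # trust anchors from the system store
    return ctx


def audit_client_context(ctx):
    """Return a list of findings explaining why ctx is unsafe for a client.

    An empty list means the context validates both the certificate and the hostname.
    """
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append(
            "verify_mode is CERT_NONE: the server certificate is never validated, "
            "so an expired or forged certificate is accepted"
        )
    if not ctx.check_hostname:
        findings.append(
            "check_hostname is False: a valid certificate issued for a different "
            "host is accepted"
        )
    return findings


def audit_all():
    """Audit both example contexts; returns {name: findings}."""
    return {
        "insecure": audit_client_context(insecure_client_context()),
        "hardened": audit_client_context(hardened_client_context()),
    }


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Because CPython refuses CERT_NONE while check_hostname is True, the insecure context has to disable hostname checking first; the audit therefore reports both weaknesses for it and none for the hardened context. Running the audit over every SSLContext a code base constructs is a cheap way to catch the CERT_NONE shortcut before it ships.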