Adding support for client certificate verification in SSLAdapter (patch included)
= Enhancement = Adding support for client SSL certificate verification to wsgiserver's SSLAdapter
= Reason = SSL support is critical for modern webservers to provide secure services to users. However, there are times when applications running behind the webservers need to determine which clients are actually communicating them. While HTTP basic_auth can provide authentication, SSL provides another means to verify client identity: client certification verification.
Similar to the server providing its SSL certificate, when client verification is in use, clients must provide a certificate signed by a CA that the server recognizes in order for the client to be allowed to connect.
= Changes = This patch adds another optional keyword argument to the SSLAdapter init() called ''client_CA''. ''client_CA'' is a string that contains a path to a CA certificate. When client_CA is present, the SSLAdapter knows to perform client verification using this CA. When absent, SSLAdapter behaves as before, ie with no client verification.
= Bugs/Issues = While verification is performed correctly for both the ssl_pyopenssl SSLAdapter and the ssl_builtin SSLAdapter, the different implementations provide varying levels of support for SSL client environment variables that are traditionally provided by Apache's mod_ssl. See this page for details [http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25 Mod_SSL Environment Variables].
ssl_pyopenssl currently provides '''no''' client environment variables due to the fact that the SSL handshake and thus the access to the client's certificate occurs at first data transfer - well after the environment variables are set by the SSLAdapter wrap() function.
ssl_builtin provides minimal environment variables. The major limiting factor is that python's builtin ssl routines only expose a small amount of information about the certificates, and then only for the client certificate. This problem will be difficult to fix if ssl_builtin must depend solely on python's ssl.
= Patch = See attached Diff
Reported by email@example.com