Re: [tornado] Tornado and SSL client certificates

Ben Darnell

Nov 8, 2012, 9:50:26 AM
to Tornado Mailing List
Not currently.  Tornado doesn't support SSL renegotiation, which would be necessary to request a client certificate after the HTTP request has already been read (and note that support for renegotiation is generally poor, so even if tornado supported it you'd need to test with all the clients you care about).  The best you can do for now is to run the parts that need client certificates on a different IP or port with a separate HTTPServer object.

-Ben


On Tue, Nov 6, 2012 at 4:50 AM, Joshua Downer <joshua...@gmail.com> wrote:
Hi,

I have a situation where I want to use SSL to encrypt traffic through an API, but I also have part of that API where I want to authenticate users using client certificates. I know that I can set up a tornado server to handle client certificates in general, but is it possible to make them URI specific?

-Josh


Andrew Grigorev

Nov 8, 2012, 10:30:46 AM
to python-...@googlegroups.com
I guess he can use cert_reqs=ssl.CERT_OPTIONAL in ssl_options and check client certs in RequestHandlers where it is necessary. Or use nginx and place client certificate information in HTTP headers, which is probably a better solution.

On 08.11.2012 18:50, Ben Darnell wrote:
-- 
Andrew
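
The `CERT_OPTIONAL` approach suggested above, as an added example that is not part of the thread or of Tornado's own code. `make_server_context`, `common_name`, `require_client_cert` and the CN `ops-client` are hypothetical names; only the standard library is imported, and the decorator relies on the handler's `request.get_ssl_certificate()` and `send_error()` methods.

```python
import functools
import ssl


def make_server_context(certfile, keyfile, client_ca):
    """TLS context that asks for a client certificate but does not require one."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.load_verify_locations(client_ca)  # CA that signs the client certificates
    # A certificate that is presented is still verified against client_ca;
    # a client that presents none completes the handshake anyway.
    ctx.verify_mode = ssl.CERT_OPTIONAL
    return ctx


def common_name(cert):
    """Return the subject commonName from a getpeercert()-style dict, or None."""
    for rdn in (cert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def require_client_cert(allowed_cns):
    """Decorator for handler methods on the URIs that need a client certificate."""
    def decorator(method):
        @functools.wraps(method)
        def wrapper(self, *args, **kwargs):
            # None: no certificate was sent (or no TLS); {}: not validated.
            cert = self.request.get_ssl_certificate()
            if not cert or common_name(cert) not in allowed_cns:
                self.send_error(403)
                return None
            return method(self, *args, **kwargs)
        return wrapper
    return decorator


# Wiring in a Tornado application (shown as comments, not executed here):
#   class AdminHandler(tornado.web.RequestHandler):
#       @require_client_cert({"ops-client"})   # constructed CN
#       def get(self):
#           self.write("ok")
#   tornado.httpserver.HTTPServer(app, ssl_options=make_server_context(...))
```

Handlers without the decorator stay reachable by clients that present no certificate, so every method on a protected URI needs the check.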

Joshua Downer

Nov 15, 2012, 9:00:52 AM
to python-...@googlegroups.com
Thanks for the help!