Add server config option controlling certificate client auth

This change adds a server configuration option to control the enforcement of TLS certificate client authentication. Before, client TLS certificates had to include the extended key usage extension with the clientAuth bit set to be used as sources of client identity. The new configuration option, enable_tls_client_auth, allows server admins to enable/disable this requirement. The configuration setting is optional and the server defaults to the original enforcing behavior if it is not set. Admins must explicitly set the option to False to disable enforcement.
2025-12-22 19:23:27 +00:00 · 2017-09-05 14:55:49 -04:00
parent 2915bf5f11
commit 4c6bbae452
6 changed files with 158 additions and 41 deletions
--- a/kmip/tests/unit/services/server/test_server.py
+++ b/kmip/tests/unit/services/server/test_server.py
@@ -119,7 +119,8 @@ class TestKmipServer(testtools.TestCase):
            '/etc/pykmip/certs/server.key',
            '/etc/pykmip/certs/ca.crt',
            'Basic',
-            '/etc/pykmip/policies'
+            '/etc/pykmip/policies',
+            False
        )

        s.config.load_settings.assert_called_with('/etc/pykmip/server.conf')
@@ -142,6 +143,10 @@ class TestKmipServer(testtools.TestCase):
            'policy_path',
            '/etc/pykmip/policies'
        )
+        s.config.set_setting.assert_any_call(
+            'enable_tls_client_auth',
+            False
+        )

        # Test that an attempt is made to instantiate the TLS 1.2 auth suite
        s = server.KmipServer(