Get client certificate properties #3435

Closed
nandu8201 opened this issue Dec 7, 2018 · 6 comments
Labels
needs-info Issue is lacking sufficient information and will be closed if not provided Stale


@nandu8201

Long story short

I am running an aiohttp server using the web application module. To perform mutual TLS, I need to authenticate and verify the client certificates along with a few properties (client id) inside the certificate. I am unable to retrieve the client's certificate through the request. They seem not to be present in the request object, nor is there a client object I can pull these details from. The following is an example of how this can be done in Flask.
https://www.ajg.id.au/2018/01/01/mutual-tls-with-python-flask-and-werkzeug/

Is there a mechanism to do the same with aiohttp?

Expected behaviour

Ability to pull client certificate details on the server side.

Actual behaviour

Currently there are no client certificate details in the request

Steps to reproduce

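```python
import ssl
from aiohttp import web

@web.middleware
async def middleware(request, handler):
    # Placeholder middleware: pass the request through unchanged
    return await handler(request)

cert = "cert.pem"
key = "key.pem"
app = web.Application(middlewares=[middleware])
# Server-side TLS context loaded with the server's own certificate and key
ssl_context = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH)
ssl_context.load_cert_chain(certfile=cert, keyfile=key)
web.run_app(app, port=443, ssl_context=ssl_context)
```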

@aio-libs-bot

GitMate.io thinks the contributor most likely able to help you is @asvetlov.

Possibly related issues are #2547 (Drop deprecated request.GET property), #1309 (Client Tracing), #2849 (Getting Connection closed with aiohttp client), #2865 (Improve client timeouts), and #1661 (Client exceptions refactoring).

@asvetlov
Member

asvetlov commented Dec 7, 2018

Use request.transport for getting an asyncio transport used for serving the request.
The SSL transport has useful extra info like peercert and ssl_object: https://docs.python.org/3/library/asyncio-protocol.html?highlight=peercert#asyncio.BaseTransport.get_extra_info

E.g., request.transport.get_extra_info("peercert") gives you a certificate.
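
An added example (not part of the original comment and not aiohttp's own code) of turning the `peercert` value into usable properties and an allow-list check. The names `server_context`, `cert_properties`, `authorize`, `fake_request` and `SAMPLE_PEERCERT` are hypothetical, the sample certificate dict is constructed, and the stand-in request only mimics `request.transport.get_extra_info`.

```python
import ssl
from types import SimpleNamespace

def server_context(cert, key, ca_file):
    """Hypothetical helper: context that demands a client cert signed by ca_file."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    # CLIENT_AUTH contexts default to CERT_NONE (no certificate is requested);
    # CERT_OPTIONAL requests one but still accepts clients that send none.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_cert_chain(cert, key)
    return ctx

def cert_properties(peercert):
    """Flatten the dict returned by transport.get_extra_info("peercert")."""
    if not peercert:  # None: no certificate sent; {}: certificate not validated
        return None
    subject = {}
    for rdn in peercert.get("subject", ()):
        for name, value in rdn:
            subject.setdefault(name, value)  # keep first value of a repeated attribute
    return {
        "common_name": subject.get("commonName"),
        "organization": subject.get("organizationName"),
        "alt_names": [value for _kind, value in peercert.get("subjectAltName", ())],
        "serial": peercert.get("serialNumber"),
    }

def authorize(request, allowed_ids):
    """True only when a verified client certificate's CN is in allowed_ids."""
    transport = request.transport  # None once the connection has been dropped
    if transport is None:
        return False
    props = cert_properties(transport.get_extra_info("peercert"))
    return props is not None and props["common_name"] in allowed_ids

# Constructed sample in the format ssl.SSLSocket.getpeercert() returns.
SAMPLE_PEERCERT = {
    "subject": ((("organizationName", "Example Org"),), (("commonName", "client-42"),)),
    "issuer": ((("commonName", "Example Test CA"),),),
    "serialNumber": "0A1B2C",
    "subjectAltName": (("DNS", "client-42.example.test"),),
}

def fake_request(peercert):
    """Stand-in for an aiohttp request so the example runs without a TLS connection."""
    get = lambda name: peercert if name == "peercert" else None
    return SimpleNamespace(transport=SimpleNamespace(get_extra_info=get))

if __name__ == "__main__":
    print(authorize(fake_request(SAMPLE_PEERCERT), {"client-42"}))
    print(authorize(fake_request(None), {"client-42"}))
```

In an aiohttp handler or middleware, `authorize` would be called with the real `request` object in place of the stand-in.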

@nandu8201
Author

That is not working. Here is an example of both the server and the client.

server.py

```python
from aiohttp import web
import ssl

async def handle(request):
    name = request.match_info.get('name', "Anonymous")
    peercert = request.transport.get_extra_info("peercert")
    print(peercert)
    text = "Hello, " + name
    return web.Response(text=text)

app = web.Application()
app.router.add_get('/', handle)
app.router.add_get('/{name}', handle)

cert = 'some.crt'
key = 'some.key'
ca_cert = 'myCA.pem'

ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_cert)
ssl_context.verify_mode = ssl.CERT_OPTIONAL
ssl_context.load_cert_chain(cert, key)
web.run_app(app, ssl_context=ssl_context, port=8443)
```

client.py

```python
import requests
cert = 'some.crt'

r = requests.get("https://<HOST_NAME>:8443", verify=cert)
print(r.text)
```

@asvetlov
Member

Could you please save my time and describe what doesn't work?

@J4nsen

J4nsen commented Feb 14, 2019

Works in my use case, which is retrieving a client's certificate (TLS mutual auth).

@tallgaijin

tallgaijin commented Aug 28, 2020

Should this work on the client side to get the server's SSL certificate details also?

EDIT: figured it out. response.connection.transport.get_extra_info("peercert") works.

@Dreamsorcerer Dreamsorcerer added the needs-info Issue is lacking sufficient information and will be closed if not provided label Aug 10, 2024
@github-actions github-actions bot added the Stale label Sep 10, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Sep 20, 2024