5.5.19.2. ServerCertificateVerifier methods

MethodDescription
__init__(self, ca_directory, crl_directory, trusted_certs_directory, trusted, verify_depth, verify_ca_directory, verify_crl_directory, permit_invalid_certificates, permit_missing_crl, check_subject) Constructor to initialize a ServerCertificateVerifier instance.

Table 5.52. Method summary

Method __init__(self, ca_directory, crl_directory, trusted_certs_directory, trusted, verify_depth, verify_ca_directory, verify_crl_directory, permit_invalid_certificates, permit_missing_crl, check_subject)

This constructor defines a ServerCertificateVerifier with the specified parameters.

Arguments of __init__
ca_directory (string)
Default: ""
Directory where the trusted CA certificates are stored. Note that when handling an SSL or TLS connection and the ca_directory parameter is set, Zorp loads every certificate available in this directory, and this might require a huge amount of memory. If the verify_type parameter is set to verify peer certificates, Zorp sends the subject names of CA certificates stored in this directory to the peer to request a certificate from these CAs. Unless you are authenticating the peers based on their certificates, use the verify_ca_directory option instead. Use of ca_directory option is deprecated.

check_subject (boolean)
Default: TRUE
If the check_subject parameter is TRUE, Zorp compares the Subject of the server-side certificate with application-layer information (for example, it checks whether the Subject matches the hostname in the URL). For details, see Section 3.2.5, Certificate verification options.

crl_directory (string)
Default: ""
Directory where the CRLs associated with the trusted CAs are stored. Note that when handling an SSL or TLS connection and the crl_directory parameter is set, Zorp loads every CRL available in this directory, and this might require a huge amount of memory. Unless you are authenticating the peers based on their certificates, use the verify_crl_directory option instead. Use of crl_directory option is deprecated.

permit_invalid_certificates (boolean)
Default: FALSE
When permit_invalid_certificates is TRUE and trusted is FALSE, Zorp accepts even invalid certificates, for example, expired or self-signed certificates.

permit_missing_crl (boolean)
Default: FALSE
This option has effect only if the verify_crl_directory parameter is set. If Zorp does not find a CRL in these directories that matches the CAs in the certificate chain and permit_missing_crl is set to FALSE, Zorp rejects the certificate. Otherwise, the certificate is accepted even if no matching CRL is found.

Available only in Zorp version 3.4.3 and later.

trusted (boolean)
Default: TRUE
If the peer shows a certificate and the trusted parameter is TRUE, only certificates signed by a trusted CA are accepted.

trusted_certs_directory (string)
Default: ""
A directory where trusted IP address - certificate assignments are stored. When a peer from a specific IP address shows the certificate stored in this directory, it is accepted regardless of its expiration or issuer CA. Each file in the directory should contain a certificate in PEM format. The filename must bethe IP address.

verify_ca_directory (string)
Default: ""
Directory where the trusted CA certificates are stored. CA certificates are loaded on-demand from this directory when Zorp verifies the certificate of the peer.

Available only in Zorp version 3.4.3 and later.

verify_crl_directory (string)
Default: ""
Directory where the CRLs (Certificate Revocation Lists) associated with trusted CAs are stored. CRLs are loaded on-demand from this directory when Zorp verifies the certificate of the peer.

Available only in Zorp version 3.4.3 and later.

verify_depth (integer)
Default: 4
The length of the longest accepted CA verification chain. Zorp will automatically reject longer CA chains.

Previous Up Next
 Home