Skip to content

Commit ea0b73f

Browse files
committed
PEP 748: certificate_chain is mandatory server-side
TLS 1.3 and secure TLS 1.2 both require a certificate and private key server-side. Making the parameter mandatory makes it explicit that one is required. It still is optional client-side.
1 parent 6e61445 commit ea0b73f

1 file changed

Lines changed: 12 additions & 2 deletions

File tree

peps/pep-0748.rst

Lines changed: 12 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -316,6 +316,11 @@ A ``trust_store`` is mandatory and is used to validate the server certificates.
316316
It uses the system's trust store by default. Insecure connections are only
317317
possible via the :ref:`insecure` module.
318318

319+
When ``certificate_chain`` is set, it is a single signing chain comprising a
320+
leaf client certificate including its corresponding private key and optionally a
321+
list of intermediate certificates. These certificates will be offered to the
322+
server during the handshake if required.
323+
319324
Server Configuration
320325
^^^^^^^^^^^^^^^^^^^^
321326

@@ -335,7 +340,7 @@ The ``TLSServerConfiguration`` class would be defined by the following code:
335340
336341
def __init__(
337342
self,
338-
certificate_chain: Sequence[SigningChain] | None = None,
343+
certificate_chain: Sequence[SigningChain],
339344
ciphers: Sequence[CipherSuite] | None = None,
340345
inner_protocols: Sequence[NextProtocol | bytes] | None = None,
341346
lowest_supported_version: TLSVersion | None = None,
@@ -353,7 +358,7 @@ The ``TLSServerConfiguration`` class would be defined by the following code:
353358
self._trust_store = trust_store
354359
355360
@property
356-
def certificate_chain(self) -> Sequence[SigningChain] | None:
361+
def certificate_chain(self) -> Sequence[SigningChain]:
357362
return self._certificate_chain
358363
359364
@property
@@ -376,6 +381,11 @@ The ``TLSServerConfiguration`` class would be defined by the following code:
376381
def trust_store(self) -> TrustStore | None:
377382
return self._trust_store
378383
384+
Server authentication is mandatory, at least one signing chain comprising a leaf
385+
server certificate including its corresponding private key and optionally a list
386+
of intermediate certificates. It is possible to set more than a single signing
387+
chain to support multiple virtual hosts.
388+
379389
A ``trust_store`` is optional. Setting one enables client authentication and
380390
uses the trust store to validate the client certificates. Leaving it ``None``
381391
disables client authentication.

0 commit comments

Comments
 (0)