python-trio · njsmith · Jan 14, 2019 · Dec 30, 2018 · Dec 30, 2018 · Dec 30, 2018
diff --git a/.gitignore b/.gitignore
@@ -63,3 +63,6 @@ coverage.xml
 
 # Sphinx documentation
 doc/_build/
+
+# pyenv
+.python-version
diff --git a/docs/source/trustme-trio-example.py b/docs/source/trustme-trio-example.py
@@ -6,6 +6,7 @@
 # Create our fake certificates
 ca = trustme.CA()
 server_cert = ca.issue_cert(u"test-host.example.org")
+client_cert = ca.issue_cert(u"client@example.org")
 
 
 async def demo_server(server_raw_stream):
@@ -15,6 +16,13 @@ async def demo_server(server_raw_stream):
     # Set up the server's SSLContext to use our fake server cert
     server_cert.configure_cert(server_ssl_context)
 
+    # Set up the server's SSLContext to trust our fake CA, that signed
+    # our client cert, so that it can validate client's cert.
+    ca.configure_trust(server_ssl_context)
+
+    # Verify that client sent us their TLS cert signed by a trusted CA
+    server_ssl_context.verify_mode = trio.ssl.CERT_REQUIRED
+
     server_ssl_stream = trio.ssl.SSLStream(
         server_raw_stream,
         server_ssl_context,
@@ -23,15 +31,20 @@ async def demo_server(server_raw_stream):
 
     # Send some data to check that the connection is really working
     await server_ssl_stream.send_all(b"x")
+    print("Server successfully sent data over the encrypted channel!")
+    print("Client cert looks like:", server_ssl_stream.getpeercert())
 
 
 async def demo_client(client_raw_stream):
     client_ssl_context = trio.ssl.create_default_context()
 
-    # Set up the client's SSLContext to trust our fake CA, that signed our
-    # server cert
+    # Set up the client's SSLContext to trust our fake CA, that signed
+    # our server cert, so that it can validate server's cert.
     ca.configure_trust(client_ssl_context)
 
+    # Set up the client's SSLContext to use our fake client cert
+    client_cert.configure_cert(client_ssl_context)
+
     client_ssl_stream = trio.ssl.SSLStream(
         client_raw_stream,
         client_ssl_context,
@@ -42,7 +55,7 @@ async def demo_client(client_raw_stream):
 
     assert await client_ssl_stream.receive_some(1) == b"x"
     print("Client successfully received data over the encrypted channel!")
-    print("Cert looks like:", client_ssl_stream.getpeercert())
+    print("Server cert looks like:", client_ssl_stream.getpeercert())
 
 
 async def main():