Signed client certificate not accepted by websocket server [migrated]

Want to set up authentication in a python websocket server which builds up its ssl context like:

ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER) ctx.load_cert_chain('certificates/server_cert.pem', 'certificates/server_key.pem') ctx.verify_mode = ssl.CERT_REQUIRED ctx.load_verify_locations('certificates/bob_cert.pem') 

Following the example in here (only for the creation of certificates) I created three keypairs and certificates, one for the websocket server and two client certs. As stated in the example I signed alice’s cert with the server cert and bob’s cert is self-signed.

If I now connect via bob’s cert and set verify_locations in the server as above, bob magically gets into the server (which doesn’t do more then echo back what you sent). But if I connect via alice’s cert (signed by server cert) I do not get accepted – getting a ConnectionResetError, the parameter verify_locations in the above code is then of course set to accept alice_cert.pem. For completion, below you find the code for ssl context creation of the client side (here for bob):

ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) ctx.check_hostname = True ctx.load_verify_locations('certificates/server_cert.pem') ctx.verify_mode = ssl.CERT_REQUIRED ctx.load_cert_chain('certificates/bob_cert.pem', 'certificates/bob_key.pem') 

What am I doing wrong or where did I misunderstand the tutorial I followed (link above), how can the unrelated (to the server cert) self-signed certificate used by bob (ISSUER CN=bob, SUBJ CN=bob) get access whereas alice cert which is signed by the server cert (ISSUER CN=localhost, SUBJ CN=alice) does get rejected?