| Path | csiph.com!usenet.pasdenom.info!aioe.org!news.stack.nl!newsfeed.xs4all.nl!newsfeed6.news.xs4all.nl!xs4all!post.news.xs4all.nl!not-for-mail |
|---|---|
| To | python-list@python.org |
| From | Dieter Maurer <dieter@handshake.de> |
| Subject | Re: SSLSocket.getpeercert() doesn't return issuer, serial number, etc |
| Date | Thu, 16 Aug 2012 07:24:50 +0200 |
| References | <CAGv_rMieX1hTzxuKXixC=2hm0es3VR-3tgNpGQTUgU42uk2+fw@mail.gmail.com> |
| Newsgroups | comp.lang.python |
| Message-ID | <mailman.3343.1345094704.4697.python-list@python.org> (permalink) |
Gustavo Baratto <gbaratto@gmail.com> writes:

> SSL.Socket.getpeercert() doesn't return essential information present in the
> client certificate (issuer, serial number, not before, etc), and it looks like it
> is by design:
>
> > http://docs.python.org/library/ssl.html#ssl.SSLSocket.getpeercert
> > http://hg.python.org/cpython/file/b878df1d23b1/Modules/_ssl.c#l866
>
> By deliberately removing all that information, further
> verification/manipulation of the cert becomes impossible.
>
> Revocation lists, OCSP, and any other extra layers of certificate checking
> cannot be done properly without all the information in the cert being
> available.

I agree with you that the information should not be discarded.

> Is there any way around this? There should be at least a flag for folks that
> need all the information in the certificate.

You could use the parameter "binary_form=True". In this case,
you get the DER-encoded certificate and can analyse it with (e.g.) "openssl".
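An added example, not part of the original post or the poster's code: a small pure-Python DER walker that pulls the serial number, issuer and validity dates out of the bytes that `getpeercert(binary_form=True)` returns. `SAMPLE_DER` is a constructed, truncated certificate fragment and the function names are hypothetical; the code only parses and verifies nothing.

```python
# Added example. SAMPLE_DER is constructed for illustration: a truncated
# certificate holding only version, serial, signature alg, issuer, validity.
SAMPLE_DER = (bytes.fromhex(
    "304e304c"                          # Certificate, TBSCertificate
    "a003020102"                        # [0] EXPLICIT version = v3
    "02021234"                          # serialNumber = 0x1234
    "300d06092a864886f70d01010b0500"    # sha256WithRSAEncryption
    "30123110300e06035504030c07") + b"Test CA"   # issuer: one CN attribute
    + bytes.fromhex("301e170d") + b"120816000000Z"   # notBefore (UTCTime)
    + bytes.fromhex("170d") + b"130816000000Z")      # notAfter (UTCTime)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                   # long form: low bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def cert_fields(der):
    """Extract serial, issuer strings and validity from a DER certificate."""
    tag, cert, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs = children(children(cert)[0][1])
    if tbs and tbs[0][0] == 0xA0:       # optional version field
        tbs = tbs[1:]
    serial, _sigalg, issuer, validity = tbs[:4]
    # issuer is SEQUENCE of SET of SEQUENCE { OID, string }; keep the strings
    names = [children(atv)[1][1].decode("utf-8", "replace")
             for _, rdn in children(issuer[1]) for _, atv in children(rdn)]
    not_before, not_after = (v.decode("ascii") for _, v in children(validity[1]))
    return {"serial": int.from_bytes(serial[1], "big"), "issuer": names,
            "not_before": not_before, "not_after": not_after}
```

On a live connection, pass the result of `sock.getpeercert(binary_form=True)` to `cert_fields()`; for revocation or OCSP checks, feed the same DER bytes to a full X.509 library or to `openssl x509 -inform DER`.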