From: Dieter Maurer
Subject: Re: SSLSocket.getpeercert() doesn't return issuer, serial number, etc
Date: Thu, 16 Aug 2012 07:24:50 +0200
Newsgroups: comp.lang.python
To: python-list@python.org

Gustavo Baratto writes:

> SSL.Socket.getpeercert() doesn't return essential information present in the
> client certificate (issuer, serial number, not before, etc), and it looks like
> it is by design:
>
> http://docs.python.org/library/ssl.html#ssl.SSLSocket.getpeercert
> http://hg.python.org/cpython/file/b878df1d23b1/Modules/_ssl.c#l866
>
> By deliberately removing all that information, further
> verification/manipulation of the cert becomes impossible.
>
> Revocation lists, OCSP, and any other extra layers of certificate checking
> cannot be done properly without all the information in the cert being
> available.

I agree with you that the information should not be discarded.

> Is there any way around this? There should be at least a flag for folks that
> need all the information in the certificate.

You could use the parameter "binary_form=True". In this case, you get the
DER-encoded certificate and can analyse it with (e.g.) "openssl".
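As an added example (not from the thread, and not the stdlib's own code): a standard-library-only walker over the DER bytes that getpeercert(binary_form=True) returns, pulling out the serial number and issuer CN that the dict form drops. The certificate it parses is a constructed, unsigned skeleton built in-code so the example runs offline; der(), der_tlv(), der_children(), peer_cert_fields() and build_sample_cert() are names chosen here.

```python
CN_OID = bytes.fromhex("550403")             # id-at-commonName, OID 2.5.4.3

def der(tag, value):
    """Encode one DER TLV, using the long-form length when value >= 128 bytes."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def der_tlv(buf, pos=0):
    """Decode the DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: 0x8n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for every TLV inside a SEQUENCE or SET body."""
    pos = 0
    while pos < len(value):
        tag, child, pos = der_tlv(value, pos)
        yield tag, child

def peer_cert_fields(der_cert):
    """Return serial number and issuer CN from a DER Certificate (RFC 5280 layout)."""
    _, cert, _ = der_tlv(der_cert)           # Certificate ::= SEQUENCE
    _, tbs = next(der_children(cert))        # tbsCertificate ::= SEQUENCE (first child)
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                 # skip optional [0] EXPLICIT version
        fields.pop(0)
    serial = int.from_bytes(fields[0][1], "big", signed=True)   # serialNumber INTEGER
    issuer_cn = None                         # fields[1] is the signature AlgorithmIdentifier
    for _, rdn in der_children(fields[2][1]):        # issuer Name ::= SEQUENCE OF SET
        for _, atv in der_children(rdn):             # AttributeTypeAndValue ::= SEQUENCE
            (_, oid), (_, val) = der_children(atv)   # type OID, then the value string
            if oid == CN_OID:
                issuer_cn = val.decode()
    return {"serial": serial, "issuer_cn": issuer_cn}

def build_sample_cert(serial, issuer_cn):
    """Constructed, unsigned certificate skeleton (sample input, not a real cert)."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, CN_OID) + der(0x0C, issuer_cn.encode()))))
    alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))  # sha256WithRSA
    validity = der(0x30, der(0x17, b"120816000000Z") + der(0x17, b"130816000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00" * 257))   # placeholder key; forces long-form lengths
    serial_der = der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))  # minimal, positive
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + serial_der + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00"))
```

The same peer_cert_fields() call works on the bytes a real SSLSocket hands back with binary_form=True; for anything beyond these two fields (extensions, CRL distribution points) hand the bytes to openssl or a full X.509 parser instead.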