| Started by | Dieter Maurer <dieter@handshake.de> |
|---|---|
| First post | 2012-08-16 07:24 +0200 |
| Last post | 2012-08-16 07:24 +0200 |
| Articles | 1 — 1 participant |
This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by
below is the oldest one visible, not the original post.
Re: SSLSocket.getpeercert() doesn't return issuer, serial number, etc Dieter Maurer <dieter@handshake.de> - 2012-08-16 07:24 +0200
| From | Dieter Maurer <dieter@handshake.de> |
|---|---|
| Date | 2012-08-16 07:24 +0200 |
| Subject | Re: SSLSocket.getpeercert() doesn't return issuer, serial number, etc |
| Message-ID | <mailman.3343.1345094704.4697.python-list@python.org> |
Gustavo Baratto <gbaratto@gmail.com> writes:

> SSL.Socket.getpeercert() doesn't return essential information present in the
> client certificate (issuer, serial number, not before, etc), and it looks like it
> is by design:
>
> http://docs.python.org/library/ssl.html#ssl.SSLSocket.getpeercert
> http://hg.python.org/cpython/file/b878df1d23b1/Modules/_ssl.c#l866
>
> By deliberately removing all that information, further
> verification/manipulation of the cert becomes impossible.
>
> Revocation lists, OCSP, and any other extra layers of certificate checking
> cannot be done properly without all the information in the cert being
> available.

I agree with you that the information should not be discarded.

> Is there any way around this? There should be at least a flag for folks that
> need all the information in the certificate.

You could use the parameter "binary_form=True". In this case, you get
the DER-encoded certificate and can analyse it with (e.g.) "openssl".
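As an added example (not part of the original post or of the Python standard library): a minimal DER walk in Python that reads the serial number, issuer and validity dates from the bytes returned by getpeercert(binary_form=True). The helper names and the sample bytes are constructed for illustration; the code only reads fields and does not verify the signature or the chain.

```python
# Added example; helper names are hypothetical, SAMPLE is constructed test data.
ATTR = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O"}

def tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a SEQUENCE/SET into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def cert_fields(der):
    """Extract serial, issuer and validity from a DER X.509 certificate."""
    tag, cert, _ = tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs = children(children(cert)[0][1])   # first element is tbsCertificate
    if tbs[0][0] == 0xA0:                  # optional explicit [0] version
        tbs = tbs[1:]
    serial, _sigalg, issuer, validity = tbs[:4]
    name = []
    for _, rdn in children(issuer[1]):     # Name -> RDN (SET) -> attribute
        for _, atv in children(rdn):
            (_, oid), (_, val) = children(atv)[:2]
            name.append((ATTR.get(oid, oid.hex()), val.decode("utf-8", "replace")))
    not_before, not_after = (v.decode("ascii") for _, v in children(validity[1])[:2])
    return {"serial": int.from_bytes(serial[1], "big", signed=True),
            "issuer": name, "not_before": not_before, "not_after": not_after}

def peer_cert_fields(sslsock):
    """Parse the peer certificate of a connected ssl.SSLSocket, if any."""
    der = sslsock.getpeercert(binary_form=True)   # None if no cert was sent
    return cert_fields(der) if der is not None else None

# Constructed, unsigned sample: version, serial 0x1234, sigalg, issuer, validity.
SAMPLE = bytes.fromhex(
    "3051304fa00302010202021234300d06092a864886f70d01010b0500"
    "30153113301106035504030c0a4578616d706c65204341"   # issuer CN=Example CA
    "301e170d3132303130313030303030305a170d3133303130313030303030305a")
```

The validity values are returned as the raw UTCTime strings from the certificate, so revocation or expiry logic built on them still has to parse and compare them explicitly.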