[Python-ideas] Expose reasons for SSL/TLS cert verification failures
Christian Heimes
christian at python.org
Fri Sep 9 13:16:13 EDT 2016
On 2016-09-09 12:23, Chi Hsuan Yen wrote:
> Hi Python enthusiasts,
>
> Currently _ssl.c always reports CERTIFICATE_VERIFY_FAILED for any
> certification verification errors. In OpenSSL, it's possible to tell
> from different reasons that lead to CERTIFICATE_VERIFY_FAILED. For
> example, https://expired.badssl.com/ reports
> X509_V_ERR_CERT_HAS_EXPIRED, and https://self-signed.badssl.com/ reports
> X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. Seems CPython does not expose
> such information yet? I hope it can be added to CPython. For example,
> creating a new exception class SSLCertificateError, which is a subclass
> of SSLError, that provides error codes like
> X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. Any ideas?
>
> The attachment is a naive try to printf some information about a
> verification failure. It's just a proof-of-concept and does not provide
> any practical advantage :)
I'm planning to add a proper validation hook to 3.7. I haven't had time
to design and implement it for 3.6.
Christian
More information about the Python-ideas
mailing list