SSLSocket.getpeercert() doesn't return issuer, serial number, etc
Dieter Maurer
dieter at handshake.de
Thu Aug 16 01:24:50 EDT 2012
Gustavo Baratto <gbaratto at gmail.com> writes:
> SSL.Socket.getpeercert() doesn't return essential information present in the
> client certificate (issuer, serial number, not before, etc), and it looks it
> is by design:
>
>
>
> http://docs.python.org/library/ssl.html#ssl.SSLSocket.getpeercert
>
> http://hg.python.org/cpython/file/b878df1d23b1/Modules/_ssl.c#l866
>
>
>
> By deliberately removing all that information, further
> verification/manipulation of the cert becomes impossible.
>
> Revocation lists, OCSP, and any other extra layers of certificate checking
> cannot be done properly without all the information in the cert being
> available.
I agree with you that the information should not be discarded.
> Is there anyway around this? There should be at least a flag for folks that
> need all the information in the certificate.
You could use the parameter "binary_form=True".
In this case, you get the DER-encoded certificate and can analyse
it with (e.g.) "openssl".
More information about the Python-list
mailing list