[issue18233] SSLSocket.getpeercertchain()

Christian Heimes report at bugs.python.org
Sun Jul 21 01:42:20 CEST 2013


Christian Heimes added the comment:

From Rietveld review:

---
http://bugs.python.org/review/18233/diff/8422/Modules/_ssl.c#newcode1203
Modules/_ssl.c:1203: chain = X509_STORE_CTX_get1_chain(store_ctx);
This isn't appropriate for this method. Specifically, you are asking for
the peer cert chain, which purposefully does not include root CA certs
that you trust. What you are giving here is a complete validated chain from
a peer cert to a trusted root. This is a valuable piece of information,
but should be returned via another method (perhaps exposed in python as
get1chain in SSLContext). But this method should always return the
result of SSL_get_peer_cert_chain if a peer cert chain is available.
---

You are making a good point. I'm either going to split it up into two functions or provide a way to look up a cert by issuer.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue18233>
_______________________________________
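As an added illustration of the distinction the review draws (this is not code from the patch, from Modules/_ssl.c, or from CPython): a small Python model of what the two OpenSSL calls return. `SSL_get_peer_cert_chain()` hands back the certificates exactly as the peer sent them, unvalidated and without a local root; `X509_STORE_CTX_get1_chain()` hands back the path the verifier built, by issuer lookup, from the leaf to a trusted self-signed root, which may pull in certificates the peer never sent and drop ones it did. The `Cert` class, `peer_cert_chain`, `verified_chain`, `verifies` and the sample certificates are hypothetical names invented for the example; the model tracks only subject and issuer names and checks no signatures, validity periods or key usage, and the trusted-store-first lookup order is an assumption of the model, so it shows what each API returns rather than how OpenSSL actually verifies.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate (hypothetical, for this example).

    Only the two fields that chain building needs are modelled. There are
    no keys and no signatures: nothing here is cryptographically verified.
    """
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


class ChainError(Exception):
    """Raised when no path from the leaf to a trusted root can be built."""


def peer_cert_chain(sent: list[Cert]) -> list[Cert]:
    """Model of SSL_get_peer_cert_chain(): the certificates as the peer
    presented them, in the order sent, with no validation applied and no
    locally trusted root added. Empty if the peer sent nothing."""
    return list(sent)


def verified_chain(sent: list[Cert], trust_store: list[Cert],
                   max_depth: int = 8) -> list[Cert]:
    """Model of X509_STORE_CTX_get1_chain() after a successful verify:
    the path from the leaf (sent[0]) to a trusted self-signed root.

    Each certificate's issuer is looked up first in the local trust store,
    then among the extra certificates the peer sent (an assumption of this
    model). Certificates the peer sent that are not on the path are dropped;
    certificates the peer omitted may be supplied from the store.
    """
    if not sent:
        raise ChainError("peer sent no certificate")
    trusted = {c.subject: c for c in trust_store}
    untrusted = {c.subject: c for c in sent[1:]}  # extras sent by the peer
    chain = [sent[0]]
    while not chain[-1].self_signed:
        if len(chain) > max_depth:
            raise ChainError("chain too long")
        issuer_name = chain[-1].issuer
        if issuer_name in trusted:
            chain.append(trusted[issuer_name])
        elif issuer_name in untrusted:
            chain.append(untrusted[issuer_name])
        else:
            raise ChainError(f"no issuer found for {chain[-1].subject!r}")
    # The path must end at a root we actually trust, not merely at any
    # self-signed certificate the peer chose to send.
    if chain[-1].subject not in trusted:
        raise ChainError(f"untrusted root {chain[-1].subject!r}")
    return chain


def verifies(sent: list[Cert], trust_store: list[Cert]) -> bool:
    """True if verified_chain() succeeds for this peer chain and store."""
    try:
        verified_chain(sent, trust_store)
    except ChainError:
        return False
    return True


def subjects(chain: list[Cert]) -> list[str]:
    """Subject names of a chain, for readable comparison."""
    return [c.subject for c in chain]


# Constructed sample hierarchy (hypothetical names, no real certificates).
ROOT = Cert("Root CA", "Root CA")
INTER = Cert("Intermediate CA", "Root CA")
LEAF = Cert("www.example.test", "Intermediate CA")
UNRELATED = Cert("Stale Cross Cert", "Old Root")   # junk the peer also sent
OTHER_ROOT = Cert("Other Root", "Other Root")      # a root we trust, but wrong


if __name__ == "__main__":
    # Peer sends leaf, intermediate and an unrelated certificate.
    sent = [LEAF, INTER, UNRELATED]
    print("peer chain:    ", subjects(peer_cert_chain(sent)))
    print("verified chain:", subjects(verified_chain(sent, [ROOT])))
    # Peer omits the intermediate; the local store supplies it.
    print("verified chain:", subjects(verified_chain([LEAF], [ROOT, INTER])))
    # Peer's chain leads to a root we do not trust.
    print("verifies:      ", verifies([LEAF, INTER], [OTHER_ROOT]))
```

The practical consequence for the API design under discussion: the peer chain is what the remote side claims, so it is the right thing to log or hand to a pinning check that wants to see the raw presentation, while only the verified chain says which intermediate and root the connection actually chains to; a method named `getpeercertchain()` that silently returns the latter would hide the unrelated certificate the peer sent and show a root the peer never sent.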

