[issue18293] ssl.wrap_socket (cert_reqs=...), getpeercert, and unvalidated certificates

Christian Heimes report at bugs.python.org
Tue Jun 25 01:30:36 CEST 2013


Christian Heimes added the comment:

I'm setting the version to 3.4 as this is a feature request. 2.7 and 3.3 are in feature freeze mode.

OpenSSL doesn't support our idea out of the box. OpenSSL either verifies the peer's certificate and chain or doesn't verify the peer's certificate and chain. Optional and required verification only make a difference for client side certs. Server side certs are always verified in both modes. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html#NOTES

When you are talking to a server the peer's certificate is always available, even in SSL_VERIFY_NONE mode. The server cert's public key is required to asymmetrically encrypt part of the session key. It's Python's ssl module that doesn't return the cert information in getpeercert() when SSL_CTX_get_verify_mode() doesn't have SSL_VERIFY_PEER. You can still get the DER encoded peer cert with getpeercert(True).

Now for something completely different: Without verification and the correct root cert it's not possible to get the root cert of a peer's chain (see issue #18233). AFAIK SSL doesn't provide the full root cert as part of the peer chain because the other side is supposed to have a copy of the chain root anyway. Different story, though.

----------
versions: +Python 3.4 -Python 2.7, Python 3.3

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue18293>
_______________________________________
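The behaviour described in the second paragraph of the comment (the server cert is always received, but `getpeercert()` only returns the parsed dict when SSL_VERIFY_PEER is set, while `getpeercert(True)` hands back the DER bytes in either mode) can be seen end to end with the following script. It is an added example, not code from the tracker comment or from CPython. It uses the `SSLContext` API rather than the `ssl.wrap_socket` function named in the issue title, assumes the `openssl` command-line tool is on PATH to mint a throw-away self-signed certificate for `localhost`, and runs both sides of the handshake on 127.0.0.1 so it works offline.

```python
"""Added example: what getpeercert() returns with and without certificate verification."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed_cert(directory):
    """Create a throw-away self-signed cert/key pair with the openssl CLI (assumed on PATH)."""
    certfile = os.path.join(directory, "cert.pem")
    keyfile = os.path.join(directory, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=localhost", "-addext", "subjectAltName=DNS:localhost",
         "-keyout", keyfile, "-out", certfile],
        check=True, capture_output=True)
    return certfile, keyfile


def serve_once(certfile, keyfile):
    """Start a one-shot TLS server on 127.0.0.1 in a daemon thread; return its port."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def run():
        conn, _ = listener.accept()
        listener.close()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)  # wait for the client to finish, then close
        except OSError:
            pass  # a failed handshake is reported on the client side

    threading.Thread(target=run, daemon=True).start()
    return port


def peer_cert_views(port, cafile, verify):
    """Handshake with the server and return (getpeercert(), getpeercert(True))."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if verify:
        ctx.verify_mode = ssl.CERT_REQUIRED  # SSL_VERIFY_PEER: chain and hostname are checked
        ctx.load_verify_locations(cafile)    # trust our own self-signed cert as the root
    else:
        ctx.check_hostname = False           # must be cleared before verify_mode can drop
        ctx.verify_mode = ssl.CERT_NONE      # SSL_VERIFY_NONE: cert is received, never checked
    with socket.create_connection(("127.0.0.1", port)) as raw:
        with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            parsed = tls.getpeercert()             # {} unless the cert was validated
            der = tls.getpeercert(binary_form=True)  # raw DER, available in both modes
            tls.sendall(b"x")
    return parsed, der


def demo():
    """Run the unverified and verified handshakes; return both views of the peer cert."""
    with tempfile.TemporaryDirectory() as tmp:
        certfile, keyfile = make_self_signed_cert(tmp)
        unverified = peer_cert_views(serve_once(certfile, keyfile), certfile, verify=False)
        verified = peer_cert_views(serve_once(certfile, keyfile), certfile, verify=True)
    return {"unverified": unverified, "verified": verified}


if __name__ == "__main__":
    r = demo()
    print("CERT_NONE      getpeercert():     ", r["unverified"][0])
    print("CERT_NONE      getpeercert(True): ", len(r["unverified"][1]), "DER bytes")
    print("CERT_REQUIRED  getpeercert():     ", r["verified"][0]["subject"])
```

The DER blob is byte-for-byte the same in both runs; what differs is whether the ssl module is willing to expose its fields. An empty dict from `getpeercert()` is therefore the module telling you that nothing about the peer has been checked, and the bytes from `getpeercert(True)` in CERT_NONE mode are whatever the peer chose to send, so any decision based on them (pinning, logging the subject, access control) has to do its own validation.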

