[issue18233] SSLSocket.getpeercertchain()

Kent Watsen report at bugs.python.org
Thu Jan 30 21:27:10 EST 2020


Kent Watsen <kent+python at watsen.net> added the comment:

It seems that we're talking about the same thing, but I want the cert-chain the peer sent without any smarts, exactly how OpenSSL's SSL_get_peer_cert_chain() works and, importantly, without stapling any root chain certs the client did not send itself (though it's okay if the client did, in which case those certs should be included).

I'm not following your "I pass the chain [A, leaf cert]" comment; if leaf-cert is signed by B, then this should obviously fail.  Maybe you meant to say that A and B are loaded into a bag and that the validation test is [bag, leaf-cert]?

Regardless, I don't think Python should coddle developers.  Assuming the docs are accurate, competent developers with crypto-clue will be fine.  Many crypto library docs encourage tourists to stay away.   That said, if smarts are wanted, let's choose a name that doesn't overlap with the existing OpenSSL name...get_authed_cert_chain() ?

But, please, can a "peer_cert_chain()" wrapping the OpenSSL call be released ASAP, buying time to ponder the merits of smart calls for another day?

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue18233>
_______________________________________
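The distinction argued above (the chain exactly as the peer sent it, versus a chain the verifier builds by pulling issuers from a local bag, possibly stapling a root the peer never sent), as an added toy model that is not part of the tracker thread or of CPython. Certificates are reduced to (subject, issuer) pairs; signatures, validity periods and extensions are deliberately omitted, so this only illustrates the API semantics, not real X.509 path validation.

```python
"""Toy model: 'peer-sent chain' versus 'verifier-built chain'.

Constructed illustration only: a Cert is just (subject, issuer); no
signature checks, validity windows or extensions are modelled.
"""
from typing import NamedTuple, Optional


class Cert(NamedTuple):
    subject: str
    issuer: str  # equal to subject for a self-signed root


def peer_cert_chain(sent: list[Cert]) -> list[Cert]:
    """Mirror SSL_get_peer_cert_chain(): return exactly what the peer sent,
    in the order sent, with no roots stapled on from the local trust bag."""
    return list(sent)


def build_verified_chain(sent: list[Cert], trust_bag: list[Cert]) -> Optional[list[Cert]]:
    """Build leaf -> ... -> trusted cert, taking issuers from the peer-sent
    intermediates and from the local bag. Returns None if no path exists.
    The result may contain certs the peer never sent (e.g. the root)."""
    by_subject: dict[str, Cert] = {}
    for c in sent[1:] + trust_bag:  # intermediates sent by peer, then the bag
        by_subject.setdefault(c.subject, c)
    chain = [sent[0]]
    seen = {sent[0].subject}
    while chain[-1] not in trust_bag:  # stop once we land on a trusted cert
        nxt = by_subject.get(chain[-1].issuer)
        if nxt is None or nxt.subject in seen:  # dangling issuer or a loop
            return None
        seen.add(nxt.subject)
        chain.append(nxt)
    return chain


# Constructed sample PKI: R is a self-signed root; A and B are intermediates
# issued by R; the leaf is issued by B.
R = Cert("R", "R")
A = Cert("A", "R")
B = Cert("B", "R")
LEAF = Cert("leaf", "B")

if __name__ == "__main__":
    print("peer sent     :", peer_cert_chain([LEAF, B]))            # [LEAF, B]
    print("verified, bag=[R]:", build_verified_chain([LEAF, B], [R]))  # [LEAF, B, R]
    print("verified, bag=[A]:", build_verified_chain([LEAF], [A]))     # None: leaf signed by B
    print("verified, bag=[A,B]:", build_verified_chain([LEAF], [A, B]))  # [LEAF, B]
```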