Mailing List Archive: Python: Python

SSLSocket.getpeercert() doesn't return issuer, serial number, etc

gbaratto at gmail

Aug 15, 2012, 6:57 PM

Post #1 of 4

SSLSocket.getpeercert() doesn't return issuer, serial number, etc

Hello there,

SSLSocket.getpeercert() doesn't return essential information present in
the client certificate (issuer, serial number, not before, etc), and it
looks like it is by design:

http://docs.python.org/library/ssl.html#ssl.SSLSocket.getpeercert
http://hg.python.org/cpython/file/b878df1d23b1/Modules/_ssl.c#l866

By deliberately removing all that information, further
verification/manipulation of the cert becomes impossible.
Revocation lists, OCSP, and any other extra layers of certificate checking
cannot be done properly without all the information in the cert being
available.

Is there any way around this? There should be at least a flag for folks who
need all the information in the certificate.

Thanks!
g.


dieter at handshake

Aug 15, 2012, 10:24 PM

Post #2 of 4

Re: SSLSocket.getpeercert() doesn't return issuer, serial number, etc

Gustavo Baratto <gbaratto [at] gmail> writes:

> SSLSocket.getpeercert() doesn't return essential information present in the
> client certificate (issuer, serial number, not before, etc), and it looks
> like it is by design:
>
> http://docs.python.org/library/ssl.html#ssl.SSLSocket.getpeercert
> http://hg.python.org/cpython/file/b878df1d23b1/Modules/_ssl.c#l866
>
> By deliberately removing all that information, further
> verification/manipulation of the cert becomes impossible.
> Revocation lists, OCSP, and any other extra layers of certificate checking
> cannot be done properly without all the information in the cert being
> available.

I agree with you that the information should not be discarded.

> Is there any way around this? There should be at least a flag for folks who
> need all the information in the certificate.

You could use the parameter "binary_form=True".
In this case, you get the DER-encoded certificate and can analyse
it with (e.g.) "openssl".

--
http://mail.python.org/mailman/listinfo/python-list


solipsis at pitrou

Aug 16, 2012, 4:48 AM

Post #3 of 4

Re: SSLSocket.getpeercert() doesn't return issuer, serial number, etc

Hello,

Gustavo Baratto <gbaratto <at> gmail.com> writes:
>
> SSLSocket.getpeercert() doesn't return essential information present in the
> client certificate (issuer, serial number, not before, etc), and it looks
> like it is by design:

It does, in Python 3.2:
http://docs.python.org/py3k/library/ssl.html#client-side-operation

(although the getpeercert() doc should be updated to reflect this)

If some information is still lacking from the returned value, please open an
issue at http://bugs.python.org

Regards

Antoine.


--
Software development and contracting: http://pro.pitrou.net


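The checks the thread says need the issuer, serial number and validity dates, written as an added example (not code from this thread or from the Python project) against the dictionary shape ssl.SSLSocket.getpeercert() returns on Python 3.2+; the certificate values and the revocation entries below are constructed for the example, and the revocation set stands in for whatever a CRL or OCSP lookup would supply.

```python
import ssl

# Constructed sample in the shape getpeercert() returns on Python 3.2+:
# issuer/subject are tuples of RDNs, each RDN a tuple of (attr, value) pairs,
# and the serial number is an uppercase hex string.
SAMPLE_CERT = {
    "subject": ((("commonName", "client.example.test"),),),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example Issuing CA"),)),
    "serialNumber": "0A1B2C3D",
    "notBefore": "Aug 15 00:00:00 2012 GMT",
    "notAfter": "Aug 15 00:00:00 2013 GMT",
    "version": 3,
}


def issuer_key(cert):
    """Flatten the issuer RDN sequence into a hashable tuple of (attr, value)."""
    return tuple(pair for rdn in cert["issuer"] for pair in rdn)


def norm_serial(serial_hex):
    """Canonical form for comparing serials: uppercase, no leading zeros."""
    return serial_hex.upper().lstrip("0") or "0"


def check_peer_cert(cert, revoked, now):
    """Return None if the cert passes, otherwise a short reason string.

    revoked: set of (issuer_key, norm_serial) pairs, e.g. built from a CRL.
    now: seconds since the Epoch, UTC (what ssl.cert_time_to_seconds yields).
    """
    missing = [k for k in ("issuer", "serialNumber", "notBefore", "notAfter")
               if k not in cert]
    if missing:
        # The pre-3.2 dict omitted these fields, so no revocation or validity
        # check is possible; callers should fall back to binary_form=True.
        return "missing fields: " + ", ".join(missing)
    # ssl.cert_time_to_seconds parses the "%b %d %H:%M:%S %Y GMT" format as UTC
    # on Python 3.5+; older releases interpreted it as local time.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    # Revocation is keyed on issuer + serial, which is why the OP needs both.
    if (issuer_key(cert), norm_serial(cert["serialNumber"])) in revoked:
        return "revoked"
    return None
```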


gbaratto at gmail

Aug 17, 2012, 12:12 PM

Post #4 of 4

Re: SSLSocket.getpeercert() doesn't return issuer, serial number, etc

Awesome guys! Thank you very much!

I ended up using "binary_form=True" and using M2Crypto to parse the cert.

Cheers,
g.

