Thanks Jason,

With a more specific error message raised by github latest code [thanks!] the problem became clear.
I suggest to change the documentation of 'optionsForClientTLS' -

ctx = ssl.optionsForClientTLS(hostName, trustRoot=root, clientCertificate=mycert)

ctx = ssl.optionsForClientTLS(commonName, trustRoot=root, clientCertificate=mycert)

That is, what this ctx (the contextFactory) really expects is the server's certificate commonName which often is, but not in my case, the server's hostName.

Interestingly, Python's standard ssl package does not verify this field.

Regards, Enoch.

On 10/26/2017 01:13 AM, Jason Litzinger wrote:
On Wed, Oct 25, 2017 at 08:07:26PM +0000, Enoch W. wrote:
A known bug?
Hello Enoch,
A question, does the server have an intermediate cert that it is using?  
If so, then the problem might be that your trust root needs both the CA 
and intermediate.

I have some https test code I hacked together a while back (neither
reviewed nor heavily tested, but same general idea).

If I omit the intermediate cert I get the same error.


Twisted-Python mailing list