Obtaining SSL certificate info from SSL object - BUG?

John Nagle nagle at animats.com
Tue Oct 24 00:03:02 EDT 2006


     The Python SSL object offers two methods for obtaining
the info from an SSL certificate, "server()" and "issuer()".
The actual values in the certificate are a series of name/value
pairs in ASN.1 binary format.  But what "server()" and "issuer()"
return are strings, with the pairs separated by "/".  The
documentation at "http://docs.python.org/lib/ssl-objects.html"
says "Returns a string containing the ASN.1 distinguished name identifying the 
server's certificate. (See below for an example showing what distinguished names 
look like.)"  There is, however, no "below".

What you actually get back looks like this, which is Google's certificate:

"/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com"

So, no problem; just split on "/", right?

Unfortunately, "/" is a legal character in certificate values.

Worse, this isn't just a theoretical problem. Verisign's issuer
information reads:

"/O=VeriSign Trust Network/OU=VeriSign, Inc./OU=VeriSign International
Server CA - Class 3/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 
VeriSign".

Note that

    "OU=Terms of use at www.verisign.com/rpa (c)00"

with a "/" in the middle of the value field.  So you hit this
problem on every cert issued by Verisign.  Oops.

Nor does there seem to be a way to get at the certificate itself
from within Python. There was some discussion of this in 2002 at

http://groups.google.com/group/comp.lang.python/browse_frm/thread/a91a4e1c0f4e03c4/eec124c606f56c0b?lnk=gst&q=socket+ssl+issuer&rnum=4#eec124c606f56c0b

when someone wrote: "Furthermore, while the server and issuer are exposed
through undocumented attributes, the server_cert is not.  So there is no way to
validate the cert manually, short of rewriting socketmodule.c.  This is one case
where the batteries included have been sitting on the shelf too long."

Clearly, "server()" and "issuer()" should return lists, not strings.  That
would resolve the ambiguity.  ASN.1 is a representation for lists, and
hammering those lists into strings loses information.

Is there a workaround for this?  Without rebuilding Python
and becoming incompatible?

			John Nagle
			Animats
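
As an added illustration of the ambiguity described in the post (this is not code from the post or from the Python standard library), the script below parses the two distinguished-name strings quoted above. The Google and VeriSign strings are copied from the post with their line wraps removed; `naive_split`, `parse_oneline_dn` and `values_for` are names chosen here. The naive parser splits on every "/" and mangles the VeriSign issuer; the second parser only treats a "/" as a separator when it is followed by a `type=` token, which recovers the intended fields for this input but is still a heuristic, since a value that itself contains "/X=" cannot be told apart from a real separator.

```python
import re

# Sample DN strings in OpenSSL "oneline" format, taken from the post
# (line wraps in the mail removed). Labelled here as sample input.
GOOGLE_SUBJECT = "/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com"
VERISIGN_ISSUER = (
    "/O=VeriSign Trust Network"
    "/OU=VeriSign, Inc."
    "/OU=VeriSign International Server CA - Class 3"
    "/OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign"
)


def naive_split(dn):
    """The obvious approach: split on every '/' and then on the first '='.

    Returns a list of (type, value) pairs; a fragment without '=' gets value
    None, which is how the VeriSign string breaks.
    """
    pairs = []
    for field in dn.split("/"):
        if not field:
            continue  # skip the empty fragment before the leading '/'
        key, sep, value = field.partition("=")
        pairs.append((key, value if sep else None))
    return pairs


# Heuristic separator: a '/' that is immediately followed by an attribute
# type (letters, digits, dots, e.g. CN, OU, emailAddress, 2.5.4.3) and '='.
# A '/' followed by "CPS Incorp..." does not match, so it stays in the value.
_SEPARATOR = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")


def parse_oneline_dn(dn):
    """Split only where a new 'type=' token begins.

    Returns a list of (type, value) pairs in certificate order. A list, not a
    dict, because attribute types repeat (three OUs in the VeriSign issuer).
    Residual ambiguity: a value containing a literal '/X=' would still be
    split here; the string format simply does not carry enough information.
    """
    if not dn.startswith("/"):
        raise ValueError("expected an OpenSSL oneline DN starting with '/'")
    pairs = []
    for field in _SEPARATOR.split(dn[1:]):  # drop the leading '/'
        key, _, value = field.partition("=")
        pairs.append((key, value))
    return pairs


def values_for(pairs, attr_type):
    """All values for one attribute type, in order (handles repeated OUs)."""
    return [value for key, value in pairs if key == attr_type]


if __name__ == "__main__":
    for name, dn in (("google", GOOGLE_SUBJECT), ("verisign", VERISIGN_ISSUER)):
        print(name, "naive:   ", naive_split(dn))
        print(name, "heuristic:", parse_oneline_dn(dn))
```

Running it shows the naive parser turning the VeriSign issuer into five fragments, the last of which ("CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign") has no attribute type at all, while the heuristic parser yields four fields with the slash kept inside the third OU. Later versions of the ssl module avoid the problem entirely by returning the subject from getpeercert() as tuples of (type, value) pairs rather than a joined string.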
