SSLSocket.getpeercert() doesn't return issuer, serial number, etc

Dieter Maurer dieter at handshake.de
Thu Aug 16 07:24:50 CEST 2012


Gustavo Baratto <gbaratto at gmail.com> writes:

> SSL.Socket.getpeercert() doesn't return essential information present in the
> client certificate (issuer, serial number, not before, etc), and it looks it
> is by design:
>
>
>
> http://docs.python.org/library/ssl.html#ssl.SSLSocket.getpeercert
>
> http://hg.python.org/cpython/file/b878df1d23b1/Modules/_ssl.c#l866
>
>
>
> By deliberately removing all that information, further
> verification/manipulation of the cert becomes impossible.
>
> Revocation lists, OCSP, and any other extra layers of certificate checking
> cannot be done properly without all the information in the cert being
> available.

I agree with you that the information should not be discarded.

> Is there anyway around this? There should be at least a flag for folks that
> need all the information in the certificate.

You could use the parameter "binary_form=True".
In this case, you get the DER-encoded certificate and can analyse
it with (e.g.) "openssl".



More information about the Python-list mailing list