SSLSocket.getpeercert() doesn't return issuer, serial number, etc
dieter at handshake.de
Thu Aug 16 07:24:50 CEST 2012
Gustavo Baratto <gbaratto at gmail.com> writes:
> SSL.Socket.getpeercert() doesn't return essential information present in the
> client certificate (issuer, serial number, not before, etc), and it looks like it
> is by design:
> By deliberately removing all that information, further
> verification/manipulation of the cert becomes impossible.
> Revocation lists, OCSP, and any other extra layers of certificate checking
> cannot be done properly without all the information in the cert being

I agree with you that the information should not be discarded.

> Is there any way around this? There should be at least a flag for folks that
> need all the information in the certificate.

You could use the parameter "binary_form=True".
In this case, you get the DER-encoded certificate and can analyse
it with (e.g.) "openssl".
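
Added example, not part of the original message and not code from Python's ssl module: instead of handing the DER bytes to "openssl", this reads the issuer, serial number and validity dates directly with a small standard-library DER walker. The names read_tlv, children, parse_time, cert_fields, SAMPLE_DER and ssl_sock are assumptions made for this sketch, and the sample bytes are constructed.

```python
from datetime import datetime
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O"}

def read_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split a constructed element into (tag, value) pairs
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        items.append((tag, val))
    return items

def parse_time(tag, val):
    text = val.decode("ascii")
    if tag == 0x17:  # UTCTime has a 2-digit year; RFC 5280: 50-99 means 19xx
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ")

def cert_fields(der):  # issuer, serial number, validity of a DER certificate
    tag, cert, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs = children(children(cert)[0][1])  # fields of tbsCertificate
    if tbs and tbs[0][0] == 0xA0:          # skip the optional [0] version
        tbs = tbs[1:]
    (_, serial), _alg, (_, issuer), (_, validity) = tbs[:4]
    name = [(OID_NAMES.get(oid, oid.hex()), val.decode("utf-8", "replace"))
            for _, rdn in children(issuer) for _, atv in children(rdn)
            for (_, oid), (_, val) in [children(atv)]]
    not_before, not_after = (parse_time(t, v) for t, v in children(validity))
    return {"serial": int.from_bytes(serial, "big"), "issuer": name,
            "not_before": not_before, "not_after": not_after}

# Constructed sample: only the leading tbsCertificate fields, no key or signature.
# Live use (ssl_sock is hypothetical): cert_fields(ssl_sock.getpeercert(binary_form=True))
SAMPLE_DER = (b"\x30\x51\x30\x4f\xa0\x03\x02\x01\x02\x02\x02\x10\x01"
              b"\x30\x0d\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b\x05\x00"
              b"\x30\x15\x31\x13\x30\x11\x06\x03\x55\x04\x03\x0c\x0a" b"Example CA"
              b"\x30\x1e\x17\x0d" b"120101000000Z" b"\x17\x0d" b"130101000000Z")
```

The serial number and issuer recovered this way are the inputs a CRL or OCSP lookup needs; the walker does not verify the signature, so it complements chain validation and does not replace it.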