Yep, it looks like you're on the right track. I'll close this bug.
Bill
Ruben Kerkhof <ruben@rubenkerkhof.com> added the comment:
Hi Bill,
When I include the server certificate in ca_certs, verification
succeeds, and I can view the peer certificate dict with getpeercert(False).
When I set ca_certs to None and ssl.CERT_NONE, I can still call
getpeercert(True) and call DER_cert_to_PEM_cert to get the same PEM
certificate.
SSL is all new to me, so forgive me if I talk nonsense, but what I'm
trying to do is the following:
I receive a key from Bob which is a digest of his server's certificate.
To make sure I'm really talking to Bob I need to decrypt his server's
signature with his public key and check the resulting digest against my
key. So I have to ignore failures like
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT and
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, but detect things like
X509_V_ERR_CERT_SIGNATURE_FAILURE.
The idea is based on what foolscap is doing with FURLS
(http://foolscap.lothar.com/trac)
Am I making sense?
__________________________________
Tracker <report@bugs.python.org>
<http://bugs.python.org/issue2838>
__________________________________
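An added example, not code from the original thread, of the certificate-digest check Ruben describes using Python's ssl module: the handshake runs with CERT_NONE so a self-signed certificate is not rejected, and the DER certificate returned by getpeercert(True) is hashed and compared against the digest received out of band. The host, port, pin value and SAMPLE_DER bytes are assumed placeholders.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed sample bytes standing in for a DER-encoded certificate; a real
# value comes from ssock.getpeercert(binary_form=True).
SAMPLE_DER = b"\x30\x82\x01\x0a constructed bytes, not a real certificate"


def fingerprint(der_cert: bytes) -> str:
    """Lowercase hex SHA-256 digest of a DER certificate (the 'key' Bob hands out)."""
    return hashlib.sha256(der_cert).hexdigest()


def cert_matches_pin(der_cert: bytes, expected_pin: str) -> bool:
    """Compare the peer certificate's digest with the pinned value.

    Accepts the 'AA:BB:...' display form as well as bare hex, and compares in
    constant time so the check itself does not leak how many bytes matched.
    """
    wanted = expected_pin.replace(":", "").strip().lower()
    return hmac.compare_digest(fingerprint(der_cert), wanted)


def connect_pinned(host: str, port: int, expected_pin: str,
                   timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection that is kept only if the leaf certificate matches the pin.

    Chain verification is off (CERT_NONE), so self-signed errors such as
    X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT never abort the handshake. The handshake
    still proves the peer holds the private key for the certificate it presented,
    so comparing that certificate's digest is what authenticates the peer here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    ssock = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = ssock.getpeercert(binary_form=True)
        if der is None or not cert_matches_pin(der, expected_pin):
            raise ssl.SSLError("peer certificate does not match pinned digest")
    except Exception:
        ssock.close()     # never hand back a socket whose peer failed the pin check
        raise
    return ssock
```

Nothing beyond the digest is checked (no expiry, no hostname), so the pinned value must reach the client over a trusted channel, which is the role the FURL plays in foolscap.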