Yep, it looks like you&#39;re on the right track.&nbsp; I&#39;ll close this bug.<br><br>Bill<br><br><div class="gmail_quote">On Wed, May 14, 2008 at 12:51 PM, Ruben Kerkhof &lt;<a href="mailto:report@bugs.python.org">report@bugs.python.org</a>&gt; wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><br>
Ruben Kerkhof &lt;<a href="mailto:ruben@rubenkerkhof.com">ruben@rubenkerkhof.com</a>&gt; added the comment:<br>
<br>
Hi Bill,<br>
<br>
When I include the server certificate in ca_certs, verification<br>
succeeds, and I can view the peer certificate dict with getpeercert(False)<br>
<br>
When I set ca_certs to none and ssl.CERT_NONE, I can still call<br>
getpeercert(True) and call DER_cert_to_PEM_cert to get the same PEM<br>
certificate.<br>
<br>
SSL is all new to me, so forgive me if I talk nonsense, but what I&#39;m<br>
trying to do is the following:<br>
<br>
I receive a key from Bob which is a digest of his servers certificate.<br>
To make sure I&#39;m really talking to Bob I need to decrypt his servers<br>
signature with his public key and check the resulting digest against my<br>
key. So I have to ignore failures like<br>
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT and<br>
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, but detect things like<br>
X509_V_ERR_CERT_SIGNATURE_FAILURE.<br>
<br>
The idea is based on what foolscap is doing with FURLS<br>
(<a href="http://foolscap.lothar.com/trac" target="_blank">http://foolscap.lothar.com/trac</a>)<br>
<br>
Am I making sense?<br>
<div><div></div><div class="Wj3C7c"><br>
__________________________________<br>
Tracker &lt;<a href="mailto:report@bugs.python.org">report@bugs.python.org</a>&gt;<br>
&lt;<a href="http://bugs.python.org/issue2838" target="_blank">http://bugs.python.org/issue2838</a>&gt;<br>
__________________________________<br>
</div></div></blockquote></div><br>