This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python Developer Guide.

classification
Title: ssl.SSLSocket.getpeercert does not return client certificate
Type: behavior
Stage: resolved
Components: Documentation, Library (Lib)
Versions: Python 3.3, Python 3.4, Python 2.7
process
Status: closed
Resolution: fixed
Assigned To: docs@python
Nosy List: Flimm, docs@python, pitrou, python-dev
Priority: normal

Created on 2013-04-15 15:14 by Flimm, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Files
File name | Uploaded | Description
test.tar.gz | Flimm, 2013-04-15 15:14 | Test case (just run test.py)
Messages (5)
msg186999 - (view) Author: David D Lowe (Flimm) Date: 2013-04-15 15:14
The documentation for ssl.SSLSocket.getpeercert states:

> If the binary_form parameter is True, and a certificate was provided, this method returns the DER-encoded form of the entire certificate as a sequence of bytes, or None if the peer did not provide a certificate. This return value is independent of validation; if validation was required (CERT_OPTIONAL or CERT_REQUIRED), it will have been validated, but if CERT_NONE was used to establish the connection, the certificate, if present, will not have been validated.

However, in the case that validation is not required, getpeercert does not return a certificate, even when binary_form is set to True.
msg187032 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-04-15 21:13
Thanks for reporting this. This is a documentation issue. As stated in the OpenSSL docs:

"Due to the protocol definition, a TLS/SSL server will always send a certificate, if present. A client will only send a certificate when explicitly requested to do so by the server (see SSL_CTX_set_verify(3))."

(Note that you can use CERT_OPTIONAL on the server. This will let through clients without a certificate, but will reject clients with an invalid certificate.)
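The behaviour discussed in this exchange, as an added example that is not part of the original thread or of CPython: a loopback handshake in which the client always has a certificate loaded, run once per server `verify_mode`. The helper names are hypothetical, the key and certificate are constructed throwaway values, and the `openssl` command-line tool is assumed to be on PATH.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_self_signed(directory):
    """Constructed throwaway key/cert pair (assumes the openssl CLI is on PATH)."""
    key, crt = os.path.join(directory, "key.pem"), os.path.join(directory, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", crt, "-days", "1",
                    "-subj", "/CN=localhost"], check=True, capture_output=True)
    return crt, key

def server_sees(verify_mode, crt, key):
    """Do one loopback handshake; return the server's getpeercert(binary_form=True)."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(crt, key)
    srv.load_verify_locations(crt)    # trust anchor for the client certificate
    srv.verify_mode = verify_mode     # CERT_NONE: the server never asks for a cert

    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.check_hostname = False
    cli.verify_mode = ssl.CERT_NONE   # server authentication is not the point here
    cli.load_cert_chain(crt, key)     # the client has a certificate in every run

    seen = {}
    listener = socket.create_server(("127.0.0.1", 0))

    def serve():
        conn, _ = listener.accept()
        with srv.wrap_socket(conn, server_side=True) as tls:
            seen["der"] = tls.getpeercert(binary_form=True)
            tls.sendall(b"ok")

    worker = threading.Thread(target=serve)
    worker.start()
    with socket.create_connection(listener.getsockname()) as raw:
        with cli.wrap_socket(raw) as tls:
            tls.recv(2)               # wait until the server has finished
    worker.join()
    listener.close()
    return seen["der"]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        crt, key = make_self_signed(d)
        for mode in (ssl.CERT_NONE, ssl.CERT_OPTIONAL, ssl.CERT_REQUIRED):
            der = server_sees(mode, crt, key)
            print(mode.name, "->", None if der is None else f"{len(der)} DER bytes")
```

A server that needs the client's identity should set `CERT_OPTIONAL` or `CERT_REQUIRED` and treat a `None` result as "no certificate presented".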
msg187108 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2013-04-16 18:27
New changeset 8dffb76faacc by Antoine Pitrou in branch '2.7':
Issue #17739: fix the description of SSLSocket.getpeercert(binary_form=True) for server sockets.
http://hg.python.org/cpython/rev/8dffb76faacc
msg187109 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2013-04-16 18:28
New changeset 908f1a61b907 by Antoine Pitrou in branch '3.3':
Issue #17739: fix the description of SSLSocket.getpeercert(binary_form=True) for server sockets.
http://hg.python.org/cpython/rev/908f1a61b907

New changeset 537c1f1ab53c by Antoine Pitrou in branch 'default':
Issue #17739: fix the description of SSLSocket.getpeercert(binary_form=True) for server sockets.
http://hg.python.org/cpython/rev/537c1f1ab53c
msg187110 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2013-04-16 18:29
I have now fixed the documentation. Thank you!
History
Date | User | Action | Args
2022-04-11 14:57:44 | admin | set | github: 61939
2013-04-16 18:29:25 | pitrou | set | status: open -> closed; versions: - Python 3.2; messages: + msg187110; resolution: fixed; stage: needs patch -> resolved
2013-04-16 18:28:49 | python-dev | set | messages: + msg187109
2013-04-16 18:27:31 | python-dev | set | nosy: + python-dev; messages: + msg187108
2013-04-15 21:13:14 | pitrou | set | assignee: docs@python; components: + Documentation; versions: + Python 3.3, Python 3.4; nosy: + docs@python, pitrou; messages: + msg187032; stage: needs patch
2013-04-15 15:14:54 | Flimm | create |