Message 206423 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	christian.heimes
Recipients	Arfrever, christian.heimes, pitrou
Date	2013-12-17.12:03:39
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<52B03D99.2070101@cheimes.de>
In-reply-to	<1387277298.88.0.881484288286.issue20000@psf.upfronthosting.co.za>

Content
> Interesting. Is it because of the way you implemented get_ca_certs()? Yes, it's the line http://hg.python.org/cpython/file/b78de8029606/Modules/_ssl.c#l3103 that skips all certs that are not recognized as CA certs. I wasn't aware that OpenSSL supports self-signed certs that way. > Can you explain? What does "check_ca" mean? The return value of X509_check_ca(). http://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/x509v3/v3_purp.c;h=6c40c7dfc318e4b46fc20d38581ad3656e344b5e;hb=HEAD#l517

> Interesting. Is it because of the way you implemented get_ca_certs()?

Yes, it's the line

  http://hg.python.org/cpython/file/b78de8029606/Modules/_ssl.c#l3103

that skips all certs that are not recognized as CA certs. I wasn't aware
that OpenSSL supports self-signed certs that way.

> Can you explain? What does "check_ca" mean?

The return value of X509_check_ca().

http://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/x509v3/v3_purp.c;h=6c40c7dfc318e4b46fc20d38581ad3656e344b5e;hb=HEAD#l517

History
Date	User	Action	Args
2013-12-17 12:03:40	christian.heimes	set	recipients: + christian.heimes, pitrou, Arfrever
2013-12-17 12:03:40	christian.heimes	link	issue20000 messages
2013-12-17 12:03:39	christian.heimes	create