Classification
Title: ssl.getpeercert() should include extensions
Type: enhancement
Stage: needs patch
Components: Extension Modules
Versions: Python 3.5

Process
Status: closed
Resolution: wont fix
Dependencies:
Superseder:
Assigned To:
Nosy List: christian.heimes, giampaolo.rodola, janssen, oninoshiko, pitrou, terry.reedy
Priority: normal
Keywords:

Created on 2014-02-01 00:08 by oninoshiko, last changed 2016-09-08 14:53 by christian.heimes. This issue is now closed.

Files
Client.py (uploaded by oninoshiko, 2014-03-26 01:02): test client
Server.py (uploaded by oninoshiko, 2014-03-26 01:02): test server
cert.pem (uploaded by oninoshiko, 2014-03-26 01:03): test cert
Messages (5)
msg209850 - Author: A Hettinger (oninoshiko) Date: 2014-02-01 00:08
I have crafted an ssl cert which contains a custom extension. When I check the cert using OpenSSL on the command line, I clearly see the extension, but when I have the server try pprint.pprint(s.getpeercert()), I do not see these fields.

Overall, I think it would be helpful to include extensions in ssl.getpeercert()'s returned list, but if there is a workaround for this (probably rare) issue, I would appreciate it.

(I have only tested 3.4, not head)
msg214769 - Author: Terry J. Reedy (terry.reedy) * (Python committer) Date: 2014-03-25 00:11
If you can, write test code that fails now and indicate what success would look like. It can start as a separate file rather than a patch to test_ssl. It does not have to use unittest, though that would be helpful.
msg214770 - Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-03-25 00:20
The ssl module doesn't return all cert contents simply because it isn't easy to do so, or at least AFAICT it isn't. If you look at _decode_certificate() in Modules/_ssl.c you'll see the kind of code that is needed for the few fields that Python currently returns :-)
msg214875 - Author: A Hettinger (oninoshiko) Date: 2014-03-26 01:19
The specific thing I'm interested in is the custom extension "1.3.6.1.4.43167.0.0", but all of the X509 data should be imported.

Client shows both the openssl and python outputs. I would expect the ssl system to make available to me anything it doesn't explicitly know what to do with.
msg275029 - Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-09-08 14:53
We cannot support arbitrary extensions. If you need a special extension, then you have to get the raw DER cert and use some library like pyasn1 to parse the cert yourself. PyCA cryptography might help you with that, too.
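One way to follow the advice in this last reply, as an added example that is not code from the issue, from CPython, or from pyasn1 / PyCA cryptography: take the raw DER that SSLSocket.getpeercert(binary_form=True) already returns and walk it with a small standard-library DER reader to list every extension, known or not, by OID. The certificate built at the bottom is constructed test data (an unsigned skeleton with placeholder names and key), not the cert.pem attached to the issue; it carries the reporter's OID "1.3.6.1.4.43167.0.0" plus a critical basicConstraints extension so both the critical and default-false branches are exercised.

```python
# Added example (not from the issue or CPython): walk a DER certificate with
# the standard library only and list its X.509 v3 extensions, as a stand-in
# for the pyasn1 / PyCA cryptography route. Feed it the bytes returned by
# SSLSocket.getpeercert(binary_form=True); the cert built at the bottom is
# CONSTRUCTED test data, not the issue's cert.pem.

def read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, contents, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in X.509")
    if length & 0x80:                      # long form: 0x8N, then N length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length is not DER")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def iter_children(contents):
    """Yield (tag, contents) for each element of a constructed value."""
    pos = 0
    while pos < len(contents):
        tag, child, pos = read_tlv(contents, pos)
        yield tag, child

def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted form."""
    arcs, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    if acc or not arcs:
        raise ValueError("truncated OID")
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def parse_extensions(cert_der):
    """Return [(oid, critical, extnValue bytes)] for every extension.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature };
    TBSCertificate keeps its extensions under the [3] EXPLICIT tag (0xA3).
    Unknown OIDs come back as-is, which is what the reporter asked for."""
    tag, cert, _ = read_tlv(cert_der, 0)
    tbs_tag, tbs, _ = read_tlv(cert, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a Certificate SEQUENCE")
    wrapper = next((v for t, v in iter_children(tbs) if t == 0xA3), None)
    if wrapper is None:
        return []                                  # v1 cert or no extensions
    _, exts, _ = read_tlv(wrapper, 0)              # Extensions ::= SEQUENCE OF
    result = []
    for _, ext in iter_children(exts):
        fields = list(iter_children(ext))          # OID, [BOOLEAN], OCTET STRING
        oid, critical, idx = decode_oid(fields[0][1]), False, 1
        if fields[idx][0] == 0x01:                 # critical BOOLEAN DEFAULT FALSE
            critical, idx = fields[idx][1] != b"\x00", idx + 1
        if fields[idx][0] != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        result.append((oid, critical, bytes(fields[idx][1])))
    return result

# --- constructed test data: a minimal, unsigned certificate skeleton ---------
def der(tag, body):
    """Encode one TLV with DER's definite-length rules."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))

CUSTOM_OID = "1.3.6.1.4.43167.0.0"                 # the OID named in the issue

def build_sample_cert():
    """Names, key and signature are empty placeholders; only the
    tbsCertificate layout and its [3] extensions block matter here."""
    custom = der(0x30, encode_oid(CUSTOM_OID) + der(0x04, b"hello"))
    basic = der(0x30, encode_oid("2.5.29.19") + der(0x01, b"\xff")
                + der(0x04, der(0x30, b"")))       # basicConstraints, critical
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))  # [0] version v3
              + der(0x02, b"\x01")                 # serialNumber
              + der(0x30, b"") + der(0x30, b"")    # signature alg, issuer
              + der(0x30, b"") + der(0x30, b"")    # validity, subject
              + der(0x30, b"")                     # subjectPublicKeyInfo
              + der(0xA3, der(0x30, custom + basic)))
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

if __name__ == "__main__":
    for oid, critical, value in parse_extensions(build_sample_cert()):
        print(oid, "critical" if critical else "non-critical", value.hex())
```

On a live connection the same call is `parse_extensions(sock.getpeercert(binary_form=True))`, and it only makes sense after the handshake has verified the chain: the reader decodes structure, not trust, and a caller that acts on a critical extension it does not understand should reject the certificate as RFC 5280 requires rather than ignore it.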
History
Date | User | Action | Args
2016-09-08 14:53:32 | christian.heimes | set | status: open -> closed; resolution: wont fix; messages: + msg275029
2016-04-18 17:40:06 | berker.peksag | link | issue22873 superseder
2014-03-26 01:19:40 | oninoshiko | set | messages: + msg214875
2014-03-26 01:03:19 | oninoshiko | set | files: + cert.pem
2014-03-26 01:02:57 | oninoshiko | set | files: + Server.py
2014-03-26 01:02:45 | oninoshiko | set | files: + Client.py
2014-03-25 00:20:44 | pitrou | set | messages: + msg214770
2014-03-25 00:18:41 | pitrou | set | stage: test needed -> needs patch
2014-03-25 00:11:58 | terry.reedy | set | nosy: + terry.reedy; messages: + msg214769; stage: test needed
2014-02-01 01:42:27 | pitrou | set | nosy: + janssen, pitrou, giampaolo.rodola, christian.heimes; versions: + Python 3.5, - Python 3.4
2014-02-01 00:09:12 | oninoshiko | set | type: enhancement
2014-02-01 00:08:42 | oninoshiko | create |