➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2014-11-14 18:03 by nagle, last changed 2022-04-11 14:58 by admin. This issue is now closed.
| Messages (3) | |||
|---|---|---|---|
| msg231166 - (view) | Author: John Nagle (nagle) | Date: 2014-11-14 18:03 | |
In each revision of "getpeercert", a few more fields are returned. Python 3.2 added "issuer" and "notBefore". Python 3.4 added "crlDistributionPoints", "caIssuers", and OCSP URLS. But some fields
still aren't returned. I happen to need CertificatePolicies, which is how you distinguish DV, OV, and EV certs.
Here's what you get now from "getpeercert()" for "bankofamerica.com":
{'OCSP': ('http://EVSecure-ocsp.verisign.com',),
'caIssuers': ('http://EVSecure-aia.verisign.com/EVSecure2006.cer',),
'crlDistributionPoints':
('http://EVSecure-crl.verisign.com/EVSecure2006.crl',),
'issuer': ((('countryName', 'US'),),
(('organizationName', 'VeriSign, Inc.'),),
(('organizationalUnitName', 'VeriSign Trust Network'),),
(('organizationalUnitName',
'Terms of use at https://www.verisign.com/rpa (c)06'),),
(('commonName', 'VeriSign Class 3 Extended Validation SSL
CA'),)),
'notAfter': 'Mar 22 23:59:59 2015 GMT',
'notBefore': 'Feb 20 00:00:00 2014 GMT',
'serialNumber': '69A7BC85C106DDE1CF4FA47D5ED813DC',
'subject': ((('1.3.6.1.4.1.311.60.2.1.3', 'US'),),
(('1.3.6.1.4.1.311.60.2.1.2', 'Delaware'),),
(('businessCategory', 'Private Organization'),),
(('serialNumber', '2927442'),),
(('countryName', 'US'),),
(('postalCode', '60603'),),
(('stateOrProvinceName', 'Illinois'),),
(('localityName', 'Chicago'),),
(('streetAddress', '135 S La Salle St'),),
(('organizationName', 'Bank of America Corporation'),),
(('organizationalUnitName', 'Network Infrastructure'),),
(('commonName', 'www.bankofamerica.com'),)),
'subjectAltName': (('DNS', 'mobile.bankofamerica.com'),
('DNS', 'www.bankofamerica.com')),
'version': 3}
Missing fields (from Firefox's view of the cert) include:
Certificate Policies:
2.16.840.1.113733.1.7.23.6:
Extended Validation (EV) SSL Server Certificate
Certification Practice Statement pointer: https://www.verisign.com/cps
(This tells you it's a valid EV cert).
Certificate Basic Constraints:
Is not a Certificate Authority
(which means they can't issue more certs below this one)
Extended Key Usage:
TLS Web Server Authentication (1.3.6.1.5.5.7.3.1)
TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)
(which means this cert is for web use, not email or code signing)
How about just returning ALL the remaining fields and finishing the job, so this doesn't have to be fixed again? Thanks.
|
|||
| msg231198 - (view) | Author: Antoine Pitrou (pitrou) *  |
Date: 2014-11-15 00:59 | |
> How about just returning ALL the remaining fields and finishing the > job, so this doesn't have to be fixed again? Thanks. Please learn some respect. You are not here to tell volunteers what they should work on. And if you want to see things sped up, you can submit a patch. |
|||
| msg231202 - (view) | Author: John Nagle (nagle) | Date: 2014-11-15 03:51 | |
May be a duplicate of Issue 204679: "ssl.getpeercert() should include extensions" http://bugs.python.org/issue20469 |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:58:10 | admin | set | github: 67062 |
| 2016-04-18 17:40:06 | berker.peksag | set | status: open -> closed superseder: ssl.getpeercert() should include extensions resolution: duplicate stage: resolved |
| 2015-07-21 07:43:34 | ethan.furman | set | nosy:
- ethan.furman |
| 2014-11-15 03:51:45 | nagle | set | messages: + msg231202 |
| 2014-11-15 00:59:57 | pitrou | set | messages: + msg231198 |
| 2014-11-14 18:19:26 | ethan.furman | set | nosy:
+ ethan.furman |
| 2014-11-14 18:04:15 | alex | set | nosy:
+ janssen, pitrou, giampaolo.rodola, christian.heimes, alex, dstufft |
| 2014-11-14 18:03:26 | nagle | create | |