This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: Client certificates with UniqueIdentifier in the subject break ssl.peer_certificate()
Type: behavior Stage: patch review
Components: SSL Versions: Python 3.11, Python 3.10, Python 3.9
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: christian.heimes, kacper, miss-islington, xiaox55066
Priority: normal Keywords: patch

Created on 2022-01-02 22:03 by kacper, last changed 2022-04-11 14:59 by admin.

Pull Requests
URL Status Linked Edit
PR 30351 merged christian.heimes, 2022-01-03 08:50
PR 31454 merged miss-islington, 2022-02-20 20:42
Messages (3)
msg409532 - (view) Author: Kacper (kacper) Date: 2022-01-02 22:03
Currently all subject sets of a client certificate are treated as UTF8 strings using the ASN1_STRING_to_UTF8 function (, however RFC 5280 states that the UniqueIdentifier is of type BIT STRING. Passing a BIT STRING into the ASN1_STRING_to_UTF8 function seems to return -1 and subsequently fail a SSL handshake.

Traceback (most recent call last):
  File "/usr/lib64/python3.6/asyncio/", line 145, in _run
  File "/usr/lib64/python3.6/site-packages/tornado/platform/", line 138, in _handle_events
    handler_func(fileobj, events)
  File "/usr/lib64/python3.6/site-packages/tornado/", line 702, in _handle_events
  File "/usr/lib64/python3.6/site-packages/tornado/", line 1471, in _handle_read
  File "/usr/lib64/python3.6/site-packages/tornado/", line 1431, in _do_ssl_handshake
    if not self._verify_cert(self.socket.getpeercert()):
  File "/usr/lib64/python3.6/", line 860, in getpeercert
    return self._sslobj.getpeercert(binary_form)
  File "/usr/lib64/python3.6/", line 610, in getpeercert
    return self._sslobj.peer_certificate(binary_form)
ssl.SSLError: unknown error (_ssl.c:959)

(line 959 of _ssl.c corresponds to might be of interest for further discussion.
msg413609 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2022-02-20 20:42
New changeset be095f6c32188bba02079d086ac8639ea37cec3c by Christian Heimes in branch 'main':
bpo-46232: Fix parsing of certs with bit string in DN (GH-30351)
msg413641 - (view) Author: miss-islington (miss-islington) Date: 2022-02-21 09:37
New changeset 633d0f90f933515a9fca21a38cf87a8baf8ddc7d by Miss Islington (bot) in branch '3.10':
bpo-46232: Fix parsing of certs with bit string in DN (GH-30351)
Date User Action Args
2022-04-11 14:59:54adminsetgithub: 90390
2022-02-21 21:18:45ned.deilysetmessages: - msg413642
2022-02-21 09:59:19xiaox55066setnosy: + xiaox55066
messages: + msg413642
2022-02-21 09:37:46miss-islingtonsetmessages: + msg413641
2022-02-20 20:42:47miss-islingtonsetnosy: + miss-islington
pull_requests: + pull_request29582
2022-02-20 20:42:42christian.heimessetmessages: + msg413609
2022-01-03 08:50:14christian.heimessetkeywords: + patch
stage: patch review
pull_requests: + pull_request28564
2022-01-03 07:55:44christian.heimessetassignee: christian.heimes ->
versions: - Python 3.6, Python 3.7, Python 3.8
2022-01-02 22:03:19kacpercreate