Add a way to get the peer certificate of an SSL Transport #66957
Comments
Currently, the only workaround is to use transport._sock.getpeercert(True) on the Transport returned by loop.create_connection(), which is not something to be encouraged. It is useful to get such information, for example to perform a manual certificate check against a previously recorded certificate or hash. I attached a trivial patch adding an extra 'peercert_bin' info, but I do not know if this is the right approach, as other issues of feature disparity might arise when more people try to switch to asyncio. Exposing a proxy SSLSocket object for read-only functions might be more beneficial.
Thanks for the patch!
I'm not sure that would make a difference. We still have to implement the proxy SSLSocket, which is no easier than adding the extra info by hand. Or did I misunderstand you?
The difference would be that exposing methods can be more future-proof, as some methods take parameters (like the offender getpeercert(bool), or get_channel_binding() that takes an element of ssl.CHANNEL_BINDING_TYPES, a list that may grow in the future) that need to be covered in the properties. But the API of SSLSocket is stable and small, so I don't think it really matters.
That's a good point. I don't have any strong feelings either way. Perhaps other people want to chime in? As for the patch, it will need to add a unit test as well.
Maybe transport.get_extra_info('socket').getpeercert(True) would be okay, no patch needed? On Thu, Oct 30, 2014 at 11:56 AM, Antoine Pitrou <report@bugs.python.org>
Thanks, that indeed works; I don't know why I missed it while reading the source. Maybe the docs could use some clarification, though? (Users are not supposed to know that _SelectorTransport is subclassed by _SelectorSslTransport, which thus gets the extra info of both.)
That will be problematic with bpo-22560. The clear-text socket object and the SSL object become unrelated, and it would be logical for get_extra_info('socket') to return the clear-text socket, so either a get_extra_info('ssl') would be needed, or we should expose the SSL properties directly as extra info members.
Ok, it looks like we can close the issue.
In this case, it should be discussed there.
In Python 3.5, it's no longer possible to get the peer certificate as binary. See the issue bpo-25114 for a general fix.
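A manual certificate check of the kind the original report asks for, written as an added example here and not code from this thread or from CPython: it obtains the peer certificate in DER form through transport.get_extra_info('ssl_object') (the extra-info key that current asyncio SSL transports expose, holding an ssl.SSLObject or ssl.SSLSocket), falls back to the get_extra_info('socket') workaround discussed above for older versions where the socket itself is the SSLSocket, and compares a SHA-256 fingerprint of the DER bytes against a previously recorded pin with a constant-time comparison. The _FakeSSLObject class, the DEMO_DER bytes (not a real X.509 certificate) and the PinnedProtocol class are constructed for the demo; the demo transport is a bare asyncio.BaseTransport carrying only the extra-info dict, so nothing here touches the network.

```python
import asyncio
import hashlib
import hmac
from typing import Optional


def peer_cert_der(transport: asyncio.BaseTransport) -> Optional[bytes]:
    """Return the peer certificate as DER bytes, or None if this is not a TLS transport.

    Prefers the 'ssl_object' extra info (ssl.SSLObject / ssl.SSLSocket on SSL
    transports since Python 3.5); falls back to the 'socket' extra info for older
    asyncio versions, where the socket itself was the SSLSocket.
    """
    ssl_obj = transport.get_extra_info("ssl_object")
    if ssl_obj is None:
        sock = transport.get_extra_info("socket")
        ssl_obj = sock if hasattr(sock, "getpeercert") else None
    if ssl_obj is None:
        return None
    # binary_form=True returns the raw DER encoding rather than the parsed dict.
    return ssl_obj.getpeercert(True)


def fingerprint(der: bytes) -> str:
    """Hex SHA-256 of the DER certificate, the usual form in which a pin is recorded."""
    return hashlib.sha256(der).hexdigest()


def check_pin(transport: asyncio.BaseTransport, pinned_sha256_hex: str) -> bool:
    """True only if the transport is TLS and its peer certificate matches the pin."""
    der = peer_cert_der(transport)
    if not der:
        return False
    # compare_digest avoids leaking how many leading hex digits matched.
    return hmac.compare_digest(fingerprint(der), pinned_sha256_hex.lower())


class PinnedProtocol(asyncio.Protocol):
    """Constructed example of where the check belongs: the handshake has completed
    by the time connection_made() runs, so the peer certificate is available."""

    def __init__(self, pinned_sha256_hex: str) -> None:
        self._pinned = pinned_sha256_hex
        self.pin_ok = False

    def connection_made(self, transport: asyncio.BaseTransport) -> None:
        self.pin_ok = check_pin(transport, self._pinned)
        if not self.pin_ok:
            transport.close()  # drop the connection before any application data flows


# ---- constructed test doubles (demo only, not real TLS objects) ----

class _FakeSSLObject:
    """Stand-in for ssl.SSLObject that models only getpeercert(binary_form=True)."""

    def __init__(self, der: bytes) -> None:
        self._der = der

    def getpeercert(self, binary_form: bool = False):
        if not binary_form:
            raise NotImplementedError("demo double only models binary_form=True")
        return self._der


DEMO_DER = b"constructed-der-bytes-for-demo"  # placeholder, not an X.509 certificate
PINNED_SHA256 = hashlib.sha256(DEMO_DER).hexdigest()  # the "previously recorded" pin


def make_demo_transport(der: Optional[bytes], key: str = "ssl_object") -> asyncio.BaseTransport:
    """A BaseTransport whose only content is the extra-info dict under test."""
    extra = {} if der is None else {key: _FakeSSLObject(der)}
    return asyncio.BaseTransport(extra=extra)


if __name__ == "__main__":
    print("match:   ", check_pin(make_demo_transport(DEMO_DER), PINNED_SHA256))
    print("mismatch:", check_pin(make_demo_transport(b"some other cert"), PINNED_SHA256))
    print("no TLS:  ", check_pin(make_demo_transport(None), PINNED_SHA256))
```

On a real connection the transport handed to connection_made() by loop.create_connection(..., ssl=ctx) supplies the 'ssl_object' key itself; the fake objects above exist only so the check can be exercised offline. Pinning by fingerprint is a supplement to, not a replacement for, the SSLContext's own chain verification.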