
Author christian.heimes
Recipients christian.heimes, mpb
Date 2013-06-24.23:30:36
Message-id <1372116636.93.0.175947007446.issue18293@psf.upfronthosting.co.za>
Content
I'm setting the version to 3.4 as this is a feature request. 2.7 and 3.3 are in feature freeze mode.

OpenSSL doesn't support our idea out of the box. OpenSSL either verifies the peer's certificate and chain or doesn't verify the peer's certificate and chain. Optional and required verification make a difference only for client side certs. Server side certs are always verified in both modes. See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html#NOTES

When you are talking to a server the peer's certificate is always available, even in SSL_VERIFY_NONE mode. The server cert's public key is required to asymmetrically encrypt part of the session key. It's Python's ssl module that doesn't return the cert information in getpeercert() when SSL_CTX_get_verify_mode() doesn't have SSL_VERIFY_PEER. You can still get the DER encoded peer cert with getpeercert(True).

Now for something completely different: Without verification and the correct root cert it's not possible to get the root cert of a peer's chain (see issue #18233). AFAIK SSL doesn't provide the full root cert as part of the peer chain because the other side is supposed to have a copy of the chain root anyway. Different story, though.
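The getpeercert() behaviour described in the message, as an added example (not code from the issue or from CPython): the parsed dict is only populated when the context verified the chain, while the DER form is available either way and can still be fingerprinted and logged. The FakeTlsSocket stand-in and its DER bytes are constructed here so the helper can be exercised offline; connect_and_inspect is the real-socket variant.

```python
import hashlib
import socket
import ssl


def peer_cert_info(tls_sock):
    """Report what the ssl module exposes about the peer certificate.

    getpeercert() returns a parsed dict only when the context verified the
    chain (CERT_REQUIRED); with CERT_NONE it returns {}.  getpeercert(True)
    returns the raw DER bytes in both modes, because the server certificate
    is always sent during the handshake.  The SHA-256 fingerprint of the DER
    is useful for logging or pinning even when verification is off.
    """
    parsed = tls_sock.getpeercert()
    der = tls_sock.getpeercert(binary_form=True)
    return {
        "verified": bool(parsed),
        "subject": parsed.get("subject") if parsed else None,
        "der": der,
        "sha256": hashlib.sha256(der).hexdigest() if der else None,
    }


def connect_and_inspect(host, port=443, verify=True):
    """Open a TLS connection and inspect the peer cert in either verify mode."""
    ctx = ssl.create_default_context()
    if not verify:
        # The Python equivalent of SSL_VERIFY_NONE: handshake still succeeds
        # and the server still sends its certificate, but nothing is checked.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return peer_cert_info(tls)


class FakeTlsSocket:
    """Constructed stand-in for ssl.SSLSocket so the helper runs offline."""

    def __init__(self, parsed, der):
        self._parsed, self._der = parsed, der

    def getpeercert(self, binary_form=False):
        return self._der if binary_form else self._parsed


# Constructed placeholder DER bytes (a minimal SEQUENCE), not a real certificate.
FAKE_DER = b"\x30\x03\x02\x01\x01"
FAKE_SUBJECT = ((("commonName", "example.test"),),)
```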