Message193424
From Rietveld review:
---
http://bugs.python.org/review/18233/diff/8422/Modules/_ssl.c#newcode1203
Modules/_ssl.c:1203: chain = X509_STORE_CTX_get1_chain(store_ctx);
This isn't appropriate for this method. Specifically, you are asking for
the peer cert chain, which purposefully does not include root CA certs
that you trust. What you are giving here is a complete validated chain from
a peer cert to a trusted root. This is a valuable piece of information,
but should be returned via another method (perhaps exposed in python as
get1chain in SSLContext). But this method should always return the
result of SSL_get_peer_cert_chain if a peer cert chain is available.
---
You are making a good point. I'm either going to split it up into two functions or provide a way to look up a cert by issuer.

Date                | User             | Action | Args
2013-07-20 23:42:20 | christian.heimes | set    | recipients: + christian.heimes, jcea, maker, underrun
2013-07-20 23:42:20 | christian.heimes | set    | messageid: <1374363740.42.0.451855636599.issue18233@psf.upfronthosting.co.za>
2013-07-20 23:42:20 | christian.heimes | link   | issue18233 messages
2013-07-20 23:42:19 | christian.heimes | create |
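The distinction the review draws, as an added example that is not part of the issue or of CPython's _ssl.c: a shell script using the openssl command line (assumed to be 1.1.1 or newer and on PATH) builds a root, an intermediate and a leaf, then compares the bundle a server would put in its Certificate message (leaf and intermediate, which is what SSL_get_peer_cert_chain() reflects on the client) with the chain the verifier builds from that bundle plus the trust store (leaf, intermediate, root, which is what X509_STORE_CTX_get1_chain() returns). The certificate names, file names and the issuer lookup at the end are this example's own.

```shell
#!/bin/sh
# Added example, not code from CPython or from issue 18233.
# Assumes openssl 1.1.1+ on PATH; everything is generated in a temp dir.
set -e

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cd "$work"

# Root CA, self-signed. It is the only certificate placed in the trust store.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
    -subj "/CN=Example Root CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
    -out root.pem 2>/dev/null

# Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Intermediate CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile inter.ext -out inter.pem 2>/dev/null

# Leaf (server) certificate, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=example.test" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null

# What a correctly configured server sends: leaf plus intermediate, and
# deliberately not the root. This is the list SSL_get_peer_cert_chain()
# hands back on the client side.
cat leaf.pem inter.pem > peer_chain.pem

peer_chain_len() {
    grep -c -- '-----BEGIN CERTIFICATE-----' peer_chain.pem
}

# What the verifier builds from the peer's bundle plus the trust store:
# leaf, intermediate, root. This is what X509_STORE_CTX_get1_chain() returns.
verified_chain_len() {
    openssl verify -CAfile root.pem -untrusted inter.pem -show_chain leaf.pem \
        | grep -c '^depth='
}

# The "look up by issuer" route: the top cert the peer sent names the trust
# anchor as its issuer, which is the key used to find the root in the store.
peer_chain_top_issuer() {
    openssl x509 -in inter.pem -noout -issuer | sed 's/^issuer=//'
}
root_subject() {
    openssl x509 -in root.pem -noout -subject | sed 's/^subject=//'
}

echo "certs sent by peer:       $(peer_chain_len)"
echo "certs in verified chain:  $(verified_chain_len)"
echo "issuer of top peer cert:  $(peer_chain_top_issuer)"
echo "subject of trusted root:  $(root_subject)"
```

Run it as `sh peer_vs_verified.sh`; the peer bundle counts two certificates while the chain printed by `openssl verify -show_chain` has three entries, the extra one being the root taken from the trust store, and the intermediate's issuer string equals the root's subject string, which is the lookup the issuer based approach would perform.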