Message 216976 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	samv
Recipients	christian.heimes, docs@python, dstufft, pitrou, samv
Date	2014-04-22.00:14:17
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1398125658.05.0.461169474156.issue18617@psf.upfronthosting.co.za>
In-reply-to

Content
Perhaps the simplest thing here is to add a standard verify callback that catches verification errors, and returns the parsed server certificate as an attribute of the raised exception object. From python, the exception can be caught and then the certificate data info used to fetch the intermediate certificate, and pass it into SSLContext.load_verify_locations(). This would force an extra client connection, but be less insane than trying to fetch and return the certificate from inside the SSL_CTX_set_verify() callback IMHO. Does that sound workable? Any hints for a would-be drive-by patcher?

Perhaps the simplest thing here is to add a standard verify callback that catches verification errors, and returns the parsed server certificate as an attribute of the raised exception object.  From python, the exception can be caught and then the certificate data info used to fetch the intermediate certificate, and pass it into SSLContext.load_verify_locations().

This would force an extra client connection, but be less insane than trying to fetch and return the certificate from inside the SSL_CTX_set_verify() callback IMHO.

Does that sound workable?  Any hints for a would-be drive-by patcher?

History
Date	User	Action	Args
2014-04-22 00:14:19	samv	set	recipients: + samv, pitrou, christian.heimes, docs@python, dstufft
2014-04-22 00:14:18	samv	set	messageid: <1398125658.05.0.461169474156.issue18617@psf.upfronthosting.co.za>
2014-04-22 00:14:17	samv	link	issue18617 messages
2014-04-22 00:14:17	samv	create