Author christian.heimes
Recipients christian.heimes, docs@python, messa
Date 2015-06-26.13:29:40
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
Python uses serverAuth and clientAuth in the exact same meaning as EKU (extended key usage). In order to create X.509 cert for a web server, it should have EKU "SSL/TLS Web Server Authentication". On the other hand a client must validate the cert for a specific purpose, too. So the client creates a context with purpose SERVER_AUTH. This loads only trust anchors which are flagged with EKU "SSL/TLS Web Server Authentication".

For TLS/SSL server it is the other way around. The server side uses a context with CLIENT_AUTH to load only root certs that can validate client certs. Other purposes aren't supported because Python's ssl does neither support S/MIME nor code signing. explains the purpose flags, too.
Date User Action Args
2015-06-26 13:29:40christian.heimessetrecipients: + christian.heimes, docs@python, messa
2015-06-26 13:29:40christian.heimessetmessageid: <>
2015-06-26 13:29:40christian.heimeslinkissue24516 messages
2015-06-26 13:29:40christian.heimescreate