This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author christian.heimes
Recipients asmodai, chet, christian.heimes, dsoprea, dstufft, jcea, maker, miki725, mmasztalerczuk, pitrou, underrun
Date 2017-05-12.21:45:01
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
The ticket is dead for a very good reason. Past me was not clever enough and didn't know about the difference between the cert chain sent by the peer and the actual trust chain. The peer's cert chain is not trustworthy and must *only* be used to build the actual trust chain. X.509 chain trust chain construction is a tricky business.

Although I thought that peer cert chain is a useful piece of information, it is also dangerous. It's simply not trustworthy. In virtually all cases you want to know the chain of certificates that leads from a local trust anchor to the end-entity cert. In most cases it just happens to be the same (excluding root CA). But that's not reliable.
Date User Action Args
2017-05-12 21:45:01christian.heimessetrecipients: + christian.heimes, jcea, pitrou, asmodai, maker, underrun, dstufft, dsoprea, miki725, mmasztalerczuk, chet
2017-05-12 21:45:01christian.heimessetmessageid: <>
2017-05-12 21:45:01christian.heimeslinkissue18233 messages
2017-05-12 21:45:01christian.heimescreate