This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author kwatsen
Recipients Hiroaki.Kawai, asmodai, chaen, chet, chrisburr, christian.heimes, dsoprea, dstufft, jcea, joernheissler, kwatsen, maker, miki725, mmasztalerczuk, njs, pitrou, underrun
Date 2020-01-31.02:27:09
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
It seems that we're talking about the same thing, but I want the cert-chain the peer sent without any smarts, exactly how OpenSSL's SSL_get_peer_cert_chain() works and, importantly, without stapling any root chain certs the client did not send itself (though it's okay if the client did, in which case those certs should be included).

I'm not following your "I pass the chain [A, leaf cert]" comment, if leaf-cert is signed by B, then this should obviously fail.  Maybe you meant to say that A and B are loaded into a bag and that validation test is [bag, leaf-cert]?

Regardless, I don't think Python should coddle developers.  Assuming the docs are accurate, competent developers with crypto-clue will be fine.  Many crypto library docs encourage tourists to stay away.   That said, if smarts are wanted, let's choose a name that doesn't overlap with the existing OpenSSL name...get_authed_cert_chain() ?

But, please, can a "peer_cert_chain()" wrapping the OpenSSL call be release ASAP, buying time to ponder the merits of smart calls for another day?
Date User Action Args
2020-01-31 02:27:10kwatsensetrecipients: + kwatsen, jcea, pitrou, christian.heimes, asmodai, njs, maker, Hiroaki.Kawai, underrun, dstufft, dsoprea, miki725, mmasztalerczuk, chet, joernheissler, chaen, chrisburr
2020-01-31 02:27:10kwatsensetmessageid: <>
2020-01-31 02:27:10kwatsenlinkissue18233 messages
2020-01-31 02:27:09kwatsencreate