Issue 13288: SSL module doesn't allow access to cert issuer information
The SSL module still doesn't return much information from the certificate. SSLSocket.getpeercert only returns a few basic items about the certificate subject. You can't retrieve issuer information, and you can't get the extensions needed to check if a cert is an EV cert.
With the latest flaps about phony cert issuers (another CA compromise hit the news today), it's worth having issuer info available. It was available in the old M2Crypto module, but not in the current Python SSL module.
John Nagle
It's available in 3.3:
>>> import pprint, socket, ssl
>>> ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>> ctx.verify_mode = ssl.CERT_REQUIRED
>>> ctx.set_default_verify_paths()
>>> with ctx.wrap_socket(socket.socket()) as sock:
...     sock.connect(("svn.python.org", 443))
...     cert = sock.getpeercert()
...     pprint.pprint(cert)
...
{'issuer': ((('organizationName', 'Root CA'),),
            (('organizationalUnitName', 'http://www.cacert.org'),),
            (('commonName', 'CA Cert Signing Authority'),),
            (('emailAddress', 'support@cacert.org'),)),
 'notAfter': 'Jan 9 20:50:13 2012 GMT',
 'notBefore': 'Jan 9 20:50:13 2010 GMT',
 'serialNumber': '0806E3',
 'subject': ((('commonName', 'svn.python.org'),),),
 'subjectAltName': (('DNS', 'svn.python.org'), ('othername', '')),
 'version': 3}
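An added example, not part of the original thread or of CPython: one way to consume the 'issuer' field shown above as a policy check layered on top of normal chain validation. The function names and the allow-list are hypothetical; the sample dict is constructed from the output in the reply above.

```python
import ssl

# Constructed sample in the shape getpeercert() returns (values taken from
# the output quoted in the thread, trimmed to the fields used here).
SAMPLE_CERT = {
    'issuer': ((('organizationName', 'Root CA'),),
               (('organizationalUnitName', 'http://www.cacert.org'),),
               (('commonName', 'CA Cert Signing Authority'),),
               (('emailAddress', 'support@cacert.org'),)),
    'notAfter': 'Jan 9 20:50:13 2012 GMT',
    'notBefore': 'Jan 9 20:50:13 2010 GMT',
    'subject': ((('commonName', 'svn.python.org'),),),
}

def rdn_dict(name):
    """Flatten a name (tuple of RDNs, each a tuple of pairs) to {attr: [values]}."""
    out = {}
    for rdn in name:
        for attr, value in rdn:
            out.setdefault(attr, []).append(value)
    return out

def issuer_string(cert):
    """Render the issuer as one line, suitable for logging."""
    return ", ".join(f"{a}={v}" for rdn in cert.get("issuer", ()) for a, v in rdn)

def check_issuer(cert, allowed_issuer_cns, now):
    """Return a list of policy problems; an empty list means all checks passed.

    This compares names only. It is meaningful only when the TLS layer has
    already validated the chain (verify_mode = ssl.CERT_REQUIRED).
    """
    issuer = rdn_dict(cert.get("issuer", ()))
    if not issuer:
        # getpeercert() returns {} when the certificate was not validated.
        return ["no issuer field: certificate was not validated"]
    problems = []
    if not set(issuer.get("commonName", [])) & set(allowed_issuer_cns):
        problems.append("issuer not on allow-list: " + issuer_string(cert))
    if issuer == rdn_dict(cert.get("subject", ())):
        problems.append("self-issued: issuer equals subject")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        problems.append("outside validity window")
    return problems

if __name__ == "__main__":
    import time
    print(issuer_string(SAMPLE_CERT))
    print(check_issuer(SAMPLE_CERT, {"CA Cert Signing Authority"}, time.time()))
```
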