Issue 20469: ssl.getpeercert() should include extensions

Created on 2014-02-01 00:08 by oninoshiko, last changed 2022-04-11 14:57 by admin. This issue is now closed.

Files

File name   Uploaded                        Description
Client.py   oninoshiko, 2014-03-26 01:02    test client
Server.py   oninoshiko, 2014-03-26 01:02    test server
cert.pem    oninoshiko, 2014-03-26 01:03    test cert
Messages (5)
msg209850 - (view) Author: A Hettinger (oninoshiko) Date: 2014-02-01 00:08
I have crafted an ssl cert which contains a custom extension. When I check the cert using OpenSSL on the command line, I clearly see the extension, but when I have the server try to pprint.pprint(s.getpeercert()), I do not see these fields. Overall, I think it would be helpful to include extensions in ssl.getpeercert()'s returned list, but if there is a workaround for this (probably rare) issue, I would appreciate it. (I have only tested 3.4, not head.)
msg214769 - (view) Author: Terry J. Reedy (terry.reedy) * (Python committer) Date: 2014-03-25 00:11
If you can, write test code that fails now and indicate what success would look like. It can start as a separate file rather than a patch to test_ssl. It does not have to use unittest, though that would be helpful.
msg214770 - (view) Author: Antoine Pitrou (pitrou) * (Python committer) Date: 2014-03-25 00:20
The ssl module doesn't return all cert contents simply because it isn't easy to do so, or at least AFAICT it isn't. If you look at _decode_certificate() in Modules/_ssl.c you'll see the kind of code that is needed for the few fields that Python currently returns :-)
msg214875 - (view) Author: A Hettinger (oninoshiko) Date: 2014-03-26 01:19
The specific thing I'm interested in is the custom extension "1.3.6.1.4.43167.0.0", but all of the X509 data should be imported. Client shows both the openssl and python outputs. I would expect anything the ssl system doesn't explicitly know what to do with to be made available to me.
msg275029 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-09-08 14:53
We cannot support arbitrary extensions. If you need a special extension, then you have to get the raw DER cert and use some library like pyasn1 to parse the cert yourself. PyCA cryptography might help you with that, too.
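The workaround described in the closing message, as an added example that is not part of the original report or of CPython: take the raw DER certificate (on a real connection this is `sock.getpeercert(binary_form=True)`) and walk the ASN.1 yourself to list every extension, known or not, as (OID, critical flag, raw extnValue). The reader below uses only the standard library instead of pyasn1 or PyCA cryptography, and the certificate it parses is constructed inline for the demo: the layout is a correct X.509 TBSCertificate, but the key and signature fields are placeholders, so it is not a usable certificate. The custom OID is the one named in the report.

```python
"""Stdlib-only walker that lists X.509 extensions from a DER certificate.
Added illustration, not CPython code. The sample certificate is CONSTRUCTED:
valid X.509 layout, placeholder key and signature."""

# --- minimal DER encoder, used only to build the sample certificate ---------

def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + _length(len(content)) + content

def seq(*items):
    return tlv(0x30, b"".join(items))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]           # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                  # base-128, high bit = "more"
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def extension(oid, value, critical=False):
    parts = [encode_oid(oid)]
    if critical:                              # BOOLEAN DEFAULT FALSE: omit when false
        parts.append(tlv(0x01, b"\xff"))
    parts.append(tlv(0x04, value))            # extnValue is an OCTET STRING
    return seq(*parts)

CUSTOM_OID = "1.3.6.1.4.43167.0.0"            # the OID from the report

def build_sample_cert():
    """Constructed certificate: sha256WithRSAEncryption algid, CN=demo, two extensions."""
    alg = seq(encode_oid("1.2.840.113549.1.1.11"), tlv(0x05, b""))
    name = seq(tlv(0x31, seq(encode_oid("2.5.4.3"), tlv(0x0C, b"demo"))))
    validity = seq(tlv(0x17, b"240101000000Z"), tlv(0x17, b"340101000000Z"))
    spki = seq(alg, tlv(0x03, b"\x00placeholder-key"))
    exts = tlv(0xA3, seq(                     # [3] EXPLICIT Extensions
        extension("2.5.29.19", seq(tlv(0x01, b"\xff")), critical=True),   # basicConstraints cA=TRUE
        extension(CUSTOM_OID, tlv(0x0C, b"hello from the extension")),
    ))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), alg,
              name, validity, name, spki, exts)
    return seq(tbs, alg, tlv(0x03, b"\x00placeholder-signature"))

# --- minimal DER reader ----------------------------------------------------

def read_tlv(buf, pos=0):
    """Return (tag, content, position after this element)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                          # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    pos = 0
    while pos < len(buf):
        tag, content, pos = read_tlv(buf, pos)
        yield tag, content

def decode_oid(body):
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_extensions(der_cert):
    """Return [(oid, critical, raw extnValue bytes)] for every extension in a DER cert."""
    _, cert_body, _ = read_tlv(der_cert)
    _, tbs, _ = read_tlv(cert_body)           # tbsCertificate is the first element
    for tag, content in children(tbs):
        if tag == 0xA3:                       # locate [3] Extensions by tag, not position
            _, ext_list, _ = read_tlv(content)
            break
    else:
        return []                             # v1 certificate: no extensions
    result = []
    for _, ext in children(ext_list):
        fields = list(children(ext))
        critical = len(fields) == 3 and fields[1][1] == b"\xff"
        result.append((decode_oid(fields[0][1]), critical, fields[-1][1]))
    return result

if __name__ == "__main__":
    for oid, crit, value in parse_extensions(build_sample_cert()):
        print(oid, "critical" if crit else "non-critical", value)
```

The decoded extnValue is still DER (here a UTF8String for the custom extension); what it means is defined by whoever registered the OID, which is exactly why a generic `getpeercert()` cannot interpret it. With PyCA cryptography the same listing is `x509.load_der_x509_certificate(der).extensions`, where an unknown OID comes back as an `UnrecognizedExtension` carrying the raw bytes.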
History

Date                 User               Action  Args
2022-04-11 14:57:57  admin              set     github: 64668
2016-09-08 14:53:32  christian.heimes   set     status: open -> closed; resolution: wont fix; messages: +
2016-04-18 17:40:06  berker.peksag      link    issue22873 superseder
2014-03-26 01:19:40  oninoshiko         set     messages: +
2014-03-26 01:03:19  oninoshiko         set     files: + cert.pem
2014-03-26 01:02:57  oninoshiko         set     files: + Server.py
2014-03-26 01:02:45  oninoshiko         set     files: + Client.py
2014-03-25 00:20:44  pitrou             set     messages: +
2014-03-25 00:18:41  pitrou             set     stage: test needed -> needs patch
2014-03-25 00:11:58  terry.reedy        set     nosy: + terry.reedy; messages: +; stage: test needed
2014-02-01 01:42:27  pitrou             set     nosy: + janssen, pitrou, giampaolo.rodola, christian.heimes; versions: + Python 3.5, - Python 3.4
2014-02-01 00:09:12  oninoshiko         set     type: enhancement
2014-02-01 00:08:42  oninoshiko         create