mpb added the comment:

Christian wrote:

> sslsocket gives you access to the peer's cert and chain (with
> #18233).

Very interesting (and useful). I've mostly been working with Python 2.7, and I had not fully noticed that Python 3.2+ has an ssl.SSLContext class.

> I'd rather not implement a full wrapper for X509_STORE_CTX and X509
> certs. It's way too much code, super complex and easily confuses even
> experienced developers. Python's ssl module is limited to core
> functionality by design and choice.
>
> However I might be intrigued to implement support for
> SSL_CTX_set_cert_verify_callback() or SSL_CTX_set_verify().

SSL_CTX_set_verify() seems (mostly) redundant with SSLContext.verify_mode. Or am I missing something?

> SSL_CTX_set_cert_verify_callback() has more potential, e.g.
>
>     def cert_verify_callback(sslsocket, storectx, verify_ok):
>         context = sslsocket.context
>
> storectx is a minimal X509_STORE_CTX object and verify_ok the boolean
> return value of X509_verify_cert(). Without a cert verify callback
> OpenSSL just uses the return value of X509_verify_cert()
> (ssl/ssl_cert.c:ssl_verify_cert_chain()).

I believe support for SSL_CTX_set_cert_verify_callback() would allow customized certificate verification, which is what I am looking for.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue18293>
_______________________________________
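Since Python's ssl module exposes no SSL_CTX_set_cert_verify_callback() hook, the customized verification discussed in this thread is usually done in two stages on Python 3: let OpenSSL validate the chain (SSLContext.verify_mode = CERT_REQUIRED), then apply extra policy to what SSLSocket.getpeercert() returns. The following is an added example, not code from the tracker thread or from CPython; the certificate dict, hostnames, issuer name and the function names verify_peer_policy/connect_with_policy are constructed for illustration.

```python
import socket
import ssl
import time

# Constructed sample in the shape SSLSocket.getpeercert() returns after a verified handshake.
SAMPLE_CERT = {
    "subject": ((("commonName", "api.example.test"),),),
    "issuer": ((("organizationName", "Example Internal CA"),),
               (("commonName", "Example Issuing CA"),)),
    "subjectAltName": (("DNS", "api.example.test"), ("DNS", "*.svc.example.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2034 GMT",
}

def _dn_field(dn, key):
    # A DN is a tuple of RDNs; each RDN is a tuple of (attribute, value) pairs.
    return [v for rdn in dn for k, v in rdn if k == key]

def _dns_match(pattern, host):
    # A single leading wildcard matches exactly one DNS label (RFC 6125 style).
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.lower().endswith(pattern[1:].lower())
    return pattern.lower() == host.lower()

def verify_peer_policy(cert, hostname, pinned_issuer_org, now=None):
    """Policy applied *after* OpenSSL's chain validation. Returns (ok, reason)."""
    now = time.time() if now is None else now
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_dns_match(p, hostname) for p in sans):
        return False, "hostname not in SAN"
    if pinned_issuer_org not in _dn_field(cert.get("issuer", ()), "organizationName"):
        return False, "unexpected issuer"
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now < not_after):
        return False, "outside validity window"
    return True, "ok"

def connect_with_policy(host, port, cafile, pinned_issuer_org):
    # Stage 1: OpenSSL validates the chain against cafile and checks the hostname.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    with socket.create_connection((host, port)) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        # Stage 2: our own policy over the already-verified peer certificate.
        ok, reason = verify_peer_policy(tls.getpeercert(), host, pinned_issuer_org)
        if not ok:
            raise ssl.SSLError(f"policy rejected peer certificate: {reason}")
        return tls.getpeercert()
```

Note that getpeercert() only yields a populated dict for a certificate OpenSSL has already validated, so the policy function never sees an unverified chain.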