Christian Heimes added the comment:

From Rietveld review:

---
http://bugs.python.org/review/18233/diff/8422/Modules/_ssl.c#newcode1203
Modules/_ssl.c:1203: chain = X509_STORE_CTX_get1_chain(store_ctx);

This isn't appropriate for this method. Specifically, you are asking for the peer cert chain, which purposefully does not include root CA certs that you trust. What you are giving here is a complete validated chain from a peer cert to a trusted root. This is a valuable piece of information, but should be returned via another method (perhaps exposed in python as get1chain in SSLContext). But this method should always return the result of SSL_get_peer_cert_chain if a peer cert chain is available.
---

You are making a good point. I'm either going to split it up into two functions or provide a way to look up a cert by issuer.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue18233>
_______________________________________
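The distinction drawn in the review above, as an added example that is not part of the original message or of CPython's `_ssl.c`: a simplified model in which the chain the peer sends stops short of the root, and the verified chain is completed by looking up each issuer in the local trust store. `Cert`, `build_verified_chain` and the sample certificates are hypothetical names constructed for illustration, and no signatures, validity dates or extensions are checked.

```python
from collections import namedtuple

# Constructed stand-in for a certificate: only the two names matter here.
Cert = namedtuple("Cert", "subject issuer")

def build_verified_chain(peer_chain, trust_store):
    """Return the leaf-to-trust-anchor path, or None if no trusted path exists.

    peer_chain  -- certs as sent by the peer, leaf first (what
                   SSL_get_peer_cert_chain reports on the client side)
    trust_store -- locally trusted CA certs
    """
    if not peer_chain:
        return None
    trusted = {c.subject: c for c in trust_store}
    untrusted = {c.subject: c for c in peer_chain[1:]}
    path = [peer_chain[0]]
    seen = {peer_chain[0].subject}
    while True:
        current = path[-1]
        if trusted.get(current.subject) == current:
            return path  # reached a locally trusted anchor
        # Look the issuer up by name: trusted certs first, then peer-supplied.
        issuer = trusted.get(current.issuer) or untrusted.get(current.issuer)
        if issuer is None or issuer.subject in seen:
            return None  # missing issuer, or a loop in the issuer names
        path.append(issuer)
        seen.add(issuer.subject)

# Constructed sample data: the peer sends leaf + intermediate, never the root.
LEAF = Cert("CN=www.example.test", "CN=Example Intermediate CA")
INTERMEDIATE = Cert("CN=Example Intermediate CA", "CN=Example Root CA")
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
PEER_CHAIN = [LEAF, INTERMEDIATE]
TRUST_STORE = [ROOT]

if __name__ == "__main__":
    print("peer chain:    ", [c.subject for c in PEER_CHAIN])
    verified = build_verified_chain(PEER_CHAIN, TRUST_STORE)
    print("verified chain:", [c.subject for c in verified])
```

The two results differ by exactly the trust anchor, which is why the review asks for them to be returned by separate methods.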