Christian Heimes added the comment:

Python uses serverAuth and clientAuth in the exact same meaning as EKU 
(extended key usage). In order to create an X.509 cert for a web server, it should 
have the EKU "SSL/TLS Web Server Authentication". On the other hand, a client must 
validate the cert for a specific purpose, too. So the client creates a context 
with purpose SERVER_AUTH. This loads only trust anchors which are flagged with 
the EKU "SSL/TLS Web Server Authentication".

For a TLS/SSL server it is the other way around. The server side uses a context 
with CLIENT_AUTH to load only root certs that can validate client certs. Other 
purposes aren't supported because Python's ssl supports neither S/MIME nor 
code signing.

https://docs.python.org/2/library/ssl.html#ssl.SSLContext.load_default_certs 
explains the purpose flags, too.

----------
nosy: +christian.heimes

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue24516>
_______________________________________