Gustavo Baratto <gbara...@gmail.com> writes: > SSL.Socket.getpeercert() doesn't return essential information present in the > client certificate (issuer, serial number, not before, etc), and it looks it > is by design: > > > > http://docs.python.org/library/ssl.html#ssl.SSLSocket.getpeercert > > http://hg.python.org/cpython/file/b878df1d23b1/Modules/_ssl.c#l866 > > > > By deliberately removing all that information, further > verification/manipulation of the cert becomes impossible. > > Revocation lists, OCSP, and any other extra layers of certificate checking > cannot be done properly without all the information in the cert being > available.
I agree with you that the information should not be discarded. > Is there anyway around this? There should be at least a flag for folks that > need all the information in the certificate. You could use the parameter "binary_form=True". In this case, you get the DER-encoded certificate and can analyse it with (e.g.) "openssl". -- http://mail.python.org/mailman/listinfo/python-list
