Gustavo Baratto <gbaratto@gmail.com> writes:
> SSL.Socket.getpeercert() doesn't return essential information present in the
> client certificate (issuer, serial number, not before, etc), and it looks like it
> is by design:
>
> http://docs.python.org/library/ssl.h...et.getpeercert
> http://hg.python.org/cpython/file/b8...es/_ssl.c#l866
>
> By deliberately removing all that information, further
> verification/manipulation of the cert becomes impossible.
>
> Revocation lists, OCSP, and any other extra layers of certificate checking
> cannot be done properly without all the information in the cert being
> available.

I agree with you that the information should not be discarded.

> Is there any way around this? There should be at least a flag for folks that
> need all the information in the certificate.

You could use the parameter "binary_form=True". In this case, you get the DER-encoded certificate and can analyse it with (e.g.) "openssl".
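An added example, not part of the original posts: reading the serial number, issuer and validity dates directly from the DER bytes that `getpeercert(binary_form=True)` returns, using only the standard library. The function names are illustrative, and `constructed_sample()` builds an unsigned certificate prefix by hand as test data, not a real certificate.

```python
from datetime import datetime, timezone

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = size of the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def parse_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) as an aware datetime."""
    text = value.decode("ascii")
    if tag == 0x17:                        # RFC 5280: YY >= 50 means 19YY, else 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_fields(der):
    """Pull serial, issuer Name contents and validity out of a DER certificate."""
    _, cert, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)          # TBSCertificate ::= SEQUENCE
    tag, val, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        tag, val, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    _, _, pos = read_tlv(tbs, pos)         # signature AlgorithmIdentifier, skipped
    _, issuer, pos = read_tlv(tbs, pos)    # issuer Name contents (DER-encoded RDNs)
    _, validity, _ = read_tlv(tbs, pos)
    t1, v1, nxt = read_tlv(validity, 0)
    t2, v2, _ = read_tlv(validity, nxt)
    return {"serial": int.from_bytes(val, "big", signed=True), "issuer_der": issuer,
            "not_before": parse_time(t1, v1), "not_after": parse_time(t2, v2)}

def constructed_sample():
    """Hand-built, unsigned DER prefix of a certificate (constructed test data)."""
    def tlv(tag, body):                    # short-form lengths only (body < 128 bytes)
        return bytes([tag, len(body)]) + body
    cn = tlv(0x30, bytes.fromhex("0603550403") + tlv(0x0C, b"Example Test CA"))
    tbs = tlv(0x30, tlv(0xA0, b"\x02\x01\x02") + tlv(0x02, b"\x01\xe2\x40")
              + tlv(0x30, bytes.fromhex("06092a864886f70d01010b0500"))
              + tlv(0x30, tlv(0x31, cn))
              + tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, b"250101000000Z")))
    return tlv(0x30, tbs)
```

With a live connection, the input would be `sock.getpeercert(binary_form=True)`; the serial and issuer are the values a CRL or OCSP lookup is keyed on.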