Dustin Oprea added the comment: Thanks for expounding on this, Christian. Assuming your assertions are correct, this makes perfect sense.
Can anyone listening close this?

On May 12, 2017 17:45, "Christian Heimes" <rep...@bugs.python.org> wrote:

> Christian Heimes added the comment:
>
> The ticket is dead for a very good reason. Past me was not clever enough and didn't know about the difference between the cert chain sent by the peer and the actual trust chain. The peer's cert chain is not trustworthy and must *only* be used to build the actual trust chain.
>
> X.509 trust chain construction is a tricky business. Although I thought that the peer cert chain is a useful piece of information, it is also dangerous. It's simply not trustworthy. In virtually all cases you want to know the chain of certificates that leads from a local trust anchor to the end-entity cert. In most cases it just happens to be the same (excluding root CA). But that's not reliable.
>
> ----------
> Python tracker <rep...@bugs.python.org>
> <http://bugs.python.org/issue18233>
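The distinction Christian draws above, as an added example that is not code from the tracker thread or from CPython: a throw-away PKI built with the openssl CLI (assumed installed, 1.1.0 or newer), where the bundle a peer would send on the wire is only untrusted input to `openssl verify`, and the chain that counts is the one built from the local trust anchor. All names and key material are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the tracker thread. Builds: a local trust anchor, an
# intermediate, an end-entity cert, and an unrelated self-signed "root" that a
# peer might still stuff into its bundle. Assumes the openssl CLI (>= 1.1.0).
set -eu
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\n' > ee.ext

# csr NAME CN: throw-away unencrypted RSA key plus CSR (constructed material)
csr() { openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null; }
# selfsign NAME: self-signed CA certificate from NAME.csr
selfsign() { openssl x509 -req -days 30 -in "$1.csr" -signkey "$1.key" -extfile ca.ext -out "$1.pem" 2>/dev/null; }
# issue NAME ISSUER EXTFILE: certificate for NAME.csr signed with ISSUER's key
issue() { openssl x509 -req -days 30 -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial -extfile "$3" -out "$1.pem" 2>/dev/null; }

csr root 'Local Root';     selfsign root           # the client's local trust anchor
csr inter 'Intermediate';  issue inter root ca.ext
csr leaf 'server.example'; issue leaf inter ee.ext # end-entity certificate
csr rogue 'Rogue Root';    selfsign rogue          # self-signed, trusted by nobody
# What the peer puts on the wire next to the leaf: the real intermediate plus junk.
cat inter.pem rogue.pem > peer_sent.pem

# Number of certificates the peer presented (leaf plus its bundle): 3.
peer_sent_count() { cat leaf.pem peer_sent.pem | grep -c 'BEGIN CERTIFICATE'; }

# The actual trust chain, leaf -> intermediate -> local anchor, one "depth=N: ..."
# line per element. peer_sent.pem is only a pool of untrusted candidates, so the
# rogue root never shows up and the chain ends at Local Root, which the peer
# never sent at all.
verified_chain() {
  openssl verify -no-CApath -no-CAfile -CAfile root.pem \
    -untrusted peer_sent.pem -show_chain leaf.pem 2>/dev/null | grep '^depth='
}

# Taking the peer's bundle at face value (its rogue root as the anchor) must
# fail: nothing in the chain leads to that anchor, and the real one is absent.
rogue_as_anchor_fails() {
  ! openssl verify -no-CApath -no-CAfile -CAfile rogue.pem \
      -untrusted peer_sent.pem leaf.pem >/dev/null 2>&1
}
```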