[issue18233] SSLSocket.getpeercertchain()

2021-06-21 J.P
Change by J.P: -- nosy: +jamespo

2021-04-26 Christian Heimes
Christian Heimes added the comment: New changeset 666991fc598bc312d72aff0078ecb553f0a968f1 by Christian Heimes in branch 'master': bpo-18233: Add internal methods to access peer chain (GH-25467) https://github.com/python/cpython/commit/666991fc598bc312d72aff0078ecb553f0a968f1

2021-04-18 Christian Heimes
Change by Christian Heimes: -- pull_requests: +24191 pull_request: https://github.com/python/cpython/pull/25467

2020-10-12 Chris Burr
Change by Chris Burr: -- versions: +Python 3.10 -Python 3.9

2020-08-19 JustAnotherArchivist
Change by JustAnotherArchivist: -- nosy: +JustAnotherArchivist

2020-06-30 Chris Burr
Chris Burr added the comment: Hi Zack, I've already opened a PR that is loosely based on this patch. If you have time to give it a review I'd appreciate the extra set of eyes. https://github.com/python/cpython/pull/17938 -- versions: +Python 3.9 -Python 3.8

2020-06-29 Zack Weinberg
Zack Weinberg added the comment: I have yet another use case for the function implemented by this patch (i.e. retrieving the cert chain actually sent by the server, regardless of whether that gives a path to a trust anchor). I'm implementing a network forensics tool, and one of the situatio

2020-01-31 Kent Watsen
Kent Watsen added the comment: I agree that having both would be best, but there is a world of difference between a must-have (peer_cert_chain) and what seems to be a nice-to-have (authed_peer_cert_chain). My request for clarification was not that I don't understand bags, etc. (see my first

2020-01-31 Nathaniel Smith
Nathaniel Smith added the comment: I'm not sure I agree about assuming that users will be able to work around these issues... I mean, nothing personal, I'm sure you're well-informed and maybe your code would work fine, but if you don't understand my example then how can you be entirely confi

2020-01-30 Kent Watsen
Kent Watsen added the comment: It seems that we're talking about the same thing, but I want the cert-chain the peer sent without any smarts, exactly how OpenSSL's SSL_get_peer_cert_chain() works and, importantly, without stapling any root chain certs the client did not send itself (though it

2020-01-30 Nathaniel Smith
Nathaniel Smith added the comment: > For the concern issue, as I understand it, the ability to call getpeercert() > or the proposed getpeercertchain() is only after the TLS session has been > established. As such, the SSL socket already established that there exists a > valid chain of trust

2020-01-30 Kent Watsen
Kent Watsen added the comment: I don't understand the concern issues being raised for this patch, and also may have a use-case not mentioned yet. For the concern issue, as I understand it, the ability to call getpeercert() or the proposed getpeercertchain() is only after the TLS session has

2020-01-13 Chris Burr
Change by Chris Burr: -- nosy: +chrisburr

2020-01-10 Chris Burr
Change by Chris Burr: -- pull_requests: +17346 pull_request: https://github.com/python/cpython/pull/17938

2019-11-26 Nathaniel Smith
Nathaniel Smith added the comment: There's another important use case for this, that hasn't been discussed here. If you want to use openssl for TLS + the system trust store to verify certificates, then you need to disable openssl's certificate validation, perform the handshake, and then extra

2019-03-31 Hiroaki Kawai
Change by Hiroaki Kawai: -- nosy: +Hiroaki.Kawai

2018-09-10 chaen
chaen added the comment: There is another very valid use case which is even described by an RFC: https://www.ietf.org/rfc/rfc3820.txt And openssl supports this RFC. These proxy certificates are heavily used in the world of high energy physics computing, and having the get_peer_cert_chain e

2018-02-26 Christian Heimes
Change by Christian Heimes: -- versions: +Python 3.8 -Python 3.7

2017-09-06 Christian Heimes
Christian Heimes added the comment: Yes, from an application perspective there is an important difference between X509_STORE_CTX_get1_chain() and SSL_get0_verified_chain(). X509_STORE_CTX is a temporary object. It is only available during the handshake and while the trust chain is built and verif

2017-05-16 joernheissler
joernheissler added the comment: Hi, I'd like to see this feature too. My use case is a monitoring script to check the life time of the server certificate, including the chain. I would prefer to have a wrapper around SSL_get_peer_cert_chain. I understand that this is *not* a verified chain. Th
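The monitoring use case above, as an added example that is not part of this thread or of CPython: given the chain as a list of DER-encoded certificates, a small hand-rolled ASN.1 walker pulls notAfter out of each certificate and reports how many days remain before the first one expires. The `_enc`, `fake_cert`, `SAMPLE_CHAIN` and `CHECK_TIME` names are constructed here for the demo; the fake certificates are structurally valid but unsigned, and nothing in this code checks trust, which matches the point made in the thread that a peer-sent chain is for inspection, not verification.

```python
import datetime as dt

def _tlv(data, pos=0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give how many length bytes follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(body):
    """Split the body of a SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out

def cert_not_after(der):
    """notAfter of a DER X.509 certificate as an aware UTC datetime (no trust check is done)."""
    _, cert, _ = _tlv(der)                  # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    tbs = _children(_children(cert)[0][1])  # TBSCertificate elements
    if tbs[0][0] == 0xA0:                   # optional [0] EXPLICIT version comes first
        tbs = tbs[1:]
    tag, raw = _children(tbs[3][1])[1]      # serial, sigAlg, issuer, validity { notBefore, notAfter }
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return dt.datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)

def days_until_chain_expires(chain_der, now):
    """Days until the earliest notAfter in the chain; negative once any certificate has expired."""
    return min((cert_not_after(c) - now).days for c in chain_der)

# Constructed test data (hypothetical): structurally valid but unsigned, empty-name certificates.
def _enc(tag, body):                        # DER TLV encoder for bodies shorter than 256 bytes
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x81" + bytes([n])) + body

def fake_cert(not_after_utctime):
    validity = _enc(0x30, _enc(0x17, b"240101000000Z") + _enc(0x17, not_after_utctime))
    tbs = _enc(0x30, _enc(0xA0, _enc(0x02, b"\x02")) + _enc(0x02, b"\x01") + _enc(0x30, b"")
               + _enc(0x30, b"") + validity + _enc(0x30, b"") + _enc(0x30, b""))
    return _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))

SAMPLE_CHAIN = [fake_cert(b"250301120000Z"), fake_cert(b"260601000000Z")]  # leaf, then its issuer
CHECK_TIME = dt.datetime(2025, 1, 1, tzinfo=dt.timezone.utc)               # fixed "now" for the demo

if __name__ == "__main__":
    print("days until first expiry:", days_until_chain_expires(SAMPLE_CHAIN, CHECK_TIME))
```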

2017-05-12 Chet Nichols III
Chet Nichols III added the comment: Oh yeah, definitely not trustworthy at all. In my case, I am not processing the peer chain to actually verify trust, but I am still interested in inspecting the chain. Dangerous or not, and regardless of what almost all people should *actually* be doing, SS

2017-05-12 Dustin Oprea
Dustin Oprea added the comment: Thanks for expounding on this, Christian. Assuming your assertions are correct, this makes perfect sense. Can anyone listening close this? On May 12, 2017 17:45, "Christian Heimes" wrote: Christian Heimes added the comment: The ticket is dead for a very good r

2017-05-12 Christian Heimes
Christian Heimes added the comment: The ticket is dead for a very good reason. Past me was not clever enough and didn't know about the difference between the cert chain sent by the peer and the actual trust chain. The peer's cert chain is not trustworthy and must *only* be used to build the ac

2017-05-12 Chet Nichols III
Chet Nichols III added the comment: Is this dead at this point? Just stumbled upon it, and I'm hopeful that maybe there's still a chance, since it's still `open`. :) -- nosy: +chet

2016-11-08 Mariusz Masztalerczuk
Mariusz Masztalerczuk added the comment: ping! :) Could someone look at my changes? :)

2016-10-11 Mariusz Masztalerczuk
Mariusz Masztalerczuk added the comment: Hello :) I'm not sure why the patches created by christian.heimes are not merged into Python, but because the last patch was created in 2013, I've created a new version of this patch. What do you think about it? -- nosy: +mmasztalerczuk Added file: http:

2016-09-15 Christian Heimes
Changes by Christian Heimes: -- assignee: -> christian.heimes components: +SSL

2016-09-15 Christian Heimes
Changes by Christian Heimes: -- versions: -Python 3.6

2016-09-10 Miroslav Shubernetskiy
Changes by Miroslav Shubernetskiy: -- nosy: +miki725

2016-09-08 Christian Heimes
Changes by Christian Heimes: -- versions: +Python 3.6, Python 3.7 -Python 3.4, Python 3.5

2016-06-12 Christian Heimes
Changes by Christian Heimes: -- assignee: christian.heimes ->

2015-05-28 Dustin Oprea
Dustin Oprea added the comment: Disregard. I thought this was something else.

2015-05-28 Dustin Oprea
Dustin Oprea added the comment: Forget it. This project is dead. Dustin On May 28, 2015 11:58 AM, "Jeroen Ruigrok van der Werven" < rep...@bugs.python.org> wrote: > > Jeroen Ruigrok van der Werven added the comment: > > Given that cryptography.io is fast becoming the solution for dealing with >

2015-05-28 Jeroen Ruigrok van der Werven
Jeroen Ruigrok van der Werven added the comment: Given that cryptography.io is fast becoming the solution for dealing with X.509 certificates on Python, I would like to add my vote for this feature. Right now, getting the full chain in DER is what I am missing to complete a task

2013-12-09 Derek Wilson
Derek Wilson added the comment: I could really use this sooner than later... and sometimes having a full-featured (or even secure) interface is not what you want. Consider zmap and masscan etc and ssl mapping (similar to what the EFF did a couple years back - https://www.eff.org/observatory -

2013-11-20 Christian Heimes
Changes by Christian Heimes: -- assignee: -> christian.heimes

2013-11-17 Christian Heimes
Christian Heimes added the comment: It's just nice to have for debugging and extended verification. -- versions: +Python 3.5 -Python 3.4

2013-11-17 Antoine Pitrou
Antoine Pitrou added the comment: @Dustin > My two-cents is to leave it a tuple (why not?). Because tuples are more used for struct-like data. Here we are returning an unknown number of homogenous objects, which generally calls for a list. @Christian > I'd rather return a list or tuple of X5

2013-11-17 Christian Heimes
Christian Heimes added the comment: I'd rather return a list or tuple of X509 objects but #18369 won't be ready for 3.4. Ideas?

2013-10-11 Dustin Oprea
Dustin Oprea added the comment: My two-cents is to leave it a tuple (why not?). Dustin

2013-10-11 Antoine Pitrou
Antoine Pitrou added the comment: Sorry for the incorrect answer. I just noticed there was a test in the patch! Further looking at it, I notice the new function is returning a tuple. Wouldn't it be better to return a list here?

2013-10-10 Antoine Pitrou
Antoine Pitrou added the comment: The patch needs a test, a proper doc, and reviewing. -- nosy: +pitrou

2013-10-10 Dustin Oprea
Dustin Oprea added the comment: I was about to submit a feature request to add exactly this. The [second] patch works like a charm. When are you going to land on a particular resolution so that it can get committed in? Dustin -- nosy: +dsoprea

2013-08-24 Donald Stufft
Changes by Donald Stufft: -- nosy: +dstufft

2013-07-20 Christian Heimes
Christian Heimes added the comment: From Rietveld review: --- http://bugs.python.org/review/18233/diff/8422/Modules/_ssl.c#newcode1203 Modules/_ssl.c:1203: chain = X509_STORE_CTX_get1_chain(store_ctx); This isn't appropriate for this method. Specifically, you are asking for the peer cert chain,

2013-07-20 Derek Wilson
Changes by Derek Wilson: -- nosy: +Derek.Wilson

2013-07-05 Michele Orrù
Changes by Michele Orrù: -- nosy: +maker

2013-06-19 Jesús Cea Avión
Changes by Jesús Cea Avión: -- nosy: +jcea

2013-06-17 Christian Heimes
Christian Heimes added the comment: As expected it is much harder to get the full certification chain from OpenSSL than I initially expected. SSL_get_peer_cert_chain() doesn't return the root CA's certificate. The new patch introduces a validation mode and uses X509_verify_cert(*X509_STORE_CTX

2013-06-17 Antoine Pitrou
Changes by Antoine Pitrou: -- dependencies: +SSL: diagnostic functions to list loaded CA certs

2013-06-16 Christian Heimes
New submission from Christian Heimes: The patch implements a method getpeercertchain() on a SSLSocket. It returns the peer's certificate chain from the leaf cert to the root cert if available. It wraps SSL_get_peer_cert_chain(). SSL_get_peer_cert_chain() doesn't have to pull any additional dat