[issue18293] ssl.wrap_socket (cert_reqs=...), getpeercert, and unvalidated certificates

2018-02-25 Thread Christian Heimes
Christian Heimes added the comment: BPO #31372 and #18369 provide the necessary bits and pieces for your request. I didn't have enough time to finish both in time for 3.7 feature freeze. Hostname verification improvements and TLS 1.3 were more important. I'm closing this

[issue18293] ssl.wrap_socket (cert_reqs=...), getpeercert, and unvalidated certificates

2016-09-15 Thread Christian Heimes
Changes by Christian Heimes: -- assignee: -> christian.heimes components: +SSL versions: +Python 3.7 -Python 3.5

[issue18293] ssl.wrap_socket (cert_reqs=...), getpeercert, and unvalidated certificates

2016-06-12 Thread Christian Heimes
Changes by Christian Heimes: -- assignee: christian.heimes ->

[issue18293] ssl.wrap_socket (cert_reqs=...), getpeercert, and unvalidated certificates

2016-04-01 Thread Sascha Silbe
Sascha Silbe added the comment: Has there been any progress on this? For my application I'd very much like "ssh-like" operation, using the public key itself as identifier rather than requiring some kind of automated CA setup. Being able to set a custom verification callback would be great,

[issue18293] ssl.wrap_socket (cert_reqs=...), getpeercert, and unvalidated certificates

2013-11-20 Thread Christian Heimes
Changes by Christian Heimes li...@cheimes.de: -- assignee: -> christian.heimes ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue18293 ___

[issue18293] ssl.wrap_socket (cert_reqs=...), getpeercert, and unvalidated certificates

2013-11-17 Thread Christian Heimes
Christian Heimes added the comment: I may address the issue in my PEP for Python 3.5. Python 3.4 beta 1 will be released next week and no new features are allowed in beta and RC phase. -- versions: +Python 3.5 -Python 3.4

[issue18293] ssl.wrap_socket (cert_reqs=...), getpeercert, and unvalidated certificates

2013-08-14 Thread Jesús Cea Avión
Changes by Jesús Cea Avión j...@jcea.es: -- nosy: +jcea

[issue18293] ssl.wrap_socket (cert_reqs=...), getpeercert, and unvalidated certificates

2013-07-23 Thread Antoine Pitrou
Antoine Pitrou added the comment: getpeercert() has a crappy API to begin with, but we can't change its behaviour for fear of breaking existing code (and, even, breaking it security-wise). Adding a parameter would make the API even more awful. Which is why I support Christian's idea of

[issue18293] ssl.wrap_socket (cert_reqs=...), getpeercert, and unvalidated certificates

2013-07-22 Thread Derek Wilson
Derek Wilson added the comment: Custom cert validation may make sense in edge cases, so this looks interesting. But I got here looking to file a bug on the returning empty dict from SSLContext.getpeercert - I don't feel like that makes sense. It's not like a peer cert doesn't exist just

[issue18293] ssl.wrap_socket (cert_reqs=...), getpeercert, and unvalidated certificates

2013-06-25 Thread R. David Murray
Changes by R. David Murray rdmur...@bitdance.com: -- nosy: +r.david.murray

[issue18293] ssl.wrap_socket (cert_reqs=...), getpeercert, and unvalidated certificates

2013-06-25 Thread Christian Heimes
Christian Heimes added the comment: Thanks for the pointer about being able to get the server's DER certificate. That will be useful. Is there some reason to return DER but not PEM? Or is this perhaps a bug that could be fixed in a future version of Python's ssl module? It doesn't

[issue18293] ssl.wrap_socket (cert_reqs=...), getpeercert, and unvalidated certificates

2013-06-25 Thread mpb
mpb added the comment: Christian wrote: sslsocket gives you access to the peer's cert and chain (with #18233). Very interesting (and useful). I've mostly been working with Python 2.7, and I had not fully noticed that Python 3.2+ has a ssl.SSLContext class. I'd rather not implement a full

[issue18293] ssl.wrap_socket (cert_reqs=...), getpeercert, and unvalidated certificates

2013-06-24 Thread mpb
New submission from mpb: At present (Python 2.7.[45] and 3.3.[12]), the cert_reqs parameter of ssl.wrap_socket can be one of: ssl.CERT_NONE ssl.CERT_OPTIONAL ssl.CERT_REQUIRED I would find the following additional modes to be useful: ssl.CERT_OPTIONAL_NO_VERIFY ssl.CERT_REQUIRED_NO_VERIFY In

[issue18293] ssl.wrap_socket (cert_reqs=...), getpeercert, and unvalidated certificates

2013-06-24 Thread mpb
mpb added the comment: (Oops, I changed the title when I meant to do a search. Changing it back now.) -- title: ssl sni -> ssl.wrap_socket (cert_reqs=...), getpeercert, and unvalidated certificates

[issue18293] ssl.wrap_socket (cert_reqs=...), getpeercert, and unvalidated certificates

2013-06-24 Thread Antoine Pitrou
Changes by Antoine Pitrou pit...@free.fr: -- nosy: +christian.heimes

[issue18293] ssl.wrap_socket (cert_reqs=...), getpeercert, and unvalidated certificates

2013-06-24 Thread Christian Heimes
Christian Heimes added the comment: I'm setting the version to 3.4 as this is a feature request. 2.7 and 3.3 are in feature freeze mode. OpenSSL doesn't support our idea out of the box. OpenSSL either verifies the peer's certificate and chain or doesn't verify the peer's certificate and

[issue18293] ssl.wrap_socket (cert_reqs=...), getpeercert, and unvalidated certificates

2013-06-24 Thread mpb
mpb added the comment: Hi Christian, thanks for the prompt response. Sorry about choosing the wrong versions - I wasn't thinking that enhancements should target future versions, but of course that makes sense. After submitting the enhancement request, I did dig into the OpenSSL docs, and, as

[issue18293] ssl.wrap_socket (cert_reqs=...), getpeercert, and unvalidated certificates

2013-06-24 Thread mpb
mpb added the comment: Oh, I see. getpeercert (binary_form) is not DER vs. PEM, it is DER vs. dict.