[issue31892] ssl.get_server_certificate should allow specifying certificate / key type

Hanno Boeck added the comment: Any update? :-) -- ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe:

[issue31892] ssl.get_server_certificate should allow specifying certificate / key type

Change by Christian Heimes : -- assignee: christian.heimes -> stage: -> needs patch versions: +Python 3.8 -Python 2.7, Python 3.6, Python 3.7 ___ Python tracker

[issue31892] ssl.get_server_certificate should allow specifying certificate / key type

Christian Heimes added the comment: Matt suggested to use https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_sigalgs.html The SSL_CTX_set1_sigalgs_list() function takes a string of colon-separated algorithms, e.g. "ECDSA+SHA256:RSA+SHA256" for ECDSA and PKCS#1 v1.5

[issue31892] ssl.get_server_certificate should allow specifying certificate / key type

Christian Heimes added the comment: Example implementation of get_server_certificate() with cert type: https://gist.github.com/tiran/6e7a5b00483376e164c951730db7d4e5 TLS 1.3 has a signature_algorithms extension that allows a client to have even more control over the

[issue31892] ssl.get_server_certificate should allow specifying certificate / key type

Christian Heimes added the comment: Thanks for your feature request, Hanno. It's fairly easy to implement with current API for TLS protocols up to TLS 1.2, e.g. cipher suite "DEFAULT:!aRSA:!aDSS" or "aECDSA:!NULL" for ECDSA certs. However TLS 1.3 cipher suites no longer

[issue31892] ssl.get_server_certificate should allow specifying certificate / key type

New submission from Hanno Boeck : The function ssl.get_server_certificate() from the ssl module is supposed to allow fetching the certificate of a TLS server. However in its current form it provides no way to specify a key type. Many popular hosts (e.g. facebook, google)