Skip to content

bpo-18233: Add internal methods to access peer chain (GH-25467)#25467

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
tiran merged 1 commit into from
Apr 26, 2021
Merged

bpo-18233: Add internal methods to access peer chain (GH-25467) #25467

tiran merged 1 commit into from
Apr 26, 2021

Conversation

@tiran
Copy link
Member

@tirantiran commented Apr 18, 2021
edited
Loading

The internal _ssl._SSLSocket object now provides methods to retrieve
the peer cert chain and verified cert chain as a list of Certificate
objects. Certificate objects have methods to convert the cert to a dict,
PEM, or DER (ASN.1).

These are private APIs for now. There is a slim chance to stabilize the
approach and provide a public API for 3.10. Otherwise I'll provide a
stable API in 3.11.

Signed-off-by: Christian Heimes [email protected]

  • write tests for server side socket
  • fix unverified cert getter to return full chain.

https://bugs.python.org/issue18233

@tirantiranforce-pushed the bpo-18233-internal-chain branch 2 times, most recently from 3e7e4ba to 7a6c053CompareApril 24, 2021 05:53
@tiran
bpo-18233: Add internal methods to access peer chain
b687814
The internal `_ssl._SSLSocket` object now provides methods to retrieve the peer cert chain and verified cert chain as a list of Certificate objects. Certificate objects have methods to convert the cert to a dict, PEM, or DER (ASN.1). These are private APIs for now. There is a slim chance to stabilize the approach and provide a public API for 3.10. Otherwise I'll provide a stable API in 3.11. Signed-off-by: Christian Heimes <[email protected]>
@tirantiranforce-pushed the bpo-18233-internal-chain branch from 7a6c053 to b687814CompareApril 24, 2021 05:54
@bedevere-bot
Copy link

bedevere-bot commented Apr 24, 2021

🤖 New build scheduled with the buildbot fleet by @tiran for commit b687814 🤖

If you want to schedule another build, you need to add the ":hammer: test-with-buildbots" label again.

@tirantiran added the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Apr 24, 2021
@bedevere-botbedevere-bot removed the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Apr 24, 2021
@tirantiran marked this pull request as ready for review April 24, 2021 05:59
@tiran
Copy link
MemberAuthor

tiran commented Apr 26, 2021

refleak failures are cause by test_asyncio timeouts.

@tirantiran changed the title bpo-18233: Add internal methods to access peer chainbpo-18233: Add internal methods to access peer chain (GH-25467)Apr 26, 2021
@tirantiran merged commit 666991f into python:masterApr 26, 2021
@tirantiran deleted the bpo-18233-internal-chain branch April 26, 2021 13:01
This was referenced Sep 30, 2021
Open
Closed
sethmlarson added a commit to elastic/elastic-transport-python that referenced this pull request Oct 1, 2021
@sethmlarson
Add experimental support for pinning chain certificates
ff37321
`SSLObject.get_verified_chain()` and `Certificate.public_bytes()` are private APIs in CPython 3.10. They're not documented anywhere yet but seem to work and we need them for Security on by Default. See: python/cpython#25467
@tirantiran mentioned this pull request Nov 15, 2022
Open
@felixfonteinfelixfontein mentioned this pull request Feb 3, 2023
Closed
Sign up for freeto join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@tiran@bedevere-bot@the-knights-who-say-ni