bpo-18233: Add internal methods to access peer chain (GH-25467) #25467

Merged 1 commit on Apr 26, 2021


@tiran tiran commented Apr 18, 2021

The internal _ssl._SSLSocket object now provides methods to retrieve
the peer cert chain and verified cert chain as a list of Certificate
objects. Certificate objects have methods to convert the cert to a dict,
PEM, or DER (ASN.1).

These are private APIs for now. There is a slim chance to stabilize the
approach and provide a public API for 3.10. Otherwise I'll provide a
stable API in 3.11.

Signed-off-by: Christian Heimes [email protected]

  • write tests for server side socket
  • fix unverified cert getter to return full chain.

https://bugs.python.org/issue18233

@tiran tiran force-pushed the bpo-18233-internal-chain branch 2 times, most recently from 3e7e4ba to 7a6c053 Compare April 24, 2021 05:53
@tiran tiran force-pushed the bpo-18233-internal-chain branch from 7a6c053 to b687814 Compare April 24, 2021 05:54
@bedevere-bot

🤖 New build scheduled with the buildbot fleet by @tiran for commit b687814 🤖

If you want to schedule another build, you need to add the ":hammer: test-with-buildbots" label again.

@tiran tiran added the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Apr 24, 2021
@bedevere-bot bedevere-bot removed the 🔨 test-with-buildbots Test PR w/ buildbots; report in status section label Apr 24, 2021
@tiran tiran marked this pull request as ready for review April 24, 2021 05:59
@tiran

tiran commented Apr 26, 2021

Refleak failures are caused by test_asyncio timeouts.

@tiran tiran changed the title bpo-18233: Add internal methods to access peer chain bpo-18233: Add internal methods to access peer chain (GH-25467) Apr 26, 2021
@tiran tiran merged commit 666991f into python:master Apr 26, 2021
@tiran tiran deleted the bpo-18233-internal-chain branch April 26, 2021 13:01
sethmlarson added a commit to elastic/elastic-transport-python that referenced this pull request Oct 1, 2021
`SSLObject.get_verified_chain()` and `Certificate.public_bytes()` are private APIs in CPython 3.10.
They're not documented anywhere yet but seem to work and we need them for Security on by Default.
See: python/cpython#25467
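
As an added example (not code from this pull request or from elastic-transport-python), the following shows how a caller could use the verified chain for SHA-256 fingerprint pinning. It assumes the private `get_verified_chain()` and `public_bytes()` methods named above, reached through `sock._sslobj`, and also accepts the public `SSLSocket.get_verified_chain()` of Python 3.13+; the helper names and the stub objects in `demo()` are constructed for illustration.

```python
import hashlib
import hmac
from types import SimpleNamespace

import _ssl  # private CPython module

# DER selector for Certificate.public_bytes(); 2 is OpenSSL's X509_FILETYPE_ASN1.
ENCODING_DER = getattr(_ssl, "ENCODING_DER", 2)


def verified_chain_der(sock):
    """Return the verified peer chain of a connected TLS socket as DER bytes."""
    getter = getattr(sock, "get_verified_chain", None)  # public method, Python 3.13+
    if getter is None:
        # Private API added by this PR, reached through the wrapped _ssl._SSLSocket.
        getter = sock._sslobj.get_verified_chain
    chain = getter() or []  # no chain available -> empty list
    return [c if isinstance(c, bytes) else c.public_bytes(ENCODING_DER) for c in chain]


def chain_matches_pin(sock, pinned_sha256_hex):
    """True if any certificate in the verified chain has the pinned fingerprint."""
    pin = bytes.fromhex(pinned_sha256_hex.replace(":", ""))
    if len(pin) != hashlib.sha256().digest_size:
        raise ValueError("pin must be a SHA-256 fingerprint (32 bytes)")
    matched = False
    for der in verified_chain_der(sock):
        # Constant-time comparison; an empty chain leaves matched False (fail closed).
        matched |= hmac.compare_digest(hashlib.sha256(der).digest(), pin)
    return matched


def demo():
    # Constructed stand-ins for Certificate objects and an SSLSocket; the byte
    # strings are placeholders, not real certificates.
    certs = [SimpleNamespace(public_bytes=lambda enc, d=d: d)
             for d in (b"leaf-der", b"ca-der")]
    sock = SimpleNamespace(_sslobj=SimpleNamespace(get_verified_chain=lambda: certs))
    ca_pin = hashlib.sha256(b"ca-der").hexdigest()
    return chain_matches_pin(sock, ca_pin), chain_matches_pin(sock, "00" * 32)
```

With a real connection, pass the socket returned by `SSLContext.wrap_socket()` after the handshake; the chain is only populated when certificate verification is enabled on the context.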