[PATCH 1 of 1 RFC] url: debug print ssl certificate info if verify failed

Gilles Moris gilles.moris at free.fr
Sun Jan 9 13:40:00 CST 2011


On Sunday 09 January 2011 08:16:35 pm Yuya Nishihara wrote:
> > I would prefer a function getservercert(addr) instead, that just
> >  return _decodecert(pem)
>
> It could be. But you may want raw PEM-encoded certificate which
> ssl.get_server_certificate() returns.

If we want to detect a self-signed certificate, we also need the decoded 
certificate to compare the subject and issuer.

There are other alternatives to get the issuer:
- the SSL socket object contains a hidden _sslobj.issuer(). But this is a 
raw, undecoded version of the issuer, and it is also an undocumented method.
- we could use the openssl binary to decode the PEM, but while there is a high chance 
that openssl is installed on Linux, this is not the case for Windows.

So your decoding method is the best one even if undocumented.

Regards.
Gilles.
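An added example (not code from this thread or from Mercurial) of the self-signed check discussed above: the raw PEM that ssl.get_server_certificate() returns is decoded with CPython's undocumented ssl._ssl._test_decode_cert(), which only accepts a file path, and the subject is compared against the issuer. The helper names and the sample certificate dicts are constructed for this example.

```python
import os
import ssl
import tempfile

# Assumption: both ssl.getpeercert() and the private _test_decode_cert()
# return distinguished names as a tuple of RDNs, each RDN a tuple of
# (attribute, value) pairs, e.g. ((('countryName', 'FR'),), (('commonName', 'x'),)).

def _dn_to_dict(dn):
    """Flatten a nested-tuple DN into a plain {attribute: value} dict."""
    out = {}
    for rdn in dn:
        for key, value in rdn:
            out[key] = value
    return out

def is_self_signed(certdict):
    """True when subject and issuer DNs are identical.

    Note that a trusted root CA certificate also matches here, so this
    only flags 'self-issued'; it does not by itself mean 'untrusted'."""
    subject = _dn_to_dict(certdict.get('subject', ()))
    issuer = _dn_to_dict(certdict.get('issuer', ()))
    return subject == issuer

def decode_pem(pem):
    """Decode a PEM string via CPython's undocumented _test_decode_cert().

    The private function takes a filename, so the PEM is written to a
    temporary file that is removed afterwards. This is an assumption
    about a private API; it may change between Python versions."""
    fd, path = tempfile.mkstemp(suffix='.pem')
    try:
        with os.fdopen(fd, 'w') as f:
            f.write(pem)
        return ssl._ssl._test_decode_cert(path)
    finally:
        os.unlink(path)

def check_server(host, port=443):
    """Fetch the server's raw PEM and report (decoded cert, self-signed flag)."""
    cert = decode_pem(ssl.get_server_certificate((host, port)))
    return cert, is_self_signed(cert)

# Constructed sample dicts in the getpeercert() layout (no network needed).
SELF_SIGNED = {
    'subject': ((('countryName', 'FR'),), (('commonName', 'hg.example.test'),)),
    'issuer': ((('countryName', 'FR'),), (('commonName', 'hg.example.test'),)),
}
CA_SIGNED = {
    'subject': ((('commonName', 'hg.example.test'),),),
    'issuer': ((('organizationName', 'Example CA'),), (('commonName', 'Example Root'),)),
}
```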
