[PATCH 1 of 1 RFC] url: debug print ssl certificate info if verify failed
Gilles Moris
gilles.moris at free.fr
Sun Jan 9 13:40:00 CST 2011

On Sunday 09 January 2011 08:16:35 pm Yuya Nishihara wrote:
> > I would prefer a function getservercert(addr) instead, that just
> > returns _decodecert(pem)
>
> It could be. But you may want the raw PEM-encoded certificate which
> ssl.get_server_certificate() returns.

If we want to detect a self-signed certificate, we also need the decoded
certificate to compare the subject and issuer.

There are other alternatives to get the issuer:
- the SSL socket object contains a hidden _sslobj.issuer(). But this is a
raw undecoded version of the issuer, and this is also an undocumented method.
- we could use the openssl binary to decode the PEM, but although chances are
high that openssl is installed on Linux, this is not the case for Windows.

So your decoding method is the best one even if undocumented.

Regards.
Gilles.
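
Added example, not part of the original message or of the Mercurial patch under discussion: one way to compare subject and issuer without an undocumented decoder or the openssl binary is to walk the certificate's DER structure and compare the two Name fields as raw bytes. The function names (`read_tlv`, `issuer_and_subject`, `is_self_issued`) and the sample builder are assumptions made for this sketch, and the sample inputs are constructed skeletons rather than real certificates.

```python
import ssl

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def issuer_and_subject(der):
    """Return the raw DER encodings of the issuer and subject Names."""
    _, cert_start, _ = read_tlv(der, 0)        # Certificate ::= SEQUENCE
    _, pos, end = read_tlv(der, cert_start)    # TBSCertificate ::= SEQUENCE
    fields = []
    while pos < end:
        tag, _, value_end = read_tlv(der, pos)
        fields.append((tag, der[pos:value_end]))
        pos = value_end
    if fields and fields[0][0] == 0xA0:        # optional [0] version
        fields.pop(0)
    if len(fields) < 5:
        raise ValueError("not an X.509 TBSCertificate")
    # Remaining order: serialNumber, signature, issuer, validity, subject, ...
    return fields[2][1], fields[4][1]

def is_self_issued(pem):
    """True when the issuer and subject Names are byte-for-byte identical."""
    issuer, subject = issuer_and_subject(ssl.PEM_cert_to_DER_cert(pem))
    return issuer == subject

# Constructed sample input: certificate-shaped skeletons, not real certificates.
def tlv(tag, *parts):
    body = b"".join(parts)
    size = bytes([len(body)]) if len(body) < 0x80 else bytes([0x81, len(body)])
    return bytes([tag]) + size + body
def name(cn):
    oid_cn = b"\x06\x03\x55\x04\x03"           # OID 2.5.4.3 (commonName)
    return tlv(0x30, tlv(0x31, tlv(0x30, oid_cn, tlv(0x0C, cn.encode()))))
def sample_pem(issuer_cn, subject_cn):
    tbs = tlv(0x30, tlv(0xA0, b"\x02\x01\x02"), b"\x02\x01\x01", tlv(0x30),
              name(issuer_cn), tlv(0x30), name(subject_cn))
    return ssl.DER_cert_to_PEM_cert(tlv(0x30, tbs, tlv(0x30), tlv(0x03, b"\x00")))

if __name__ == "__main__":
    for issuer_cn in ("example.test", "Constructed CA"):
        print(issuer_cn, is_self_issued(sample_pem(issuer_cn, "example.test")))
```

Matching names only show that the certificate is self-issued; confirming that it is self-signed also requires verifying its signature with its own public key. The byte-for-byte comparison is stricter than the name-matching rules of RFC 5280, so two Names that differ only in string encoding compare as different here.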