[PATCH 1 of 1 RFC] url: debug print ssl certificate info if verify failed

Yuya Nishihara yuya at tcha.org
Mon Jan 10 07:57:50 CST 2011


Gilles Moris wrote:
> On Sunday 09 January 2011 08:16:35 pm Yuya Nishihara wrote:
> > > I would prefer a function getservercert(addr) instead, that just
> > >  return _decodecert(pem)
> >
> > It could be. But you may want raw PEM-encoded certificate which
> > ssl.get_server_certificate() returns.
> 
> If we want to detect self-signed certificate, we need also the decoded 
> certificate to compare the subject and issuer.

IMHO, you may possibly need a PEM-encoded certificate to do something,
so I think a separate call of ssl.get_server_certificate() is better than
an all-in-one getservercert(addr) => dict.

Also Mads suggested another approach before:
http://thread.gmane.org/gmane.comp.version-control.mercurial.devel/37382/focus=37412

> There are other alternatives to get the issuer:
> - the SSL socket object contains a hidden _sslobj.issuer(). But this is a 
> raw undecoded version of the issuer, and this is also an undocumented method.
> - we could use openssl binary to decode the PEM, but if we have high chances 
> that openssl is installed on Linux, this is not the case for Windows.
> 
> So your decoding method is the best one even if undocumented.

Yuya,
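The check the thread is circling around (fetch the peer certificate after verification failed, decode it, and compare issuer with subject to spot a self-signed certificate) can be done without the undocumented `_sslobj.issuer()` or an external `openssl` binary. The example below is added here and is not Mercurial's code or any participant's patch: it uses the documented `ssl.get_server_certificate()` and `ssl.PEM_cert_to_DER_cert()` for the live path, and a small DER walker to pull the raw `issuer` and `subject` Name encodings out of the TBSCertificate. Comparing the raw DER of both names is the strict form of the subject/issuer comparison. The `make_cert()` helper is a constructed, unsigned certificate skeleton used only so the check can be exercised offline; `_tlv`, `_name`, `issuer_and_subject`, `is_self_signed` and `check_server` are hypothetical names chosen for this example.

```python
"""Self-signed detection by comparing the DER-encoded issuer and subject Names.

Added example, not Mercurial's code. Parses just enough DER to reach the
issuer and subject fields of an X.509 certificate; everything else is left
opaque so the parser stays small and has no dependency beyond the stdlib.
"""
import ssl


def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _children(buf, start, end):
    """Yield (tag, raw_tlv_bytes) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, _, vend, nxt = _read_tlv(buf, pos)
        yield tag, buf[pos:vend]
        pos = nxt


def issuer_and_subject(der):
    """Return (issuer_der, subject_der) from a DER-encoded X.509 certificate."""
    tag, cstart, _, _ = _read_tlv(der, 0)           # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, tstart, tend, _ = _read_tlv(der, cstart)   # tbsCertificate ::= SEQUENCE
    assert tag == 0x30, "tbsCertificate is not a SEQUENCE"
    fields = list(_children(der, tstart, tend))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # Remaining order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[2][1], fields[4][1]


def is_self_signed(der):
    """Self-signed certificates carry identical issuer and subject Names."""
    issuer, subject = issuer_and_subject(der)
    return issuer == subject


def check_server(addr):
    """Fetch the peer's certificate without verification (as on a verify failure) and classify it."""
    pem = ssl.get_server_certificate(addr)          # documented; returns PEM text
    return is_self_signed(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed sample input (not a real certificate, never signed) -------------

def _tlv(tag, value):
    """Minimal DER encoder supporting short and long length forms."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _name(cn):
    """Name ::= SEQUENCE OF RelativeDistinguishedName, here a single commonName."""
    oid_cn = bytes.fromhex("550403")                # 2.5.4.3 commonName
    atv = _tlv(0x30, _tlv(0x06, oid_cn) + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def make_cert(issuer_cn, subject_cn):
    """Build a structurally valid but unsigned certificate skeleton (constructed sample)."""
    oid_sha256rsa = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
    alg = _tlv(0x30, _tlv(0x06, oid_sha256rsa) + _tlv(0x05, b""))
    dummy_bits = _tlv(0x03, b"\x00" * 17)                 # placeholder BIT STRING
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))              # version v3
               + _tlv(0x02, b"\x01")                        # serialNumber
               + alg
               + _name(issuer_cn)
               + _tlv(0x30, _tlv(0x17, b"200101000000Z") + _tlv(0x17, b"300101000000Z"))
               + _name(subject_cn)
               + _tlv(0x30, alg + dummy_bits))              # subjectPublicKeyInfo
    return _tlv(0x30, tbs + alg + dummy_bits)


if __name__ == "__main__":
    print("root self-signed:", is_self_signed(make_cert("Example Root", "Example Root")))
    print("leaf self-signed:", is_self_signed(make_cert("Example Root", "Example Leaf")))
```

`check_server()` is the only part that touches the network; it deliberately performs no verification because the point of this path is to describe a certificate that already failed verification, so its result should feed a diagnostic message, not an accept/reject decision.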
