Update the getpeercert() example with a real-world cert showing non-trivial issuer, subject and subjectAltName.

Antoine Pitrou 2012-08-16 22:18:37 +02:00
commit d9a7e70939
1 changed file with 31 additions and 15 deletions


@ -576,23 +576,39 @@ SSL sockets also have the following additional methods and attributes:
If the parameter ``binary_form`` is :const:`False`, and a certificate was If the parameter ``binary_form`` is :const:`False`, and a certificate was
received from the peer, this method returns a :class:`dict` instance. If the received from the peer, this method returns a :class:`dict` instance. If the
certificate was not validated, the dict is empty. If the certificate was certificate was not validated, the dict is empty. If the certificate was
validated, it returns a dict with the keys ``subject`` (the principal for validated, it returns a dict with several keys, amongst them ``subject``
which the certificate was issued), and ``notAfter`` (the time after which the (the principal for which the certificate was issued) and ``issuer``
certificate should not be trusted). If a certificate contains an instance (the principal issuing the certificate). If a certificate contains an
of the *Subject Alternative Name* extension (see :rfc:`3280`), there will instance of the *Subject Alternative Name* extension (see :rfc:`3280`),
also be a ``subjectAltName`` key in the dictionary. there will also be a ``subjectAltName`` key in the dictionary.
The "subject" field is a tuple containing the sequence of relative The ``subject`` and ``issuer`` fields are tuples containing the sequence
distinguished names (RDNs) given in the certificate's data structure for the of relative distinguished names (RDNs) given in the certificate's data
principal, and each RDN is a sequence of name-value pairs:: structure for the respective fields, and each RDN is a sequence of
name-value pairs. Here is a real-world example::
{'notAfter': 'Feb 16 16:54:50 2013 GMT', {'issuer': ((('countryName', 'IL'),),
'subject': ((('countryName', 'US'),), (('organizationName', 'StartCom Ltd.'),),
(('stateOrProvinceName', 'Delaware'),), (('organizationalUnitName',
(('localityName', 'Wilmington'),), 'Secure Digital Certificate Signing'),),
(('organizationName', 'Python Software Foundation'),), (('commonName',
(('organizationalUnitName', 'SSL'),), 'StartCom Class 2 Primary Intermediate Server CA'),)),
(('commonName', 'somemachine.python.org'),))} 'notAfter': 'Nov 22 08:15:19 2013 GMT',
'notBefore': 'Nov 21 03:09:52 2011 GMT',
'serialNumber': '95F0',
'subject': ((('description', '571208-SLe257oHY9fVQ07Z'),),
(('countryName', 'US'),),
(('stateOrProvinceName', 'California'),),
(('localityName', 'San Francisco'),),
(('organizationName', 'Electronic Frontier Foundation, Inc.'),),
(('commonName', '*.eff.org'),),
(('emailAddress', 'hostmaster@eff.org'),)),
'subjectAltName': (('DNS', '*.eff.org'), ('DNS', 'eff.org')),
'version': 3}
.. note::
To validate a certificate for a particular service, you can use the
:func:`match_hostname` function.
If the ``binary_form`` parameter is :const:`True`, and a certificate was If the ``binary_form`` parameter is :const:`True`, and a certificate was
provided, this method returns the DER-encoded form of the entire certificate provided, this method returns the DER-encoded form of the entire certificate