Getting certificate chain with Python 3.3 SSL module

by

Thanks to the contributing answer by Aleksi, I found a bug/feature request that already requested this very thing: http://bugs.python.org/issue18233. Though the changes haven’t been finalized, yet, they do have a patch that makes this available:

This is the test code which I’ve stolen from some forgotten source and reassembled:

import socket

from ssl import wrap_socket, CERT_NONE, PROTOCOL_SSLv23
from ssl import SSLContext, SSLError  # Modern SSL?
from ssl import HAS_SNI  # Has SNI?

from pprint import pprint

def ssl_wrap_socket(sock, keyfile=None, certfile=None, cert_reqs=None,
                    ca_certs=None, server_hostname=None,
                    ssl_version=None):
    context = SSLContext(ssl_version)
    context.verify_mode = cert_reqs

    if ca_certs:
        try:
            context.load_verify_locations(ca_certs)
        # Py32 raises IOError
        # Py33 raises FileNotFoundError
        except Exception as e:  # Reraise as SSLError
            raise SSLError(e)

    if certfile:
        # FIXME: This block needs a test.
        context.load_cert_chain(certfile, keyfile)

    if HAS_SNI:  # Platform-specific: OpenSSL with enabled SNI
        return (context, context.wrap_socket(sock, server_hostname=server_hostname))

    return (context, context.wrap_socket(sock))

hostname="www.google.com"
print("Hostname: %s" % (hostname))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((hostname, 443))

(context, ssl_socket) = ssl_wrap_socket(s,
                                       ssl_version=2, 
                                       cert_reqs=2, 
                                       ca_certs="/usr/local/lib/python3.3/dist-packages/requests/cacert.pem", 
                                       server_hostname=hostname)

pprint(ssl_socket.getpeercertchain())

s.close()

Output:

Hostname: www.google.com
({'issuer': ((('countryName', 'US'),),
             (('organizationName', 'Google Inc'),),
             (('commonName', 'Google Internet Authority G2'),)),
  'notAfter': 'Sep 11 11:04:38 2014 GMT',
  'notBefore': 'Sep 11 11:04:38 2013 GMT',
  'serialNumber': '50C71E48BCC50676',
  'subject': ((('countryName', 'US'),),
              (('stateOrProvinceName', 'California'),),
              (('localityName', 'Mountain View'),),
              (('organizationName', 'Google Inc'),),
              (('commonName', 'www.google.com'),)),
  'subjectAltName': (('DNS', 'www.google.com'),),
  'version': 3},
 {'issuer': ((('countryName', 'US'),),
             (('organizationName', 'GeoTrust Inc.'),),
             (('commonName', 'GeoTrust Global CA'),)),
  'notAfter': 'Apr  4 15:15:55 2015 GMT',
  'notBefore': 'Apr  5 15:15:55 2013 GMT',
  'serialNumber': '023A69',
  'subject': ((('countryName', 'US'),),
              (('organizationName', 'Google Inc'),),
              (('commonName', 'Google Internet Authority G2'),)),
  'version': 3},
 {'issuer': ((('countryName', 'US'),),
             (('organizationName', 'Equifax'),),
             (('organizationalUnitName',
               'Equifax Secure Certificate Authority'),)),
  'notAfter': 'Aug 21 04:00:00 2018 GMT',
  'notBefore': 'May 21 04:00:00 2002 GMT',
  'serialNumber': '12BBE6',
  'subject': ((('countryName', 'US'),),
              (('organizationName', 'GeoTrust Inc.'),),
              (('commonName', 'GeoTrust Global CA'),)),
  'version': 3},
 {'issuer': ((('countryName', 'US'),),
             (('organizationName', 'Equifax'),),
             (('organizationalUnitName',
               'Equifax Secure Certificate Authority'),)),
  'notAfter': 'Aug 22 16:41:51 2018 GMT',
  'notBefore': 'Aug 22 16:41:51 1998 GMT',
  'serialNumber': '35DEF4CF',
  'subject': ((('countryName', 'US'),),
              (('organizationName', 'Equifax'),),
              (('organizationalUnitName',
                'Equifax Secure Certificate Authority'),)),
  'version': 3})

More Related Contents:

  1. Not able to install Python packages [SSL: TLSV1_ALERT_PROTOCOL_VERSION]
  2. Python referencing old SSL version
  3. Why is dictionary ordering non-deterministic?
  4. How to decrypt OpenSSL AES-encrypted files in Python?
  5. How to make program go back to the top of the code instead of closing [duplicate]
  6. Import arbitrary python source file. (Python 3.3+)
  7. Building Python with SSL support in non-standard location
  8. SyntaxError: multiple statements found while compiling a single statement
  9. certificate verify failed: unable to get local issuer certificate
  10. Python and OpenSSL version reference issue on OS X
  11. Python requests SSL error – certificate verify failed
  12. “SSL: certificate_verify_failed” error when scraping https://www.thenewboston.com/
  13. Python AttributeError: ‘module’ object has no attribute ‘SSL_ST_INIT’
  14. ImportError: cannot import name HTTPSHandler using PIP
  15. Python Requests getting SSLerror
  16. Meaning of end=” in the statement print(“\t”,end=”)? [duplicate]
  17. SSL error with Python requests despite up-to-date dependencies
  18. Python Requests with wincertstore
  19. pip install fail with SSL certificate verify failed (_ssl.c:833)
  20. What does “SSLError: [SSL] PEM lib (_ssl.c:2532)” mean using the Python ssl library?
  21. Return in generator together with yield
  22. How do I compile Python 3.4 with custom OpenSSL?
  23. How to enable FIPS mode for libcrypto and libssl packaged with Python?
  24. “ERROR:root:code for hash md5 was not found” when using any hg mercurial commands
  25. Building Python 3.7.1 – SSL module failed
  26. openssl, python requests error: “certificate verify failed”
  27. SSL error unsafe legacy renegotiation disabled
  28. Can’t use chrome driver for Selenium
  29. SSLError: sslv3 alert handshake failure
  30. How to compile python3 on RHEL with SSL? SSL cannot be imported

Leave a Comment