subject:"\[issue31892\] ssl.get_server_certificate should allow specifying certificate \/ key type"

[issue31892] ssl.get_server_certificate should allow specifying certificate / key type

2022-03-15 Thread Hanno Boeck



Hanno Boeck  added the comment:

Any update? :-)

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue31892] ssl.get_server_certificate should allow specifying certificate / key type

2018-02-26 Thread Christian Heimes


Change by Christian Heimes :


--
assignee: christian.heimes -> 
stage:  -> needs patch
versions: +Python 3.8 -Python 2.7, Python 3.6, Python 3.7

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue31892] ssl.get_server_certificate should allow specifying certificate / key type

2017-11-02 Thread Christian Heimes


Christian Heimes  added the comment:

Matt suggested to use 
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_sigalgs.html The 
SSL_CTX_set1_sigalgs_list() function takes a string of colon-separated 
algorithms, e.g. "ECDSA+SHA256:RSA+SHA256" for ECDSA and PKCS#1 v1.5 RSA with 
both SHA256 as hashing algorithm.

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue31892] ssl.get_server_certificate should allow specifying certificate / key type

2017-11-02 Thread Christian Heimes


Christian Heimes  added the comment:

Example implementation of get_server_certificate() with cert type: 
https://gist.github.com/tiran/6e7a5b00483376e164c951730db7d4e5

TLS 1.3 has a signature_algorithms extension that allows a client to have even 
more control over the selected certificate and signature algorithms. It defines 
authentication algorithm (RSA, ECDSA, EdDSA), signature scheme (PKCS#1 v1.5 or 
PKCS#1 v2.1 aka RSA-PSS for RSA, curve for ECDSA), and hashing algorithm 
(SHA-1, SHA-2 256/384/512). 
https://tools.ietf.org/html/draft-ietf-tls-tls13-21#section-4.2.3

I've contacted openssl maintainers and asked them for advice: 
https://mta.openssl.org/pipermail/openssl-users/2017-November/006834.html

--

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue31892] ssl.get_server_certificate should allow specifying certificate / key type

2017-11-01 Thread Christian Heimes


Christian Heimes  added the comment:

Thanks for your feature request, Hanno.

It's fairly easy to implement with current API for TLS protocols up to TLS 1.2, 
e.g. cipher suite "DEFAULT:!aRSA:!aDSS" or "aECDSA:!NULL" for ECDSA certs.

However TLS 1.3 cipher suites no longer specify authentication and KE/KX 
algorithms, e.g. TLS13-AES-256-GCM-SHA384. I have to find a way to force 
OpenSSL's state machine to establish a connection with a specific 
authentication algorithm.

Memo to me: TLS 1.3 also has EdDSA.

--
nosy: +alex, dstufft, janssen
versions: +Python 2.7, Python 3.6, Python 3.7

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue31892] ssl.get_server_certificate should allow specifying certificate / key type

2017-10-29 Thread Hanno Boeck


New submission from Hanno Boeck :

The function ssl.get_server_certificate() from the ssl module is supposed to 
allow fetching the certificate of a TLS server.

However in its current form it provides no way to specify a key type. Many 
popular hosts (e.g. facebook, google) support both ECDSA and RSA these days, 
depending on the cipher suites one uses to try to connect to them.

If one wants to fetch the RSA certificate of e.g. facbeook this is not possible 
with the current python ssl module, as it will always output the ECDSA 
certificate. One can create a connection with an SSLContext that has only RSA 
ciphers set, but it's not possible to get the certificate out of an SSLContext. 
And the get_server_certificate function provides neither a way to bind it to a 
context nor a way to specify ciphers or key types.

I think there should be an optional parameter to get_server_certificate that 
allows asking for a specific key type.

--
assignee: christian.heimes
components: SSL
messages: 305182
nosy: christian.heimes, hanno
priority: normal
severity: normal
status: open
title: ssl.get_server_certificate should allow specifying certificate / key type
type: enhancement

___
Python tracker 

___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue31892] ssl.get_server_certificate should allow specifying certificate / key type

[issue31892] ssl.get_server_certificate should allow specifying certificate / key type

[issue31892] ssl.get_server_certificate should allow specifying certificate / key type

[issue31892] ssl.get_server_certificate should allow specifying certificate / key type

[issue31892] ssl.get_server_certificate should allow specifying certificate / key type

[issue31892] ssl.get_server_certificate should allow specifying certificate / key type

6 matches

Site Navigation

Mail list logo

Footer information