path: root/Doc/library/ssl.rst
author: Antoine Pitrou <solipsis@pitrou.net> 2012-08-16 20:18:37 (GMT)
committer: Antoine Pitrou <solipsis@pitrou.net> 2012-08-16 20:18:37 (GMT)
commit: d9a7e70939b0e0b904b5602d53bb07f5a371e2a2 (patch)
tree: 27cffc5300162cf6613249af7e94e77822efbe3c /Doc/library/ssl.rst
parent: 943c5b31b64cb56a99216b54ac9dcf7226ec9a81 (diff)
parent: b7c6c8105eb9c21ac256fa95b2813c1f812091d7 (diff)
Update the getpeercert() example with a real-world cert showing non-trivial issuer, subject and subjectAltName.
Diffstat (limited to 'Doc/library/ssl.rst'):
-rw-r--r-- Doc/library/ssl.rst | 50
1 file changed, 33 insertions, 17 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index e08c2b9..77196e1 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -576,23 +576,39 @@ SSL sockets also have the following additional methods and attributes:
If the parameter ``binary_form`` is :const:`False`, and a certificate was
received from the peer, this method returns a :class:`dict` instance. If the
certificate was not validated, the dict is empty. If the certificate was
- validated, it returns a dict with the keys ``subject`` (the principal for
- which the certificate was issued), and ``notAfter`` (the time after which the
- certificate should not be trusted). If a certificate contains an instance
- of the *Subject Alternative Name* extension (see :rfc:`3280`), there will
- also be a ``subjectAltName`` key in the dictionary.
-
- The "subject" field is a tuple containing the sequence of relative
- distinguished names (RDNs) given in the certificate's data structure for the
- principal, and each RDN is a sequence of name-value pairs::
-
- {'notAfter': 'Feb 16 16:54:50 2013 GMT',
- 'subject': ((('countryName', 'US'),),
- (('stateOrProvinceName', 'Delaware'),),
- (('localityName', 'Wilmington'),),
- (('organizationName', 'Python Software Foundation'),),
- (('organizationalUnitName', 'SSL'),),
- (('commonName', 'somemachine.python.org'),))}
+ validated, it returns a dict with several keys, amongst them ``subject``
+ (the principal for which the certificate was issued) and ``issuer``
+ (the principal issuing the certificate). If a certificate contains an
+ instance of the *Subject Alternative Name* extension (see :rfc:`3280`),
+ there will also be a ``subjectAltName`` key in the dictionary.
+
+ The ``subject`` and ``issuer`` fields are tuples containing the sequence
+ of relative distinguished names (RDNs) given in the certificate's data
+ structure for the respective fields, and each RDN is a sequence of
+ name-value pairs. Here is a real-world example::
+
+ {'issuer': ((('countryName', 'IL'),),
+ (('organizationName', 'StartCom Ltd.'),),
+ (('organizationalUnitName',
+ 'Secure Digital Certificate Signing'),),
+ (('commonName',
+ 'StartCom Class 2 Primary Intermediate Server CA'),)),
+ 'notAfter': 'Nov 22 08:15:19 2013 GMT',
+ 'notBefore': 'Nov 21 03:09:52 2011 GMT',
+ 'serialNumber': '95F0',
+ 'subject': ((('description', '571208-SLe257oHY9fVQ07Z'),),
+ (('countryName', 'US'),),
+ (('stateOrProvinceName', 'California'),),
+ (('localityName', 'San Francisco'),),
+ (('organizationName', 'Electronic Frontier Foundation, Inc.'),),
+ (('commonName', '*.eff.org'),),
+ (('emailAddress', 'hostmaster@eff.org'),)),
+ 'subjectAltName': (('DNS', '*.eff.org'), ('DNS', 'eff.org')),
+ 'version': 3}
+
+ .. note::
+ To validate a certificate for a particular service, you can use the
+ :func:`match_hostname` function.
If the ``binary_form`` parameter is :const:`True`, and a certificate was
provided, this method returns the DER-encoded form of the entire certificate
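Review bot: the ``.. note::`` added at the end of the hunk overstates what :func:`match_hostname` does. It only compares a hostname against the ``subjectAltName`` (falling back to ``commonName``) entries of an already-received certificate dict; it does not validate the certificate or its chain, and the text two paragraphs up says the dict is empty unless the certificate was validated, so a reader could take the note to mean that calling ``match_hostname`` is sufficient. Suggest rewording to something like "To check that a validated certificate matches the hostname of the service you connected to, use the :func:`match_hostname` function on the returned dict", and stating alongside that validation itself depends on the socket having been created with a ``cert_reqs`` of ``CERT_REQUIRED`` (or ``CERT_OPTIONAL``). Two smaller points: the hunk adds ``issuer``, ``notBefore``, ``serialNumber`` and ``version`` to the documented dict without a ``.. versionchanged::`` directive recording when those keys appeared, and the ``:rfc:`3280``` reference kept in the new text has been obsoleted by RFC 5280, which is the better target for the *Subject Alternative Name* description.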