author | Antoine Pitrou <solipsis@pitrou.net> | 2012-08-16 20:18:37 (GMT) |
---|---|---|
committer | Antoine Pitrou <solipsis@pitrou.net> | 2012-08-16 20:18:37 (GMT) |
commit | d9a7e70939b0e0b904b5602d53bb07f5a371e2a2 (patch) | |
tree | 27cffc5300162cf6613249af7e94e77822efbe3c /Doc/library | |
parent | 943c5b31b64cb56a99216b54ac9dcf7226ec9a81 (diff) | |
parent | b7c6c8105eb9c21ac256fa95b2813c1f812091d7 (diff) | |
Update the getpeercert() example with a real-world cert showing non-trivial issuer, subject and subjectAltName.
Diffstat (limited to 'Doc/library')
-rw-r--r-- | Doc/library/ssl.rst | 50 |
1 files changed, 33 insertions, 17 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst index e08c2b9..77196e1 100644 --- a/Doc/library/ssl.rst +++ b/Doc/library/ssl.rst 
@@ -576,23 +576,39 @@ SSL sockets also have the following additional methods and attributes: If the parameter ``binary_form`` is :const:`False`, and a certificate was received from the peer, this method returns a :class:`dict` instance. If the certificate was not validated, the dict is empty. If the certificate was - validated, it returns a dict with the keys ``subject`` (the principal for - which the certificate was issued), and ``notAfter`` (the time after which the - certificate should not be trusted). If a certificate contains an instance - of the *Subject Alternative Name* extension (see :rfc:`3280`), there will - also be a ``subjectAltName`` key in the dictionary. - - The "subject" field is a tuple containing the sequence of relative - distinguished names (RDNs) given in the certificate's data structure for the - principal, and each RDN is a sequence of name-value pairs:: - - {'notAfter': 'Feb 16 16:54:50 2013 GMT', - 'subject': ((('countryName', 'US'),), - (('stateOrProvinceName', 'Delaware'),), - (('localityName', 'Wilmington'),), - (('organizationName', 'Python Software Foundation'),), - (('organizationalUnitName', 'SSL'),), - (('commonName', 'somemachine.python.org'),))} + validated, it returns a dict with several keys, amongst them ``subject`` + (the principal for which the certificate was issued) and ``issuer`` + (the principal issuing the certificate). If a certificate contains an + instance of the *Subject Alternative Name* extension (see :rfc:`3280`), + there will also be a ``subjectAltName`` key in the dictionary. + + The ``subject`` and ``issuer`` fields are tuples containing the sequence + of relative distinguished names (RDNs) given in the certificate's data + structure for the respective fields, and each RDN is a sequence of + name-value pairs. 
Here is a real-world example:: + + {'issuer': ((('countryName', 'IL'),), + (('organizationName', 'StartCom Ltd.'),), + (('organizationalUnitName', + 'Secure Digital Certificate Signing'),), + (('commonName', + 'StartCom Class 2 Primary Intermediate Server CA'),)), + 'notAfter': 'Nov 22 08:15:19 2013 GMT', + 'notBefore': 'Nov 21 03:09:52 2011 GMT', + 'serialNumber': '95F0', + 'subject': ((('description', '571208-SLe257oHY9fVQ07Z'),), + (('countryName', 'US'),), + (('stateOrProvinceName', 'California'),), + (('localityName', 'San Francisco'),), + (('organizationName', 'Electronic Frontier Foundation, Inc.'),), + (('commonName', '*.eff.org'),), + (('emailAddress', 'hostmaster@eff.org'),)), + 'subjectAltName': (('DNS', '*.eff.org'), ('DNS', 'eff.org')), + 'version': 3} + + .. note:: + To validate a certificate for a particular service, you can use the + :func:`match_hostname` function. If the ``binary_form`` parameter is :const:`True`, and a certificate was provided, this method returns the DER-encoded form of the entire certificate |
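Review bot: the rewritten paragraph drops the explanation of ``notAfter`` ("the time after which the certificate should not be trusted") that the removed lines carried, yet the new example shows ``notAfter`` together with ``notBefore``, ``serialNumber`` and ``version``, none of which the prose now describes. Since the text says the dict has "several keys, amongst them ``subject`` ... and ``issuer``", consider restoring a sentence such as "``notBefore`` and ``notAfter`` give the validity period of the certificate; ``serialNumber`` and ``version`` are taken from the certificate as well", so a reader knows which keys they may rely on beyond the two that are named. In the added ``.. note::``, "To validate a certificate for a particular service" reads as if :func:`match_hostname` performed certificate validation; the surrounding text already distinguishes validation (an empty dict when the certificate was not validated) from hostname matching, so wording like "To check that a validated certificate matches a particular service's hostname, use :func:`match_hostname`" would avoid suggesting that the hostname check alone is sufficient. Minor: the example's ``subjectAltName`` entries are exactly what :func:`match_hostname` consults, which makes it a good illustration; it may be worth saying so in the note.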