author: Antoine Pitrou <solipsis@pitrou.net> 2013-04-16 18:28:15 (GMT)
committer: Antoine Pitrou <solipsis@pitrou.net> 2013-04-16 18:28:15 (GMT)
commit: 9b42128e2c347e7de893ec6a8ead490dc3d348d6
tree: a5fa4db6c55dd086abf4d45779993efdc5ae2760 /Doc
parent: 99c56e8f58814e7469e55bdb515ed4d0834a6363
parent: d34941ad4e35d1b7243367524407d4a5fa8c7fe1
Issue #17739: fix the description of SSLSocket.getpeercert(binary_form=True) for server sockets.
Thanks to David D Lowe for reporting.
Diffstat (limited to 'Doc')
-rw-r--r-- Doc/library/ssl.rst 16
1 files changed, 11 insertions, 5 deletions
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 9ddaf46..2f8b9a2 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -621,7 +621,7 @@ SSL sockets also have the following additional methods and attributes:
If there is no certificate for the peer on the other end of the connection,
returns ``None``.
- If the parameter ``binary_form`` is :const:`False`, and a certificate was
+ If the ``binary_form`` parameter is :const:`False`, and a certificate was
received from the peer, this method returns a :class:`dict` instance. If the
certificate was not validated, the dict is empty. If the certificate was
validated, it returns a dict with several keys, amongst them ``subject``
@@ -661,10 +661,16 @@ SSL sockets also have the following additional methods and attributes:
If the ``binary_form`` parameter is :const:`True`, and a certificate was
provided, this method returns the DER-encoded form of the entire certificate
as a sequence of bytes, or :const:`None` if the peer did not provide a
- certificate. This return value is independent of validation; if validation
- was required (:const:`CERT_OPTIONAL` or :const:`CERT_REQUIRED`), it will have
- been validated, but if :const:`CERT_NONE` was used to establish the
- connection, the certificate, if present, will not have been validated.
+ certificate. Whether the peer provides a certificate depends on the SSL
+ socket's role:
+
+ * for a client SSL socket, the server will always provide a certificate,
+ regardless of whether validation was required;
+
+ * for a server SSL socket, the client will only provide a certificate
+ when requested by the server; therefore :meth:`getpeercert` will return
+ :const:`None` if you used :const:`CERT_NONE` (rather than
+ :const:`CERT_OPTIONAL` or :const:`CERT_REQUIRED`).
.. versionchanged:: 3.2
The returned dictionary includes additional items such as ``issuer``
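Review bot: The replacement text in the ``binary_form=True`` paragraph drops the removed statement that the return value is independent of validation, so the reader is no longer told that with :const:`CERT_NONE` the DER bytes are returned without having been validated. The client bullet says the server provides a certificate "regardless of whether validation was required" but does not say what that means for the caller. Suggest keeping one sentence from the removed lines after the list, for example "if :const:`CERT_NONE` was used to establish the connection, the certificate, if present, will not have been validated", so that the returned bytes are not read as proof of the peer's identity.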