<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head><body lang="EN-GB" link="blue" vlink="purple"><div class="WordSection1">
<p class="MsoNormal" style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:36.0pt">
<span style="font-size:11.0pt;mso-fareast-language:EN-US">Hi all,<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;mso-fareast-language:EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;mso-fareast-language:EN-US">First time posting here so please be gentle ;-)<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;mso-fareast-language:EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;mso-fareast-language:EN-US">TL;DR: After a failed handshake, caused by our peer’s certificate failing verification, what is the correct way to get hold of the peer’s certificate?<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;mso-fareast-language:EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;mso-fareast-language:EN-US">A little more detail:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;mso-fareast-language:EN-US">I’d like my server applications to be able to log some details about the client’s certificate after a failed handshake, such as CN, SAN, not-valid-before,
 and not-valid-after values.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;mso-fareast-language:EN-US">So, after a failed handshake, I thought I should be able to call SSL_get_peer_certificate(); however, I’m using python (:-) bear with me…) where in the guts
 of SSLSocket.getpeercert() the call to SSL_get_peer_certificate() isn’t even attempted if SSL_is_init_finished() is false.[1]<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;mso-fareast-language:EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;mso-fareast-language:EN-US">Is SSL_is_init_finished() too severe a check in this case, and SSL_get_peer_certificate() would actually work fine?
<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;mso-fareast-language:EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;mso-fareast-language:EN-US">More detail, in case it is relevant:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;mso-fareast-language:EN-US">We have an internal CA, and both the server and client have certificates signed by this CA, and both trust the CA’s certificate.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;mso-fareast-language:EN-US">The SSLContexts on both sides have:<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;mso-fareast-language:EN-US">  * verify flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;mso-fareast-language:EN-US">  * certificate store verify flags = X509_V_FLAG_TRUSTED_FIRST | X509_V_FLAG_X509_STRICT<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;mso-fareast-language:EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;mso-fareast-language:EN-US">Any help would be greatly appreciated.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;mso-fareast-language:EN-US"> <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;mso-fareast-language:EN-US">Best wishes,<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;mso-fareast-language:EN-US">Steven.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;mso-fareast-language:EN-US">  <o:p></o:p></span></p>
<p class="MsoNormal" style="margin-left:36.0pt"><span style="font-size:11.0pt;mso-fareast-language:EN-US">[1]
<a href="https://github.com/python/cpython/blob/3.7/Modules/_ssl.c#L1813">
https://github.com/python/cpython/blob/3.7/Modules/_ssl.c#L1813</a><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:36.0pt">
You'll have better luck getting the peer certificate *during* the handshake, not after.<br>
Read e.g. <a href="https://stackoverflow.com/questions/9089957/validating-client-certificates-in-pyopenssl">
https://stackoverflow.com/questions/9089957/validating-client-certificates-in-pyopenssl</a> on how to set up a verify callback function using PyOpenSSL.<br>
<br>
HTH,<br>
<br>
JJK<o:p></o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt;color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt;color:#1F497D">Thanks for the pointer! Python’s standard ssl module doesn’t expose that callback (yet), and I’d rather not switch everything to PyOpenSSL, but I’ll see what I can
 do.<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt;color:#1F497D">Cheers,<o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:11.0pt;color:#1F497D">Steven.<o:p></o:p></span></p>
</div>
</body></html>