[openssl-users] Get peer certificate after handshake failure

Steven Winfield Steven.Winfield at cantabcapital.com
Thu Jan 17 17:39:39 UTC 2019

Hi all,

First time posting here so please be gentle ;-)

TL;DR: After a failed handshake, caused by our peer’s certificate failing verification, what is the correct way to get hold of the peer’s certificate?

A little more detail:
I’d like my server applications to be able to log some details about the client’s certificate after a failed handshake, such as CN, SAN, not-valid-before, and not-valid-after values.
So, after a failed handshake, I thought I should be able to call SSL_get_peer_certificate(), however I’m using python (:-) bear with me…) where in the guts of SSLSocket.getpeercert() the call to SSL_get_peer_certificate() isn’t even attempted if SSL_is_init_finished() is false.[1]

Is SSL_is_init_finished() too severe a check in this case, and SSL_get_peer_certificate() would actually work fine?

More detail, in case it is relevant:
We have an internal CA, and both the server and client have certificates signed by this CA, and both trust the CA’s certificate.
The SSLContexts on both sides have:
  * certificate store verify flags = X509_V_FLAG_TRUSTED_FIRST | X509_V_FLAG_X509_STRICT

Any help would be greatly appreciated.

Best wishes,

[1] https://github.com/python/cpython/blob/3.7/Modules/_ssl.c#L1813

You'll have better luck getting the peer certificate *during* the handshake, not after.
Read e.g. https://stackoverflow.com/questions/9089957/validating-client-certificates-in-pyopenssl on how to set up a verify callback function using PyOpenSSL.
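The verify-callback approach the reply points at, written out here as an added example (not code from either post): a pyOpenSSL callback that records the client certificate's CN, SANs and validity dates while the chain is being checked, so they are available for logging even when the handshake then fails. The logger name, the PeerCertRecorder class and make_server_context are this example's own assumptions.

```python
import logging
from datetime import datetime

log = logging.getLogger("tls.peer")

def _asn1_time(value):
    # pyOpenSSL hands back ASN.1 GeneralizedTime as bytes, e.g. b"20190117173939Z"
    return datetime.strptime(value.decode("ascii"), "%Y%m%d%H%M%SZ")

def describe_cert(cert):
    """Pull the fields the poster wants to log out of a pyOpenSSL X509 object."""
    sans = []
    for i in range(cert.get_extension_count()):
        ext = cert.get_extension(i)
        if ext.get_short_name() == b"subjectAltName":
            # str() of the extension renders "DNS:a.example, IP Address:10.0.0.5"
            sans = [s.strip() for s in str(ext).split(",")]
    return {"cn": cert.get_subject().CN, "san": sans,
            "not_before": _asn1_time(cert.get_notBefore()),
            "not_after": _asn1_time(cert.get_notAfter())}

class PeerCertRecorder:
    """Verify callback keeping the peer's leaf certificate and the first error.
    OpenSSL calls it once per chain element, root first; the peer's own cert is
    the one at depth 0, and it is still shown when it is the element that fails.
    If an issuer fails first, returning its verdict stops the walk before depth 0."""

    def __init__(self):
        self.leaf = None    # details of the peer's certificate, if one was seen
        self.error = None   # first X509_V_ERR_* code, or None if the chain verified

    def __call__(self, conn, cert, errnum, depth, ok):
        if depth == 0:
            self.leaf = describe_cert(cert)
        if not ok and self.error is None:
            self.error = errnum
            log.warning("peer cert rejected at depth %d, X509 error %d: %s",
                        depth, errnum, describe_cert(cert))
        # Return OpenSSL's verdict unchanged: this callback observes, never overrides.
        return bool(ok)

def make_server_context(cert_file, key_file, ca_file, recorder):
    """pyOpenSSL server context that requires a client cert and records it."""
    from OpenSSL import SSL  # lazy, so the helpers above work without pyOpenSSL installed
    ctx = SSL.Context(SSL.TLS_SERVER_METHOD)  # pyOpenSSL >= 21; older: SSL.SSLv23_METHOD
    ctx.use_certificate_file(cert_file)
    ctx.use_privatekey_file(key_file)
    ctx.load_verify_locations(ca_file)
    ctx.set_verify(SSL.VERIFY_PEER | SSL.VERIFY_FAIL_IF_NO_PEER_CERT, recorder)
    return ctx
```

After `SSL.Connection(ctx, sock).do_handshake()` raises, `recorder.leaf` and `recorder.error` hold what the application wants to log.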
Thanks for the pointer! Python’s standard ssl module doesn’t expose that callback (yet), and I’d rather not switch everything to PyOpenSSL, but I’ll see what I can do.
