In my experiments with the relatively new class SSLObject from the ssl module I've noticed the following behavior(s) which I think can be described as bugs.

The getpeercert() method raises a ValueError exception "handshake not done" even after the handshake has successfully completed. If, however, I call the do_handshake() method *after* the handshake completes, then getpeercert() correctly runs and returns the peer's certificate. So now let's focus on do_handshake(). This method is basically undocumented, which I thought was ok because what it does should be obvious. It does seem to initiate a handshake if it's the first method call after the SSLObject is created. If called afterward, it doesn't outwardly appear to do anything, but as mentioned previously it does magically make the getpeercert() method start working.

Hi Grek,

can you provide a script to reproduce the problem, please?

Christian,

I will gladly do so a little later today. Thanks for your quick response.

--greg

On Fri, Jan 20, 2017 at 7:29 AM, Christian Heimes <report@bugs.python.org>
wrote:

>
> Christian Heimes added the comment:
>
> Hi Grek,
>
> can you provide a script to reproduce the problem, please?
>
> ----------
>
> _______________________________________
> Python tracker <report@bugs.python.org>
> <http://bugs.python.org/issue29334>
> _______________________________________
>

adding script the illustrates the bug.

Oddly, I expected to run into this with my code using SSLObject in trio [1], but if I connect to python.org:443 and then 'await trio_ssl_stream.do_handshake(); trio_ssl_stream.getpeercert()' it works just fine ... even though when I run the sslbugs.py script I get the same weird results Greg reports. As far as I can tell the logic is identical. So I guess this might potentially be useful to narrow this down :-).

Test code that works:

@trio.run
async def main():
    import trio
    sock = trio.socket.socket()
    addr = await sock.resolve_remote_address(("python.org", 443))
    await sock.connect(addr)
    s = trio.SocketStream(sock)
    client = trio.ssl.SSLStream(
        s, trio.ssl.create_default_context(), server_hostname="python.org")
    await client.do_handshake()
    print(client.getpeercert())

[1] Currently in https://github.com/python-trio/trio/pull/107, eventually will be at https://github.com/python-trio/trio/blob/master/trio/ssl.py

The issue with getpeercert() is a side-effect of your issue #30141. The peer certificate is cached in do_handshake.

New changeset 66dc33b6822be93f85d84d24d3f9159ff568fbbb by Christian Heimes in branch 'master':
bpo-29334: Fix ssl.getpeercert for auto-handshake (#1769)
https://github.com/python/cpython/commit/66dc33b6822be93f85d84d24d3f9159ff568fbbb

Also needs backport to 2.7 for #22559

Is anything holding this up for merging into 3.6 and/or 3.5?

New changeset 63b3f2b19cc96801c3b8619e4cf8aa9028e7a33c by Christian Heimes in branch '3.6':
[3.6] bpo-29334: Fix ssl.getpeercert for auto-handshake (GH-1769) (#1778)
https://github.com/python/cpython/commit/63b3f2b19cc96801c3b8619e4cf8aa9028e7a33c

The fix hasn't been ported to 2.7 yet.

The fix hasn't been ported to 2.7 yet.

Backport to 2.7 is no longer relevant, so I think this issue can be closed.

messages: + msg312886
versions: - Python 3.5, Python 3.6, Python 3.7

messages: + msg285922