Message245853

| Field | Value |
|---|---|
| Author | christian.heimes |
| Recipients | christian.heimes, docs@python, messa |
| Date | 2015-06-26.13:29:40 |
| SpamBayes Score | -1.0 |
| Marked as misclassified | Yes |
| Message-id | <1435325380.68.0.467720873084.issue24516@psf.upfronthosting.co.za> |
| In-reply-to | |

Content
Python uses serverAuth and clientAuth with the exact same meaning as EKU (extended key usage). In order to create an X.509 cert for a web server, it should have EKU "SSL/TLS Web Server Authentication". On the other hand, a client must validate the cert for a specific purpose, too. So the client creates a context with purpose SERVER_AUTH. This loads only trust anchors which are flagged with EKU "SSL/TLS Web Server Authentication".

For a TLS/SSL server it is the other way around. The server side uses a context with CLIENT_AUTH to load only root certs that can validate client certs. Other purposes aren't supported because Python's ssl supports neither S/MIME nor code signing.

https://docs.python.org/2/library/ssl.html#ssl.SSLContext.load_default_certs explains the purpose flags, too.
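The purpose flags described in the message above, shown as an added example that is not part of the original message or of the Python documentation. It runs on Python 3; the role names, the helper functions and the `client_ca_file` parameter are assumptions made for illustration.

```python
import ssl

# Which ssl.Purpose each side passes: it names the EKU that the *peer's*
# certificate must be valid for, not the role of the caller.
PEER_PURPOSE = {
    "client": ssl.Purpose.SERVER_AUTH,  # a client validates server certs
    "server": ssl.Purpose.CLIENT_AUTH,  # a server validates client certs
}


def peer_eku(role):
    """Return (short name, OID) of the EKU this role checks on its peer."""
    purpose = PEER_PURPOSE[role]
    return purpose.shortname, purpose.oid


def make_context(role, require_client_cert=False, client_ca_file=None):
    """Build a default context for the role 'client' or 'server'.

    client_ca_file is a hypothetical path to a private CA bundle that
    issues client certificates; without it the default trust store is used.
    """
    purpose = PEER_PURPOSE[role]
    ctx = ssl.create_default_context(purpose)
    if role == "server" and require_client_cert:
        # CLIENT_AUTH alone does not request a client certificate; opt in.
        ctx.verify_mode = ssl.CERT_REQUIRED
        if client_ca_file:
            ctx.load_verify_locations(cafile=client_ca_file)
        else:
            ctx.load_default_certs(purpose)
    # A real server must also call ctx.load_cert_chain(certfile, keyfile).
    return ctx


def summarize(ctx):
    """Report the two settings that decide whether the peer is verified."""
    return {"verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname}


if __name__ == "__main__":
    for role in ("client", "server"):
        print(role, peer_eku(role), summarize(make_context(role)))
    print("server+mTLS",
          summarize(make_context("server", require_client_cert=True)))
```

A context created with `CLIENT_AUTH` leaves `verify_mode` at `CERT_NONE`, so a server that expects client certificates has to set `CERT_REQUIRED` itself, as `make_context` does.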
History

| Date | User | Action | Args |
|---|---|---|---|
| 2015-06-26 13:29:40 | christian.heimes | set | recipients: + christian.heimes, docs@python, messa |
| 2015-06-26 13:29:40 | christian.heimes | set | messageid: <1435325380.68.0.467720873084.issue24516@psf.upfronthosting.co.za> |
| 2015-06-26 13:29:40 | christian.heimes | link | issue24516 messages |
| 2015-06-26 13:29:40 | christian.heimes | create | |