如果您仅想获取CN或其他证书详细信息,那么无论证书验证成功与否,都必须禁用验证。不幸的是sock.getpeercert()
,设计简单的遗嘱只有在禁用证书验证后才返回空字典。这就是为什么必须使用它sock.getpeercert(True)
来获取证书的二进制表示并使用OpenSSL.crypto从中提取CN的原因:
import socket
import ssl
import OpenSSL.crypto as crypto
dst = ('cds.ca',443)
s = socket.socket(socket.AF_INET, socket.soCK_STREAM)
s.connect(dst)
# upgrade the socket to SSL without checking the certificate
# !!!! don't transfer any sensitive data over this socket !!!!
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
s = ctx.wrap_socket(s, server_hostname=dst[0])
# get certificate
cert_bin = s.getpeercert(True)
x509 = crypto.load_certificate(crypto.FILETYPE_ASN1,cert_bin)
print("CN=" + x509.get_subject().CN)