If you only want to get the CN or other certificate details, regardless of whether certificate validation succeeds, you must disable validation. Unfortunately, sock.getpeercert() by design returns only an empty dictionary when certificate validation has been disabled. That is why you have to use sock.getpeercert(True) to get the binary (DER) representation of the certificate and extract the CN from it with OpenSSL.crypto:
import socket
import ssl
import OpenSSL.crypto as crypto

dst = ('cds.ca', 443)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(dst)

# upgrade the socket to SSL without checking the certificate
# !!!! don't transfer any sensitive data over this socket !!!!
ctx = ssl.create_default_context()
ctx.check_hostname = False
ctx.verify_mode = ssl.CERT_NONE
s = ctx.wrap_socket(s, server_hostname=dst[0])

# get certificate (binary DER form, available even with verification disabled)
cert_bin = s.getpeercert(True)
x509 = crypto.load_certificate(crypto.FILETYPE_ASN1, cert_bin)
print("CN=" + x509.get_subject().CN)
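The answer above relies on pyOpenSSL to decode the DER bytes that getpeercert(True) hands back. As an added example (not part of the original answer, and not the cds.ca server's or pyOpenSSL's code), the block below shows what those bytes actually contain by walking the DER structure with the standard library only: Certificate -> tbsCertificate -> subject Name -> RDN -> AttributeTypeAndValue with the commonName OID 2.5.4.3, and likewise for the issuer. The function names (peer_cert_der_unverified, subject_cn_from_der, issuer_cn_from_der, build_sample_cert_der) are my own, and the certificate it parses is constructed in memory so the example runs offline; the network helper mirrors the answer's unverified connection and, as the answer says, is for inspecting the certificate only, never for carrying data.

```python
import socket
import ssl

CN_OID = b'\x55\x04\x03'  # DER encoding of commonName OID 2.5.4.3


def peer_cert_der_unverified(host, port=443, timeout=5.0):
    """Fetch the peer's DER certificate without validating it (inspection only).

    Same approach as the answer: verification is disabled, so the dict form of
    getpeercert() would be empty, but the binary form is still available.
    Nothing should be sent over this socket; it is closed right after the handshake.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(True)


def _read_tlv(buf, pos):
    """Read one DER tag/length/value starting at pos; returns (tag, value, next_pos).

    Assumes single-byte tags, which holds for the X.509 fields walked here.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], 'big')
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Split the content of a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        out.append((tag, val))
    return out


def _cn_from_name(name_body):
    # Name ::= SEQUENCE OF RelativeDistinguishedName (SET) OF AttributeTypeAndValue (SEQUENCE)
    for _rdn_tag, rdn_body in _children(name_body):
        for _atv_tag, atv_body in _children(rdn_body):
            (oid_tag, oid), (_val_tag, value) = _children(atv_body)
            if oid_tag == 0x06 and oid == CN_OID:
                return value.decode('utf-8')   # UTF8String / PrintableString both decode as UTF-8
    return None


def _tbs_fields(cert_der):
    cert_tag, cert_body, _ = _read_tlv(cert_der, 0)
    if cert_tag != 0x30:
        raise ValueError('not a DER SEQUENCE (expected a Certificate)')
    _tbs_tag, tbs_body = _children(cert_body)[0]        # tbsCertificate is the first child
    fields = _children(tbs_body)
    # version [0] EXPLICIT is optional (absent in v1 certs); the issuer/subject index shifts by one
    offset = 1 if fields[0][0] == 0xA0 else 0
    return fields, offset


def subject_cn_from_der(cert_der):
    fields, offset = _tbs_fields(cert_der)
    return _cn_from_name(fields[4 + offset][1])


def issuer_cn_from_der(cert_der):
    fields, offset = _tbs_fields(cert_der)
    return _cn_from_name(fields[2 + offset][1])


# --- constructed sample certificate (not a real, signed certificate) -----------------
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, 'big')
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _name(cn):
    atv = _tlv(0x30, _tlv(0x06, CN_OID) + _tlv(0x0C, cn.encode('utf-8')))
    return _tlv(0x30, _tlv(0x31, atv))


def build_sample_cert_der(subject_cn, issuer_cn='Constructed Test CA', v3=True):
    """Build a minimal certificate-shaped DER blob for offline testing (constructed data)."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, b'\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b') + _tlv(0x05, b''))
    tbs = (_tlv(0xA0, _tlv(0x02, b'\x02')) if v3 else b'')      # version v3 (optional)
    tbs += _tlv(0x02, b'\x01')                                     # serialNumber 1
    tbs += sha256_rsa                                              # signature AlgorithmIdentifier
    tbs += _name(issuer_cn)                                        # issuer
    tbs += _tlv(0x30, _tlv(0x17, b'240101000000Z') + _tlv(0x17, b'250101000000Z'))  # validity
    tbs += _name(subject_cn)                                       # subject
    tbs += _tlv(0x30, b'')                                         # subjectPublicKeyInfo placeholder
    return _tlv(0x30, _tlv(0x30, tbs) + sha256_rsa + _tlv(0x03, b'\x00'))


if __name__ == '__main__':
    der = build_sample_cert_der('example.test')
    print('CN=' + subject_cn_from_der(der), 'issuer CN=' + issuer_cn_from_der(der))
    # To inspect a live server instead (inspection only):  der = peer_cert_der_unverified('cds.ca')
```

The walker returns None when the subject has no commonName at all, which modern certificates are allowed to do (the hostname then lives only in subjectAltName), so callers should not assume a CN is always present.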


