Feature request: add functionality to retrieve the server certificate in a client request #2816

Open
obeleh opened this issue Mar 8, 2018 · 8 comments · May be fixed by #7181

@obeleh

obeleh commented Mar 8, 2018

Rationale

This request is related to this SO Question where I asked whether or not it is possible to get the peer certificate when running a client request.

It is quite logical that the implemented hack is not going to be supported. I do, however, have use-cases in which it is required to retrieve the peer certificate. And I was hoping to work together to find a clean solution.

In protocols like Kerberos and NTLM the server certificate is used in followup steps of the authentication protocol.

A possible solution

If there is a better solution, that would be great as well. Just trying to offer something workable.

An extra parameter like retrieve_peer_certificate to the method aiohttp.Client._request, which is default False and would make sure that a property like peer_certificate would be set in the response object. It would be possible to internally use a _get_transport that would return the SSLSocket if the connection is SSL/TLS, on which you would be able to call getpeercert.

@hubo1016
Contributor

Maybe adding a getpeercert() method is enough.

@asvetlov
Member

Unfortunately no.

  1. Peer cert can be retrieved in two forms: binary and dict.
  2. Peer name could be of interest in case of rotating DNS.
  3. The cipher used and other SSL options, like selected ALPN/NPN protocols, are also very important in some cases.

@hubo1016
Contributor

@asvetlov Maybe we can expose the underlying socket (SSLSocket) object from a specified interface? They can be useful in many ways.

@blark

blark commented May 28, 2019

This feature would be very useful!

@asvetlov
Member

> This feature would be very useful!

I definitely agree.

There are five SSL-related things available by transport.get_extra_info(): peercert, cipher, compression, ssl_object.

Honestly, I have no idea whether they are valid and available after the transport is closed and the SSLObject is shut down.
Would somebody come up with a test and investigate?

@auxsvr

auxsvr commented Jan 14, 2023

I can retrieve the certificate on aiohttp 3.8.3 with:

async with aiohttp.ClientSession() as session:
    r = await session.get('https://bbc.com')
    cert = r.connection.transport.get_extra_info('peercert')

so this looks resolved to me.

@auxsvr

auxsvr commented Jan 21, 2023

I think this should be reopened, as the connection is closed in client_reqrep.ClientResponse._response_eof and the third line may execute after that, which will make the code above fail. After a little testing, the proper solution seems to be to add ClientResponse.certificate and populate it inside _response_eof, if the connection is still valid. Should I prepare a PR for this?
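
The two comments above, combined into a defensive lookup, as an added example that is not part of the thread or of aiohttp's own code: it reads the TLS details right after the headers arrive and returns None instead of failing when the connection has already been released. The names `tls_peer_info` and `fetch_with_tls_info`, the SHA-256 fingerprint field and the URL are assumptions made for illustration.

```python
import asyncio
import hashlib


def tls_peer_info(response):
    """Collect TLS details from a response, or None if they are unreachable.

    `response` only needs a `.connection` attribute shaped like the one on
    aiohttp's ClientResponse (hypothetical helper, not an aiohttp API).
    """
    conn = response.connection  # None once the connection has been released
    transport = conn.transport if conn is not None else None
    if transport is None:
        return None
    ssl_object = transport.get_extra_info("ssl_object")
    if ssl_object is None:  # plain HTTP: there is no peer certificate
        return None
    der = ssl_object.getpeercert(binary_form=True)  # binary (DER) form
    return {
        "peercert": transport.get_extra_info("peercert"),  # dict form
        "peercert_der": der,
        "sha256": hashlib.sha256(der).hexdigest() if der else None,
        "cipher": transport.get_extra_info("cipher"),
        "alpn": ssl_object.selected_alpn_protocol(),
        "peername": transport.get_extra_info("peername"),
    }


async def fetch_with_tls_info(url):
    import aiohttp  # third-party; imported here so the helper stays stdlib-only

    async with aiohttp.ClientSession() as session:
        async with session.get(url) as r:
            info = tls_peer_info(r)  # read before consuming the body
            body = await r.read()
    return info, body


if __name__ == "__main__":
    # Placeholder URL (assumption); needs network access and aiohttp installed.
    info, _ = asyncio.run(fetch_with_tls_info("https://example.com"))
    print("connection already released" if info is None else info["sha256"])
```

A None result means the caller has no certificate to check for that response, so code that depends on the certificate should treat it as a failure rather than skip the check.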

@Dreamsorcerer Dreamsorcerer reopened this Jan 22, 2023
@Dreamsorcerer
Member

> Should I prepare a PR for this?

Sure, we can take a look.

auxsvr added a commit to auxsvr/aiohttp that referenced this issue Jan 23, 2023
auxsvr added a commit to auxsvr/aiohttp that referenced this issue Jan 23, 2023
@auxsvr auxsvr linked a pull request Jan 23, 2023 that will close this issue
auxsvr added a commit to auxsvr/aiohttp that referenced this issue Jan 25, 2023
auxsvr added a commit to auxsvr/aiohttp that referenced this issue Jan 27, 2023
auxsvr added a commit to auxsvr/aiohttp that referenced this issue Jan 28, 2023
auxsvr added a commit to auxsvr/aiohttp that referenced this issue Feb 8, 2023