Our OCSP callback should use the verified peer certificate chain to find the cert issuer. It currently uses the "raw" peer certificate chain sent by the server. This requires a new PyOpenSSL feature to allow inspecting the verified peer cert chain. I've implemented this in:
https://github.com/pyca/pyopenssl/pull/894
is related to:
- PYTHON-3132 Bump minimum pyopenssl version req to >=20 (Backlog)
- PYTHON-2936 Test Failure - test_validation_with_system_ca_certs macOS + pyOpenSSL (Closed)

related to:
- PYTHON-2093 OCSP Support (Closed)
- PYTHON-2140 Test PyOpenSSL support on macOS (Closed)
- PYTHON-2144 Test OCSP support on macOS and Windows (Closed)
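
The issuer lookup described in this ticket, as an added example (not code from this ticket, PyMongo or pyOpenSSL): it looks up the issuer of a server certificate in the chain the server sent and in the chain that verification built. It assumes the `cryptography` package and ECDSA certificates; `find_issuer`, `make_cert`, the certificate names, and the premise that the server omits its root from the chain it sends are constructed for illustration.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def find_issuer(cert, chain):
    """Return the chain entry that names and ECDSA-signed `cert`, else None."""
    for candidate in chain:
        if candidate.subject != cert.issuer:
            continue
        try:  # a matching name is not enough, so check the signature too
            candidate.public_key().verify(
                cert.signature, cert.tbs_certificate_bytes,
                ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            continue
        return candidate
    return None


def make_cert(cn, key, issuer_cn, issuer_key, ca=False):
    """Build a constructed ECDSA P-256 test certificate valid for one day."""
    def name(value):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, value)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=1))
            .not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), True)
            .sign(issuer_key, hashes.SHA256()))


# Constructed sample: a root CA that directly issues the server certificate.
root_key = ec.generate_private_key(ec.SECP256R1())
leaf_key = ec.generate_private_key(ec.SECP256R1())
root = make_cert("Example Root CA", root_key, "Example Root CA", root_key, ca=True)
leaf = make_cert("db.example.test", leaf_key, "Example Root CA", root_key)
# With pyOpenSSL these would be conn.get_peer_cert_chain() and
# conn.get_verified_chain(), each entry converted via X509.to_cryptography().
raw_chain = [leaf]             # assumed: the server omitted the root it chains to
verified_chain = [leaf, root]  # path built during verification, ends at the anchor
issuer_from_raw = find_issuer(leaf, raw_chain)
issuer_from_verified = find_issuer(leaf, verified_chain)
```

With the raw chain the lookup finds no issuer, so an OCSP check would have nothing to validate the response against; the verified chain supplies the trust anchor that actually signed the certificate.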