{"id":11993,"date":"2026-01-26T13:56:53","date_gmt":"2026-01-26T18:56:53","guid":{"rendered":"https:\/\/www.rushworth.us\/lisa\/?p=11993"},"modified":"2026-02-06T14:10:10","modified_gmt":"2026-02-06T19:10:10","slug":"viewing-real-certificate-chain","status":"publish","type":"post","link":"https:\/\/www.rushworth.us\/lisa\/?p=11993","title":{"rendered":"Viewing *Real* Certificate Chain"},"content":{"rendered":"\n

Browsers implement AIA which “helps” by repairing the certificate chain and forming a trust even without proper server configuration. Which is great for user experience, but causes a lot of challenges to people troubleshooting SSL connection failures from devices, old equipment, etc. It’s fine<\/em> when I try it from my laptop!<\/p>\n\n\n\n

This python script reports on the real<\/em> certificate chain being served from an endpoint. Self-signed certificates will show as untrusted <\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

And public certs will show the chain and show as trusted<\/p>\n\n\n\n

\"\"<\/a><\/figure>\n\n\n\n

Code:<\/p>\n\n\n

\nimport ssl\nimport socket\nimport datetime\nimport select\n\n# Third-party modules (install: pip install pyopenssl cryptography)\ntry:\n    from OpenSSL import SSL, crypto\n    from cryptography import x509\n    from cryptography.hazmat.primitives import hashes\nexcept ImportError as e:\n    raise SystemExit(\n        "Missing required modules. Please install:\\n"\n        "  pip install pyopenssl cryptography\\n"\n        f"Import error: {e}"\n    )\n\ndef prompt(text, default=None):\n    s = input(text).strip()\n    return s if s else default\n\ndef check_trust(hostname: str, port: int, timeout=6.0):\n    """\n    Attempt a TLS connection using system trust store and hostname verification.\n    Returns (trusted: bool, message: str).\n    """\n    try:\n        ctx = ssl.create_default_context()\n        with socket.create_connection((hostname, port), timeout=timeout) as sock:\n            with ctx.wrap_socket(sock, server_hostname=hostname) as ssock:\n                # Minimal HTTP GET to ensure we fully complete the handshake\n                req = f"GET \/ HTTP\/1.1\\r\\nHost: {hostname}\\r\\nConnection: close\\r\\n\\r\\n"\n                ssock.sendall(req.encode("utf-8"))\n                _ = ssock.recv(1)\n        return True, "TRUSTED (system trust store)"\n    except ssl.SSLCertVerificationError as e:\n        return False, f"NOT TRUSTED (certificate verification error): {e}"\n    except ssl.SSLError as e:\n        return False, f"NOT TRUSTED (SSL error): {e}"\n    except Exception as e:\n        return False, f"Error connecting: {e}"\n\ndef _aware_utc(dt: datetime.datetime) -> datetime.datetime:\n    """\n    Ensure a datetime is timezone-aware in UTC. cryptography returns naive UTC datetimes.\n    """\n    if dt.tzinfo is None:\n        return dt.replace(tzinfo=datetime.timezone.utc)\n    return dt.astimezone(datetime.timezone.utc)\n\ndef _cert_to_info(cert: x509.Certificate):\n    subj = cert.subject.rfc4514_string()\n    issr = cert.issuer.rfc4514_string()\n    fp_sha1 = cert.fingerprint(hashes.SHA1()).hex().upper()\n    nb = _aware_utc(cert.not_valid_before_utc)\n    na = _aware_utc(cert.not_valid_after_utc)\n    now = datetime.datetime.now(datetime.timezone.utc)\n    delta_days = max(0, (na - now).days)\n    return {\n        "subject": subj,\n        "issuer": issr,\n        "sha1": fp_sha1,\n        "not_before": nb,\n        "not_after": na,\n        "days_to_expiry": delta_days\n    }\n\ndef _do_handshake_blocking(conn: SSL.Connection, sock: socket.socket, timeout: float):\n    """\n    Drive the TLS handshake, handling WantRead\/WantWrite by waiting with select.\n    """\n    deadline = datetime.datetime.now() + datetime.timedelta(seconds=timeout)\n    while True:\n        try:\n            conn.do_handshake()\n            return\n        except SSL.WantReadError:\n            remaining = (deadline - datetime.datetime.now()).total_seconds()\n            if remaining <= 0:\n                raise TimeoutError("TLS handshake timed out (WantRead)")\n            r, _, _ = select.select([sock], [], [], remaining)\n            if not r:\n                raise TimeoutError("TLS handshake timed out (WantRead)")\n            continue\n        except SSL.WantWriteError:\n            remaining = (deadline - datetime.datetime.now()).total_seconds()\n            if remaining <= 0:\n                raise TimeoutError("TLS handshake timed out (WantWrite)")\n            _, w, _ = select.select([], [sock], [], remaining)\n            if not w:\n                raise TimeoutError("TLS handshake timed out (WantWrite)")\n            continue\n\ndef fetch_presented_chain(hostname: str, port: int, timeout: float = 12.0):\n    """\n    Capture the presented certificate chain using pyOpenSSL.\n    Returns (chain: list of {subject, issuer, sha1, not_before, not_after, days_to_expiry}, error: str or None).\n    """\n    # TCP connect\n    try:\n        sock = socket.create_connection((hostname, port), timeout=timeout)\n        sock.settimeout(timeout)\n    except Exception as e:\n        return [], f"Error connecting: {e}"\n\n    try:\n        # TLS client context\n        ctx = SSL.Context(SSL.TLS_CLIENT_METHOD)\n\n        # Compatibility tweaks:\n        # - Lower OpenSSL security level\n        try:\n            ctx.set_cipher_list(b"DEFAULT:@SECLEVEL=1")\n        except Exception:\n            pass\n\n        # - Disable TLS 1.3 and set minimum TLS 1.2\n        try:\n            ctx.set_options(SSL.OP_NO_TLSv1_3)\n        except Exception:\n            pass\n        try:\n            # Ensure TLSv1.2+ (pyOpenSSL exposes set_min_proto_version on some builds)\n            if hasattr(ctx, "set_min_proto_version"):\n                ctx.set_min_proto_version(SSL.TLS1_2_VERSION)\n        except Exception:\n            pass\n\n        # - Set ALPN to http\/1.1 (some paths work better when ALPN is present)\n        try:\n            ctx.set_alpn_protos([b"http\/1.1"])\n        except Exception:\n            pass\n\n        conn = SSL.Connection(ctx, sock)\n        conn.set_tlsext_host_name(hostname.encode("utf-8"))\n        conn.set_connect_state()\n\n        # Blocking mode (best effort)\n        try:\n            conn.setblocking(True)\n        except Exception:\n            pass\n\n        # Drive handshake\n        _do_handshake_blocking(conn, sock, timeout=timeout)\n\n        # Retrieve chain (some servers only expose leaf)\n        chain = conn.get_peer_cert_chain()\n        infos = []\n        if chain:\n            for c in chain:\n                der = crypto.dump_certificate(crypto.FILETYPE_ASN1, c)\n                cert = x509.load_der_x509_certificate(der)\n                infos.append(_cert_to_info(cert))\n        else:\n            peer = conn.get_peer_certificate()\n            if peer is not None:\n                der = crypto.dump_certificate(crypto.FILETYPE_ASN1, peer)\n                cert = x509.load_der_x509_certificate(der)\n                infos.append(_cert_to_info(cert))\n\n        # Cleanup\n        try:\n            conn.shutdown()\n        except Exception:\n            pass\n        finally:\n            try:\n                conn.close()\n            except Exception:\n                pass\n            try:\n                sock.close()\n            except Exception:\n                pass\n\n        if not infos:\n            return [], "No certificates captured (server did not present a chain and peer cert unavailable)"\n        return infos, None\n\n    except Exception as e:\n        try:\n            sock.close()\n        except Exception:\n            pass\n        etype = type(e).__name__\n        emsg = str(e) or "no message"\n        return [], f"TLS handshake or chain retrieval error: {etype}: {emsg}"\n\ndef main():\n    hostname = prompt("Enter hostname to test (e.g., example.domain.com): ")\n    if not hostname:\n        print("Hostname is required.")\n        return\n    port_str = prompt("Enter port [default 443]: ", "443")\n    try:\n        port = int(port_str)\n    except ValueError:\n        print("Invalid port.")\n        return\n\n    print(f"\\nTesting TLS chain for {hostname}:{port} ...")\n    chain, err = fetch_presented_chain(hostname, port)\n    print("\\nPresented chain:")\n    if err:\n        print(f"  [ERROR] {err}")\n    elif not chain:\n        print("  [No certificates captured]")\n    else:\n        for i, ci in enumerate(chain, 1):\n            print(f"  [{i}] Subject: {ci['subject']}")\n            print(f"       Issuer:  {ci['issuer']}")\n            print(f"       SHA1:    {ci['sha1']}")\n            nb_val = ci.get("not_before")\n            na_val = ci.get("not_after")\n            nb_str = nb_val.isoformat() if isinstance(nb_val, datetime.datetime) else str(nb_val)\n            na_str = na_val.isoformat() if isinstance(na_val, datetime.datetime) else str(na_val)\n            print(f"       Not Before: {nb_str}")\n            print(f"       Not After:  {na_str}")\n            dte = ci.get("days_to_expiry")\n            if dte is not None:\n                print(f"       Expires In: {dte} days")\n\n    trusted, msg = check_trust(hostname, port)\n    print(f"\\nTrust result: {'TRUSTED' if trusted else 'NOT TRUSTED'} - {msg}")\n\nif __name__ == "__main__":\n    main()\n<\/pre><\/div>","protected":false},"excerpt":{"rendered":"
Browsers implement AIA which “helps” by repairing the certificate chain and forming a trust even without proper server configuration. Which is great for user experience, but causes a lot of challenges to people troubleshooting SSL connection failures from devices, old equipment, etc. It’s fine when I try it from my laptop! This python script reports …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[30],"tags":[664,236,2171],"class_list":["post-11993","post","type-post","status-publish","format-standard","hentry","category-system-administration","tag-python","tag-ssl","tag-trust-chains"],"_links":{"self":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/11993","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=11993"}],"version-history":[{"count":1,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/11993\/revisions"}],"predecessor-version":[{"id":11997,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=\/wp\/v2\/posts\/11993\/revisions\/11997"}],"wp:attachment":[{"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=11993"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=11993"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.rushworth.us\/lisa\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=11993"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}