@@ -573,7 +573,7 @@ SSL sockets also have the following additional methods and attributes:
573573 If there is no certificate for the peer on the other end of the connection,
574574 returns ``None ``.
575575
576- If the parameter ``binary_form `` is :const: `False `, and a certificate was
576+ If the ``binary_form `` parameter is :const: `False `, and a certificate was
577577 received from the peer, this method returns a :class: `dict ` instance. If the
578578 certificate was not validated, the dict is empty. If the certificate was
579579 validated, it returns a dict with several keys, amongst them ``subject ``
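Review bot: on the reworded ``binary_form`` sentence and the context lines around it, the dict form has two falsy results that mean different things: ``None`` when there is no peer certificate, and an empty dict when one was received but not validated. Consider adding a sentence here telling callers to compare the result against ``None`` explicitly rather than truth-testing it, so an unvalidated certificate is not mistaken for an absent one.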
@@ -613,10 +613,16 @@ SSL sockets also have the following additional methods and attributes:
613613 If the ``binary_form `` parameter is :const: `True `, and a certificate was
614614 provided, this method returns the DER-encoded form of the entire certificate
615615 as a sequence of bytes, or :const: `None ` if the peer did not provide a
616- certificate. This return value is independent of validation; if validation
617- was required (:const: `CERT_OPTIONAL ` or :const: `CERT_REQUIRED `), it will have
618- been validated, but if :const: `CERT_NONE ` was used to establish the
619- connection, the certificate, if present, will not have been validated.
616+ certificate. Whether the peer provides a certificate depends on the SSL
617+ socket's role:
618+
619+ * for a client SSL socket, the server will always provide a certificate,
620+ regardless of whether validation was required;
621+
622+ * for a server SSL socket, the client will only provide a certificate
623+ when requested by the server; therefore :meth: `getpeercert ` will return
624+ :const: `None ` if you used :const: `CERT_NONE ` (rather than
625+ :const: `CERT_OPTIONAL ` or :const: `CERT_REQUIRED `).
620626
621627 .. versionchanged :: 3.2
622628 The returned dictionary includes additional items such as ``issuer ``
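Review bot: the removed lines 616-619 were the only place in this paragraph stating that the DER return value "is independent of validation" and that with ``CERT_NONE`` the certificate "will not have been validated"; the replacement bullets only cover whether a certificate is provided. The first bullet ("regardless of whether validation was required") implies a client gets bytes back even under ``CERT_NONE``, so I would keep one sentence after the list saying the returned bytes are unvalidated in that case and should not be relied on to identify the peer.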