Issue #10022: The dictionary returned by the `getpeercert()` method
of SSL sockets now has additional items such as `issuer` and `notBefore`.
diff --git a/Doc/library/ssl.rst b/Doc/library/ssl.rst
index 57a17bc..39d1cfe 100644
--- a/Doc/library/ssl.rst
+++ b/Doc/library/ssl.rst
@@ -433,11 +433,9 @@
certificate was not validated, the dict is empty. If the certificate was
validated, it returns a dict with the keys ``subject`` (the principal for
which the certificate was issued), and ``notAfter`` (the time after which the
- certificate should not be trusted). The certificate was already validated,
- so the ``notBefore`` and ``issuer`` fields are not returned. If a
- certificate contains an instance of the *Subject Alternative Name* extension
- (see :rfc:`3280`), there will also be a ``subjectAltName`` key in the
- dictionary.
+ certificate should not be trusted). If a certificate contains an instance
+ of the *Subject Alternative Name* extension (see :rfc:`3280`), there will
+ also be a ``subjectAltName`` key in the dictionary.
The "subject" field is a tuple containing the sequence of relative
distinguished names (RDNs) given in the certificate's data structure for the
@@ -459,6 +457,10 @@
been validated, but if :const:`CERT_NONE` was used to establish the
connection, the certificate, if present, will not have been validated.
+ .. versionchanged:: 3.2
+ The returned dictionary includes additional items such as ``issuer``
+ and ``notBefore``.
+
.. method:: SSLSocket.cipher()
Returns a three-value tuple containing the name of the cipher being used, the