Message 115172 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	pitrou
Recipients	exarkun, giampaolo.rodola, janssen, pitrou
Date	2010-08-28.21:01:49
SpamBayes Score	5.262346e-12
Marked as misclassified	No
Message-id	<1283029306.3325.3.camel@localhost.localdomain>
In-reply-to	<1283023143.92.0.0739229876484.issue9706@psf.upfronthosting.co.za>

Content
> SSLError: _ssl.c:296: Both the key & certificate files must be > specified for server-side operation > > I would change this behavior in SSLSocket constructor and raise > ValueError if server_side is True and certfile is None. Good idea. > Also, the message coming from the C code should be adjusted to state > than keyfile argument is not mandatory. The message is arguably technically correct: you need both a (private) key and a certificate. It's simply that they can be put in the same file. > >>> s = ssl.wrap_socket(socket.socket(), server_side=1) > >>> s.connect(('blogger.com', 443)) > >>> > > For consistency I would expect something like ValueError("can't > connect in server-side mode") on connect(). Indeed. > ssl.SSLError: [Errno 336445442] _ssl.c:1604: error:140DC002:SSL > routines:SSL_CTX_use_certificate_chain_file:system lib > >>> > > A simple "IOError No such file or directory 'xxx'" exception would be > a lot more clear. Agreed, but the OpenSSL error reporting system looks too convoluted (or braindead) to easily allow such aliasing of errors. If you have an idea, don't hesitate to share :) > ssl.SSLError: [Errno 336445449] _ssl.c:1604: error:140DC009:SSL > routines:SSL_CTX_use_certificate_chain_file:PEM lib > >>> > > If possible, the error should be more clear about what happened. > Something like "malformed certfile was provided" or something. Same as above: the error message and numeric code come from OpenSSL, not from us.

> SSLError: _ssl.c:296: Both the key & certificate files must be
> specified for server-side operation
> 
> I would change this behavior in SSLSocket constructor and raise
> ValueError if server_side is True and certfile is None.

Good idea.

> Also, the message coming from the C code should be adjusted to state
> than keyfile argument is not mandatory.

The message is arguably technically correct: you need both a (private)
key and a certificate. It's simply that they can be put in the same
file.

> >>> s = ssl.wrap_socket(socket.socket(), server_side=1)
> >>> s.connect(('blogger.com', 443))
> >>> 
> 
> For consistency I would expect something like ValueError("can't
> connect in server-side mode") on connect().

Indeed.

> ssl.SSLError: [Errno 336445442] _ssl.c:1604: error:140DC002:SSL
> routines:SSL_CTX_use_certificate_chain_file:system lib
> >>> 
> 
> A simple "IOError No such file or directory 'xxx'" exception would be
> a lot more clear.

Agreed, but the OpenSSL error reporting system looks too convoluted (or
braindead) to easily allow such aliasing of errors. If you have an idea,
don't hesitate to share :)

> ssl.SSLError: [Errno 336445449] _ssl.c:1604: error:140DC009:SSL
> routines:SSL_CTX_use_certificate_chain_file:PEM lib
> >>> 
> 
> If possible, the error should be more clear about what happened.
> Something like "malformed certfile was provided" or something.

Same as above: the error message and numeric code come from OpenSSL, not
from us.

History
Date	User	Action	Args
2010-08-28 21:01:51	pitrou	set	recipients: + pitrou, exarkun, janssen, giampaolo.rodola
2010-08-28 21:01:49	pitrou	link	issue9706 messages
2010-08-28 21:01:49	pitrou	create