This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author dstufft
Recipients Lukasa, alex, christian.heimes, demian.brecht, dstufft, giampaolo.rodola, icordasc, janssen, lac, nagle, pitrou
Date 2015-02-24.16:31:26
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1424795487.08.0.675510538108.issue23476@psf.upfronthosting.co.za>
In-reply-to
Content 
It appears it's not actually an issue with the CA Bundle, but I don't think it's actually an issue with Python, though Python might be in the best situation to try and fix it...

Basically, it appears that OpenSSL does not look inside the trust root for any certificate served by the server. In this case the sites have a chain that looks like A -> B -> NEW ROOT being served by the server, and NEW ROOT is also signed by OLD ROOT. If I construct the chain being sent from the server so it doens't have NEW ROOT, then everything works, but if the chain being sent from the server has NEW ROOT, then OpenSSL will only trust it if OLD ROOT is in the trust bundle. In this case Mozilla (and requests) has NEW ROOT in the trust bundle but not OLD ROOT, becuase OLD ROOT is a 1024 bit key.
History
Date User Action Args
2015-02-24 16:31:27dstufftsetrecipients: + dstufft, janssen, nagle, pitrou, giampaolo.rodola, christian.heimes, alex, icordasc, demian.brecht, Lukasa, lac
2015-02-24 16:31:27dstufftsetmessageid: <1424795487.08.0.675510538108.issue23476@psf.upfronthosting.co.za>
2015-02-24 16:31:27dstufftlinkissue23476 messages
2015-02-24 16:31:26dstufftcreate