This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author yan12125
Recipients alex, christian.heimes, dstufft, janssen, yan12125
Date 2016-09-16.15:06:42
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1474038403.65.0.643451535386.issue28182@psf.upfronthosting.co.za>
In-reply-to
Content 
This was originally a post at python-ideas. Now I reformat it to be more like a feature request.

Currently, Python raises SSLError with reason=CERTIFICATE_VERIFY_FAILED for all kinds of certificate verification failures. This results in difficulties in debugging SSL errors for others. (Some downstream bug reports: [1][2]) In OpenSSL, such errors are further divided into several kinds. For example, expired certificates result in X509_V_ERR_CERT_HAS_EXPIRED, and typical self-signed certificates fall into X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. The error code can be retrieved via `SSL_get_verify_result` and human readable messages are available from `X509_verify_cert_error_string`. I hope I can get error messages like this: (Omit URLError to avoid verbose messages)

$ ./python -c 'import urllib.request; urllib.request.urlopen("https://self-signed.badssl.com/")'
Traceback (most recent call last):
  File "/home/yen/Projects/cpython/Lib/urllib/request.py", line 1318, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "/home/yen/Projects/cpython/Lib/http/client.py", line 1239, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/home/yen/Projects/cpython/Lib/http/client.py", line 1285, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/home/yen/Projects/cpython/Lib/http/client.py", line 1234, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/home/yen/Projects/cpython/Lib/http/client.py", line 1026, in _send_output
    self.send(msg)
  File "/home/yen/Projects/cpython/Lib/http/client.py", line 964, in send
    self.connect()
  File "/home/yen/Projects/cpython/Lib/http/client.py", line 1400, in connect
    server_hostname=server_hostname)
  File "/home/yen/Projects/cpython/Lib/ssl.py", line 401, in wrap_socket
    _context=self, _session=session)
  File "/home/yen/Projects/cpython/Lib/ssl.py", line 808, in __init__
    self.do_handshake()
  File "/home/yen/Projects/cpython/Lib/ssl.py", line 1061, in do_handshake
    self._sslobj.do_handshake()
  File "/home/yen/Projects/cpython/Lib/ssl.py", line 683, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED: DEPTH_ZERO_SELF_SIGNED_CERT] certificate verify failed: self signed certificate (_ssl.c:752)

And for expired certificates:

$ ./python -c 'import urllib.request; urllib.request.urlopen("https://expired.badssl.com/")'
Traceback (most recent call last):
  File "/home/yen/Projects/cpython/Lib/urllib/request.py", line 1318, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "/home/yen/Projects/cpython/Lib/http/client.py", line 1239, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/home/yen/Projects/cpython/Lib/http/client.py", line 1285, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/home/yen/Projects/cpython/Lib/http/client.py", line 1234, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/home/yen/Projects/cpython/Lib/http/client.py", line 1026, in _send_output
    self.send(msg)
  File "/home/yen/Projects/cpython/Lib/http/client.py", line 964, in send
    self.connect()
  File "/home/yen/Projects/cpython/Lib/http/client.py", line 1400, in connect
    server_hostname=server_hostname)
  File "/home/yen/Projects/cpython/Lib/ssl.py", line 401, in wrap_socket
    _context=self, _session=session)
  File "/home/yen/Projects/cpython/Lib/ssl.py", line 808, in __init__
    self.do_handshake()
  File "/home/yen/Projects/cpython/Lib/ssl.py", line 1061, in do_handshake
    self._sslobj.do_handshake()
  File "/home/yen/Projects/cpython/Lib/ssl.py", line 683, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED: CERT_HAS_EXPIRED] certificate verify failed: certificate has expired (_ssl.c:752)

I've once tried to achieve it, but my CPython knowledge is way too limited to give a good enough patch.

[1] https://github.com/rg3/youtube-dl/issues/10574
[2] https://github.com/rg3/youtube-dl/issues/7309
History
Date User Action Args
2016-09-16 15:06:43yan12125setrecipients: + yan12125, janssen, christian.heimes, alex, dstufft
2016-09-16 15:06:43yan12125setmessageid: <1474038403.65.0.643451535386.issue28182@psf.upfronthosting.co.za>
2016-09-16 15:06:43yan12125linkissue28182 messages
2016-09-16 15:06:42yan12125create