This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: Python 3.5.1 fails at HTTPSTest with SSL CERT error
Type: behavior Stage:
Components: Tests Versions: Python 3.5
Status: closed Resolution: out of date
Dependencies: Superseder: SSL tests failed due to expired SSL certificate
View: 25940
Assigned To: Nosy List: Bennet Fauber, alex, christian.heimes, dstufft, giampaolo.rodola, janssen, martin.panter, pitrou
Priority: normal Keywords:

Created on 2016-05-11 19:23 by Bennet Fauber, last changed 2022-04-11 14:58 by admin. This issue is now closed.

File name Uploaded Description Edit Bennet Fauber, 2016-05-11 19:23 script used to replicate error outside of make test
Messages (3)
msg265339 - (view) Author: Bennet Fauber (Bennet Fauber) Date: 2016-05-11 19:23
I downloaded the source tar file for Python 3.5.1 and compiled.  Upon running make test, it fails at

test_networked_good_cert (test_httplib.HTTPSTest) ... ERROR

Abbreviated Traceback looks like:

ERROR: test_networked_good_cert (test_httplib.HTTPSTest)
Traceback (most recent call last):
  File "/tmp/bennet/Python-3.5.1/Lib/test/", line 1325, in test_networked_good_cert
    h.request('GET', '/')
. . . .
  File "/tmp/local/python-3.5.1/lib/python3.5/", line 628, in do_handshake
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

I have replicated this on CentOS 7, RHEL 6.5, and Ubuntu 16.04 Xenial with GCC versions 4.8.5, 4.8.5, and 5.3.1, respectively.

There was a previous bug reported about expired certificates that was closed.  It appears that it's using CERT_localhost, defined at the top to be keycert.pem, and that appears to be valid:

[bennet@flux-build-centos7-dev test]$ openssl x509 -in keycert.pem -text
        Version: 3 (0x2)
        Serial Number: 15548457918976213582 (0xd7c7381919afc24e)
. . . .
            Not Before: Oct  8 23:01:56 2010 GMT
            Not After : Oct  5 23:01:56 2020 GMT

I can replicate the test outside of make with the attached script.

I tried to be complete reporting and searching for this first; I apologize if I missed an obvious solution.
msg265348 - (view) Author: Bennet Fauber (Bennet Fauber) Date: 2016-05-11 20:32
Just for the sake of completeness, I tested outside of the test harness.

[bennet@flux-build-centos7-dev test]$ python3
Python 3.5.1 (default, May 11 2016, 08:50:05) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-4)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import http.client
>>> conn = http.client.HTTPSConnection("")
>>> conn.request("GET", "/")
>>> r1 = conn.getresponse()
>>> print(r1.status, r1.reason)
200 OK

I think that indicates that it can do certificate verification of some sort and might be an indication that the issue is not with the setup but with the test.  There was some discussion of making the tests independent of connectivity in Issue25940.

There are a couple of expired certs in the test directory, but they may not be used; e.g.,

            Not After : Sep 20 23:59:59 2012 GMT
            Not After : Feb 17 23:59:59 2014 GMT

I should have included this in the first submission.  Sorry for any additional mail this may generate.
msg265439 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2016-05-13 02:46
After 3.5.1 was released, there were some SSL certificate changes with a server (ab)used in the test suite. See Issue 25940. The result was that I changed some tests over to use the server, and I had to enable the CA flag in its certificate (

A workaround might be to grab the updated Lib/test/selfsigned_pythontestdotnet.pem file, and perhaps some of the other changes made in Issue 25940 if necessary.
Date User Action Args
2022-04-11 14:58:30adminsetgithub: 71190
2016-05-13 02:47:35martin.pantersetcomponents: + Tests, - Extension Modules
2016-05-13 02:46:12martin.pantersetstatus: open -> closed

nosy: + martin.panter
messages: + msg265439

superseder: SSL tests failed due to expired SSL certificate
resolution: out of date
2016-05-11 20:40:12SilentGhostsetnosy: + janssen, pitrou, giampaolo.rodola, christian.heimes, alex, dstufft
type: compile error -> behavior
components: + Extension Modules, - Build
2016-05-11 20:32:19Bennet Faubersetmessages: + msg265348
2016-05-11 19:23:16Bennet Faubercreate