This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in Python's Developer Guide.

classification
Title: ssl: can't verify a trusted site with incomplete certificate chain
Type: behavior
Stage: resolved
Components:
Versions: Python 3.5
process
Status: closed
Resolution: wont fix
Dependencies:
Superseder:
Assigned To:
Nosy List: christian.heimes, lilydjwg, wumpus
Priority: normal
Keywords:

Created on 2016-09-06 08:52 by lilydjwg, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (5)
msg274542 - (view) Author: lilydjwg (lilydjwg) * Date: 2016-09-06 08:52
This fails:

Python 3.5.2 (default, Jun 28 2016, 08:46:01)
[GCC 6.1.1 20160602] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> import socket
>>> s = socket.socket()
>>> c = ssl.create_default_context(cafile='COMODORSADomainValidationSecureServerCA.crt')
>>> s = c.wrap_socket(s, server_hostname='miaosss.top')
>>> s.connect(('miaosss.top', 443))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.5/ssl.py", line 1019, in connect
    self._real_connect(addr, False)
  File "/usr/lib/python3.5/ssl.py", line 1010, in _real_connect
    self.do_handshake()
  File "/usr/lib/python3.5/ssl.py", line 988, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib/python3.5/ssl.py", line 633, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

But openssl can succeed:

openssl s_client -connect miaosss.top:443 -CAfile COMODORSADomainValidationSecureServerCA.crt -servername miaosss.top

which ends with "Verify return code: 0 (ok)"

Firefox and SSLlabs (https://www.ssllabs.com/ssltest/analyze.html?d=miaosss.top) both show it's trusted.
msg274544 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-09-06 09:18
Yes, that is to be expected. Python does not use AIA to fetch missing certs. The server must return all intermediate certs. Browsers have workarounds and local caches, Python doesn't. Other tools like curl behave the same.
msg274549 - (view) Author: lilydjwg (lilydjwg) * Date: 2016-09-06 10:28
Please read my code. I've provided the CA certificate; this should work because I've downloaded the certificate manually and fed it to Python.

openssl command line tool works. gnutls-cli works too. wget (with openssl) works too. curl (with openssl) fails like Python but I don't understand why.

I've successfully done things like this before, but now I encounter a site that Python can't verify with the correct CA certificate (that other tools accept).
msg274550 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-09-06 10:49
From https://www.ssllabs.com/ssltest/analyze.html?d=miaosss.top

Chain issues:   Incomplete
Extra download: COMODO RSA Domain Validation Secure Server CA

Python does not support extra downloads of incomplete chains. The server must return the EE cert and all intermediate certs during the TLS handshake.

You also can't pass the intermediate cert as a CA cert. It's not a trust anchor. You could load both the trust anchor and intermediate cert as CA certs (concatenate intermediate and root certs), but that is potentially dangerous. Safer way is https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_add0_chain_cert.html but Python does not have an API for SSL_CTX_add0_chain_cert().

Best solution: get the server fixed. It doesn't behave correctly.
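The two points made in msg274544 and msg274550 (the ssl module verifies only what the server actually sends, with no AIA fetching, and an intermediate loaded on its own as a CA certificate is not a trust anchor) can be reproduced offline. The script below is an added example, not code from this report or from CPython: it mints a private root -> intermediate -> leaf chain with the third-party `cryptography` package, then runs a TLS handshake over a socketpair with the server configured to send either the complete chain or only the leaf, while the client trusts the root, the intermediate alone, or both concatenated. The CA names and the `localhost` hostname are made up for the example.

```python
import datetime
import os
import socket
import ssl
import tempfile
import threading

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

HOSTNAME = "localhost"  # assumed name: the leaf is issued for it and the client checks it

def mint(common_name, issuer=None, is_ca=True):
    """Return (cert, key); issuer is the signer's (cert, key), None means self-signed."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    issuer_name, signer = (issuer[0].subject, issuer[1]) if issuer else (subject, key)
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if not is_ca:  # end-entity cert: carry the host name so check_hostname can match it
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(common_name)]), critical=False)
    return builder.sign(signer, hashes.SHA256()), key

def pem(cert):
    return cert.public_bytes(serialization.Encoding.PEM)

def handshake(server_chain_pem, server_key, trusted_pem):
    """Client trusting trusted_pem vs. server presenting server_chain_pem: "ok" or error."""
    with tempfile.TemporaryDirectory() as tmp:
        cert_path, key_path = os.path.join(tmp, "chain.pem"), os.path.join(tmp, "key.pem")
        with open(cert_path, "wb") as f:
            f.write(server_chain_pem)  # exactly what the server will send on the wire
        with open(key_path, "wb") as f:
            f.write(server_key.private_bytes(serialization.Encoding.PEM,
                    serialization.PrivateFormat.PKCS8, serialization.NoEncryption()))
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.load_cert_chain(cert_path, key_path)

        # PROTOCOL_TLS_CLIENT already means CERT_REQUIRED plus check_hostname; the only
        # CA material OpenSSL gets to work with is what is loaded here (no AIA fetch).
        client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        client_ctx.load_verify_locations(cadata=trusted_pem.decode())

        server_sock, client_sock = socket.socketpair()
        server_sock.settimeout(5)
        client_sock.settimeout(5)

        def serve():
            try:
                with server_ctx.wrap_socket(server_sock, server_side=True) as s:
                    s.recv(1)
            except (ssl.SSLError, OSError):
                pass  # the client aborted the handshake; the client side reports why

        t = threading.Thread(target=serve)
        t.start()
        try:
            with client_ctx.wrap_socket(client_sock, server_hostname=HOSTNAME) as c:
                c.sendall(b"x")
            result = "ok"
        except ssl.SSLCertVerificationError as e:
            result = e.verify_message  # e.g. "unable to get local issuer certificate"
        t.join()
        return result

def run_scenarios():
    root = mint("Example Root CA")  # CA names are made up for this example
    inter = mint("Example Intermediate CA", issuer=root)
    leaf = mint(HOSTNAME, issuer=inter, is_ca=False)
    leaf_only, full_chain = pem(leaf[0]), pem(leaf[0]) + pem(inter[0])
    return {
        # properly configured server: leaf + intermediate sent, client trusts the root
        "complete chain, trust root": handshake(full_chain, leaf[1], pem(root[0])),
        # the reported situation: the server omits the intermediate
        "incomplete chain, trust root": handshake(leaf_only, leaf[1], pem(root[0])),
        # the reporter's attempt: the intermediate alone is not a trust anchor
        "incomplete chain, trust intermediate": handshake(leaf_only, leaf[1], pem(inter[0])),
        # the msg274550 workaround: root and intermediate concatenated as CA certs
        "incomplete chain, trust root+intermediate": handshake(
            leaf_only, leaf[1], pem(root[0]) + pem(inter[0])),
    }

if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:45} -> {outcome}")
```

Run it directly to print one outcome per scenario. Only the two scenarios in which the certificates sent on the wire plus the loaded CA certificates reach a self-signed anchor come back "ok"; the other two return OpenSSL's verify error text (the `verify_message` attribute of `ssl.SSLCertVerificationError`, Python 3.7+). The client context is built as `SSLContext(PROTOCOL_TLS_CLIENT)` rather than with `create_default_context()` so the result does not depend on the extra verify flags newer Python versions turn on by default: with `ssl.VERIFY_X509_PARTIAL_CHAIN` set (available since Python 3.10, and part of the `create_default_context()` defaults from 3.13), OpenSSL treats any certificate in the store as a trust anchor and the intermediate-only case passes, which is a deliberate choice to make, not something the 3.5 code in this report did.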
msg274554 - (view) Author: lilydjwg (lilydjwg) * Date: 2016-09-06 12:45
I understand now, thank you!
It's much easier to work around such issues than fix other people's sites.
History
Date                 User               Action   Args
2022-04-11 14:58:35  admin              set      github: 72157
2019-09-18 03:41:32  wumpus             set      nosy: + wumpus
2016-09-06 12:45:21  lilydjwg           set      messages: + msg274554
2016-09-06 10:49:31  christian.heimes   set      messages: + msg274550
2016-09-06 10:28:22  lilydjwg           set      messages: + msg274549
2016-09-06 09:18:50  christian.heimes   set      status: open -> closed; nosy: + christian.heimes; messages: + msg274544; resolution: wont fix; stage: resolved
2016-09-06 08:52:17  lilydjwg           create