classification
Title: SystemError: returned NULL without setting an error
Type: behavior
Stage: resolved
Components: SSL
Versions: Python 3.5

process
Status: closed
Resolution: duplicate
Dependencies:
Superseder: X509 cert with GEN_RID subject alt name causes SytemError (View: 27691)
Assigned To: christian.heimes
Nosy List: Matt Wright, christian.heimes
Priority: normal
Keywords:

Created on 2016-09-15 15:47 by Matt Wright, last changed 2016-09-15 16:02 by Matt Wright. This issue is now closed.

Messages (3)
msg276567 - (view) Author: Matt Wright (Matt Wright) Date: 2016-09-15 15:47
I'm experiencing a strange error when connecting to a web server with a self-signed certificate. I've added the Root and Intermediate certs to the system CA bundle, and can `curl` against the server without any errors or using the `k` flag. But Python (via requests) raises an error that I can't seem to figure out at all with the `peer_certificate` method. Below you'll find the specific error:

```
import requests
requests.get('https://localhost:9200/_cluster/health', verify='/etc/ssl/certs/ca-certificates.crt')
Traceback (most recent call last):
  File "test.py", line 2, in <module>
    requests.get('https://localhost:9200/_cluster/health', verify='/etc/ssl/certs/ca-certificates.crt')
  File "/usr/lib/python3/dist-packages/requests/api.py", line 67, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/api.py", line 53, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3/dist-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 376, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 560, in urlopen
    body=body, headers=headers)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 787, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 259, in connect
    cert = self.sock.getpeercert()
  File "/usr/lib/python3.5/ssl.py", line 818, in getpeercert
    return self._sslobj.getpeercert(binary_form)
  File "/usr/lib/python3.5/ssl.py", line 595, in getpeercert
    return self._sslobj.peer_certificate(binary_form)
SystemError: <built-in method peer_certificate of _ssl._SSLSocket object at 0x7f98ac154858> returned NULL without setting an error
```
msg276570 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2016-09-15 15:54
Do you happen to talk to an ElasticSearch cluster with a GEN_RID in the subject alternative name field? It's a known bug in Python's ssl code. The fix #27691 will be in the next releases of 2.7 and 3.5.

In the meantime you can work around the bug by reconfiguring your ES cluster and application. You have to use different certs for node <-> client and node <-> node communication. OID 1.2.3.4.5.5 should only be in the cluster communication certs. https://github.com/floragunncom/search-guard-docs/blob/1a35ec309661f7b8fb1efc2586fc298dcb7cb139/installation.md#generating-a-server-certificate
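
An added example, not part of the original message or of CPython's code: to see which certificates carry the registeredID (GEN_RID) subject alternative name described above, this standard-library check walks a DER-encoded certificate and returns any registeredID OIDs it finds. The function names and the sample bytes are assumptions constructed for illustration.

```python
# Added example (not from the issue): list registeredID (GEN_RID) SAN entries.
SAN_OID = bytes.fromhex("551d11")   # 2.5.29.17 subjectAltName
TAG_REGISTERED_ID = 0x88            # GeneralName [8] registeredID (implicit OID)

def read_tlv(buf, pos):             # -> (tag, value, next_pos) of one DER element
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:               # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):                # (tag, value) pairs inside a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def decode_oid(content):            # OID content bytes -> dotted string
    arcs, n = [], 0
    for b in content:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def registered_ids(der):
    """Return dotted OIDs of every registeredID SAN entry in DER data."""
    found = []
    def walk(value):
        items = list(children(value))
        if items and items[0] == (0x06, SAN_OID) and items[-1][0] == 0x04:
            names = read_tlv(items[-1][1], 0)[1]   # GeneralNames SEQUENCE
            found.extend(decode_oid(v) for t, v in children(names)
                         if t == TAG_REGISTERED_ID)
            return
        for tag, val in items:
            if tag & 0x20:          # constructed element: descend into it
                walk(val)
    walk(read_tlv(der, 0)[1])
    return found

# Constructed sample: SAN extension with a dNSName and registeredID 1.2.3.4.5.5.
NAMES = b"\x82\x0dnode1.example" + b"\x88\x05\x2a\x03\x04\x05\x05"
SAMPLE_SAN_EXT = b"\x30\x1f\x06\x03" + SAN_OID + b"\x04\x18\x30\x16" + NAMES
```

For a PEM file, convert it first with `ssl.PEM_cert_to_DER_cert(pem_text)` and pass the result to `registered_ids`; an empty list means the certificate has no registeredID entry.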
msg276571 - (view) Author: Matt Wright (Matt Wright) Date: 2016-09-15 16:02
Ahh! Thanks much!
History

| Date | User | Action | Args |
| --- | --- | --- | --- |
| 2016-09-15 16:02:41 | Matt Wright | set | messages: + msg276571 |
| 2016-09-15 15:54:28 | christian.heimes | set | status: open -> closed; superseder: X509 cert with GEN_RID subject alt name causes SytemError; messages: + msg276570; resolution: duplicate; stage: resolved |
| 2016-09-15 15:47:27 | Matt Wright | create | |