This was originally a post at python-ideas. Now I reformat it to be more like a feature request.
Currently, Python raises SSLError with reason=CERTIFICATE_VERIFY_FAILED for all kinds of certificate verification failures. This results in difficulties in debugging SSL errors for others. (Some downstream bug reports: [1][2]) In OpenSSL, such errors are further divided into several kinds. For example, expired certificates result in X509_V_ERR_CERT_HAS_EXPIRED, and typical self-signed certificates fall into X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT. The error code can be retrieved via `SSL_get_verify_result` and human readable messages are available from `X509_verify_cert_error_string`. I hope I can get error messages like this: (Omit URLError to avoid verbose messages)
$ ./python -c 'import urllib.request; urllib.request.urlopen("https://self-signed.badssl.com/")'
Traceback (most recent call last):
File "/home/yen/Projects/cpython/Lib/urllib/request.py", line 1318, in do_open
encode_chunked=req.has_header('Transfer-encoding'))
File "/home/yen/Projects/cpython/Lib/http/client.py", line 1239, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/home/yen/Projects/cpython/Lib/http/client.py", line 1285, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/home/yen/Projects/cpython/Lib/http/client.py", line 1234, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/home/yen/Projects/cpython/Lib/http/client.py", line 1026, in _send_output
self.send(msg)
File "/home/yen/Projects/cpython/Lib/http/client.py", line 964, in send
self.connect()
File "/home/yen/Projects/cpython/Lib/http/client.py", line 1400, in connect
server_hostname=server_hostname)
File "/home/yen/Projects/cpython/Lib/ssl.py", line 401, in wrap_socket
_context=self, _session=session)
File "/home/yen/Projects/cpython/Lib/ssl.py", line 808, in __init__
self.do_handshake()
File "/home/yen/Projects/cpython/Lib/ssl.py", line 1061, in do_handshake
self._sslobj.do_handshake()
File "/home/yen/Projects/cpython/Lib/ssl.py", line 683, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED: DEPTH_ZERO_SELF_SIGNED_CERT] certificate verify failed: self signed certificate (_ssl.c:752)
And for expired certificates:
$ ./python -c 'import urllib.request; urllib.request.urlopen("https://expired.badssl.com/")'
Traceback (most recent call last):
File "/home/yen/Projects/cpython/Lib/urllib/request.py", line 1318, in do_open
encode_chunked=req.has_header('Transfer-encoding'))
File "/home/yen/Projects/cpython/Lib/http/client.py", line 1239, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/home/yen/Projects/cpython/Lib/http/client.py", line 1285, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/home/yen/Projects/cpython/Lib/http/client.py", line 1234, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/home/yen/Projects/cpython/Lib/http/client.py", line 1026, in _send_output
self.send(msg)
File "/home/yen/Projects/cpython/Lib/http/client.py", line 964, in send
self.connect()
File "/home/yen/Projects/cpython/Lib/http/client.py", line 1400, in connect
server_hostname=server_hostname)
File "/home/yen/Projects/cpython/Lib/ssl.py", line 401, in wrap_socket
_context=self, _session=session)
File "/home/yen/Projects/cpython/Lib/ssl.py", line 808, in __init__
self.do_handshake()
File "/home/yen/Projects/cpython/Lib/ssl.py", line 1061, in do_handshake
self._sslobj.do_handshake()
File "/home/yen/Projects/cpython/Lib/ssl.py", line 683, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED: CERT_HAS_EXPIRED] certificate verify failed: certificate has expired (_ssl.c:752)
I've once tried to achieve it, but my CPython knowledge is way too limited to give a good enough patch.
[1] https://github.com/rg3/youtube-dl/issues/10574
[2] https://github.com/rg3/youtube-dl/issues/7309
|
With this change: (tested with OpenSSL git-master)
@@ -632,20 +651,22 @@ newPySSLSocket(PySSLContext *sslctx, PyS
SSL_set_bio(self->ssl, inbio->bio, outbio->bio);
}
mode = SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER;
#ifdef SSL_MODE_AUTO_RETRY
mode |= SSL_MODE_AUTO_RETRY;
#endif
SSL_set_mode(self->ssl, mode);
+ if (server_hostname != NULL) {
#if HAVE_SNI
- if (server_hostname != NULL)
SSL_set_tlsext_host_name(self->ssl, server_hostname);
#endif
+ SSL_set1_host(self->ssl, server_hostname);
+ }
/* If the socket is in non-blocking mode or timeout mode, set the BIO
* to non-blocking mode (blocking is the default)
*/
if (sock && sock->sock_timeout >= 0) {
BIO_set_nbio(SSL_get_rbio(self->ssl), 1);
BIO_set_nbio(SSL_get_wbio(self->ssl), 1);
}
When connecting to https://wrong.host.badssl.com/, the error is:
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch (_ssl.c:768)
With this change in mind, an idea is to drop the Python implementation of match_hostname and rely on OpenSSL's checking mechanism (`do_x509_check`). As a result:
* ssl.CertificateError can be either an alias of ssl.SSLCertVerificationError or a subclass of it
* When verify_result is X509_V_ERR_HOSTNAME_MISMATCH, the error message is formatted with more information following the current approach in `match_hostname` ("hostname XXX doesn't match YYY...")
|