Issue29065
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2016-12-24 22:28 by ugultopu, last changed 2022-04-11 14:58 by admin. This issue is now closed.
Messages (3) | |||
---|---|---|---|
msg283976 - (view) | Author: Utku Gultopu (ugultopu) | Date: 2016-12-24 22:28 | |
It seems like ssl module is not working for me: (virtualenv) user@host:~$ python Python 3.6.0 (v3.6.0:41df79263a11, Dec 22 2016, 17:23:13) [GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin Type "help", "copyright", "credits" or "license" for more information. >>> import ssl >>> import socket >>> context = ssl.create_default_context() >>> conn = context.wrap_socket(socket.socket(socket.AF_INET), server_hostname="www.python.org") >>> conn.connect(("www.python.org", 443)) Traceback (most recent call last): File "<stdin>", line 1, in <module> File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/ssl.py", line 1093, in connect self._real_connect(addr, False) File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/ssl.py", line 1084, in _real_connect self.do_handshake() File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/ssl.py", line 1061, in do_handshake self._sslobj.do_handshake() File "/Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/ssl.py", line 683, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749) >>> It seems like a problem with OpenSSL in Sierra itself. Because the following command does not work either: (virtualenv) user@host:~$ openssl s_client -connect www.python.org:443 CONNECTED(00000003) depth=1 /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA verify error:num=20:unable to get local issuer certificate verify return:0 --- Certificate chain 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=3359300/street=16 Allen Rd/postalCode=03894-4801/C=US/ST=NH/L=Wolfeboro/O=Python Software Foundation/CN=www.python.org i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA --- Server certificate -----BEGIN CERTIFICATE----- MIIIWjCCB0KgAwIBAgIQCXCW7BLw16II/CMOsOFe/jANBgkqhkiG9w0BAQsFADB1 MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3 d3cuZGlnaWNlcnQuY29tMTQwMgYDVQQDEytEaWdpQ2VydCBTSEEyIEV4dGVuZGVk IFZhbGlkYXRpb24gU2VydmVyIENBMB4XDTE2MDYyOTAwMDAwMFoXDTE4MDkyNzEy MDAwMFowgfgxHTAbBgNVBA8TFFByaXZhdGUgT3JnYW5pemF0aW9uMRMwEQYLKwYB BAGCNzwCAQMTAlVTMRkwFwYLKwYBBAGCNzwCAQITCERlbGF3YXJlMRAwDgYDVQQF EwczMzU5MzAwMRQwEgYDVQQJEwsxNiBBbGxlbiBSZDETMBEGA1UEERMKMDM4OTQt NDgwMTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAk5IMRIwEAYDVQQHEwlXb2xmZWJv cm8xIzAhBgNVBAoTGlB5dGhvbiBTb2Z0d2FyZSBGb3VuZGF0aW9uMRcwFQYDVQQD Ew53d3cucHl0aG9uLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB AMpgUlIza25mor2AW20yRs8uHtRJs0kXpMF2zATQjhYAgfpqjoKugoWBlMrLCFQj G/Aq8W7pT4WWHCb9Nv2QGdnIEapxi5HSfxc3b1HIRmJDdfxsc2Y4dATfgzIS4wNw jDM9tmYcMZMKZVdW4WxurQIka8r3tBFP944yAllRn8uuFVXSDYALkZOiiWxuMYKA q40hYrDhWO53uKk23HNBo5Kgfvcj3t0ZcMSkzekClxyxgyS1nnkNWIdEEMCP/FFU UXrQt0MEtkmfc++6Ps2SEiHL2T4MEqY8eE0ss6Mvmt+yzy8QsZOArrpxv7l8OwBO 5yB0LU3ByoQan1O/upeNclkCAwEAAaOCBGAwggRcMB8GA1UdIwQYMBaAFD3TUKXW oK3u80pgCmXTIdT4+NYPMB0GA1UdDgQWBBTL2ztKcGS38IxHEASJaOzwHuUqljCC AQsGA1UdEQSCAQIwgf+CDnd3dy5weXRob24ub3Jngg9kb2NzLnB5dGhvbi5vcmeC D2J1Z3MucHl0aG9uLm9yZ4IPd2lraS5weXRob24ub3Jngg1oZy5weXRob24ub3Jn gg9tYWlsLnB5dGhvbi5vcmeCD3B5cGkucHl0aG9uLm9yZ4IUcGFja2FnaW5nLnB5 dGhvbi5vcmeCEGxvZ2luLnB5dGhvbi5vcmeCEmRpc2N1c3MucHl0aG9uLm9yZ4IM dXMucHljb24ub3JnggdweXBpLmlvggxkb2NzLnB5cGkuaW+CCHB5cGkub3Jngg1k b2NzLnB5cGkub3Jngg9kb25hdGUucHlwaS5vcmcwDgYDVR0PAQH/BAQDAgWgMB0G A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB1BgNVHR8EbjBsMDSgMqAwhi5o dHRwOi8vY3JsMy5kaWdpY2VydC5jb20vc2hhMi1ldi1zZXJ2ZXItZzEuY3JsMDSg MqAwhi5odHRwOi8vY3JsNC5kaWdpY2VydC5jb20vc2hhMi1ldi1zZXJ2ZXItZzEu Y3JsMEsGA1UdIAREMEIwNwYJYIZIAYb9bAIBMCowKAYIKwYBBQUHAgEWHGh0dHBz Oi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwBwYFZ4EMAQEwgYgGCCsGAQUFBwEBBHww ejAkBggrBgEFBQcwAYYYaHR0cDovL29jc3AuZGlnaWNlcnQuY29tMFIGCCsGAQUF BzAChkZodHRwOi8vY2FjZXJ0cy5kaWdpY2VydC5jb20vRGlnaUNlcnRTSEEyRXh0 ZW5kZWRWYWxpZGF0aW9uU2VydmVyQ0EuY3J0MAwGA1UdEwEB/wQCMAAwggF9Bgor BgEEAdZ5AgQCBIIBbQSCAWkBZwB2AKS5CZC0GFgUh7sTosxncAo8NZgE+RvfuON3 zQ7IDdwQAAABVkgj4a8AAAQDAEcwRQIhAMhsxamO6hrRjfNmH4Yj/cnJo72cmTHm rSlEi0FHilNtAiB/tDiULYh6rf9H5eKmrV8PRsvFNSflBsQIIF1VejnWrwB2AGj2 mPgfZIK+OozuuSgdTPxxUV1nk9RE0QpnrLtPT/vEAAABVkgj4XYAAAQDAEcwRQIg Ygh+rvtk2KQd2CRaM+whfGgc6waZACSMgwzYVmOZr9sCIQDGs78IDIoPZhNBGfIK xXQdq8DwAjahQboXeJWx/AfAxQB1AFYUBpov18Ls0/XhvUSyPsdGdrm8mRFcwO+U mFXWidDdAAABVkgj4dkAAAQDAEYwRAIgMOOdrhZ0280XsmWuLt7fcFnwtRIu42j7 WmRrQ2NlJLUCIG5Z6vzlhvFNIhN67A0G/hrRH7hzJ13/elILZcjZYJQqMA0GCSqG SIb3DQEBCwUAA4IBAQCuDt1T9tBxAVYp2u10uONL6FTHQlgguQCiN5ANmjp6dUAq 2I1nCgZB9nxhGUFOsdiQ5DFDgJ0xTAgwF4nWAyXEHKjyacoaUOh3Zq7A62r5+0eE P3XDNKIN2TWF3+djFneND/uqqpDGo2bMdcm9l0dvktUP9xQXIZBBkOMJZfXSxh0/ 7H+bDizx+bq/5Dwv97fs770UCz5LqGRuIUaZQvBQblsP5QoBaKEYW5Hsmfu9FWbW 0qreV7KHFp7ONBSKFUefbG0Q37O8oTPr7JnMxTvdUcthJOLcN9IHo2StTzv3Wru0 5njv0zLw7zwePKc9YJ1YBLmLj7vPxyy/XoW8+8hI -----END CERTIFICATE----- subject=/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=3359300/street=16 Allen Rd/postalCode=03894-4801/C=US/ST=NH/L=Wolfeboro/O=Python Software Foundation/CN=www.python.org issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 Extended Validation Server CA --- No client certificate CA names sent --- SSL handshake has read 3524 bytes and written 456 bytes --- New, TLSv1/SSLv3, Cipher is AES128-SHA Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : AES128-SHA Session-ID: 239A88888D772216EDDD8C204996A901BAD27D50B929E6A626955472456077B6 Session-ID-ctx: Master-Key: FB1EAC13FFD2F42DA5BF0364E3A08A869DD129389374416B6574F6D852692888F991B79027143A81963FA7594FFB85BD Key-Arg : None Start Time: 1482618121 Timeout : 300 (sec) Verify return code: 0 (ok) --- Connecting to `www.python.org` (or any other secure site) works on web browsers. Also, `DigiCert High Assurance EV Root CA` exists in the System Roots section of Keychain. I guess the problem might be that ssl module does not use the Keychain, like `openssl` command. Regards |
|||
msg283984 - (view) | Author: Ned Deily (ned.deily) * | Date: 2016-12-25 03:11 | |
From the output you supplied, you appear to be using Python 3.6.0 from the python.org macOS binary installer. Please read the ReadMe.rtf file for the installer which should have been displayed when you installed Python 3.6; a copy of it is also installed in /Applications/Python 3.6. You can read it by double-clicking on the icon in the Finder or by entering the following shell command: open "/Applications/Python 3.6/ReadMe.rtf" In it, the section on "Certificate verification and OpenSSL" notes that, as of the 3.6.0 installer, the Python supplied no longer links with the deprecated Apple-supplied system OpenSSL libraries but rather supplies a private copy of OpenSSL 1.0.2 which does not automatically access the system default root certificates. "For 3.6.0, a sample command script is included in /Applications/Python 3.6 to install a curated bundle of default root certificates from the third-party certifi package (https://pypi.python.org/pypi/certifi). If you choose to use certifi, you should consider subscribing to the project's email update service to be notified when the certificate bundle is updated." You can run the command script by double-clicking on it or by entering the shell command: open "/Applications/Python 3.6/Install Certificates.command" If necessary, you can adapt the script for other options rather than using the certifi-supplied bundle. For later releases, other standard options will likely be provided. I don't understand your comment that using the system openssl command doesn't work, e.g. "openssl s_client -connect www.python.org:443". The output you supply appears to show it working as expected. But, in any case, that's not relevant to the Python 3.6 usage as different OpenSSL versions and libraries are being used. Also note that this description only applies to the Python 3.6 supplied by the python.org macOS installer. mscOS Pythons supplied by third-party distributors likely link with each distributor's version of OpenSSL and follow their root certificate policies. |
|||
msg283985 - (view) | Author: Ned Deily (ned.deily) * | Date: 2016-12-25 03:33 | |
I've also added a note to the release downloads "Notes on this release" section: "macOS users: If you are using the Python 3.6 from the python.org binary installer linked on this page, please carefully read the Important Information displayed during installation; this information is also available after installation by clicking on /Applications/Python 3.6/ReadMe.rtf. There is important information there about changes in the 3.6.0 installer-supplied Python, particularly with regard to SSL certificate validation." |
History | |||
---|---|---|---|
Date | User | Action | Args |
2022-04-11 14:58:41 | admin | set | github: 73251 |
2016-12-25 03:33:40 | ned.deily | set | messages: + msg283985 |
2016-12-25 03:11:29 | ned.deily | set | status: open -> closed messages: + msg283984 assignee: christian.heimes -> resolution: not a bug stage: resolved |
2016-12-24 22:28:08 | ugultopu | create |