This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: ssl.get_server_certificate fails with openssl 1.1.0 but works with 1.0.2g for self-signed certificate
Type: behavior Stage: resolved
Components: SSL Versions: Python 3.6
process
Status: closed Resolution: out of date
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: Segev Finer, christian.heimes, dsanghan
Priority: normal Keywords:

Created on 2018-06-08 12:59 by dsanghan, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Messages (5)
msg319059 - (view) Author: Dev Sanghani (dsanghan) Date: 2018-06-08 12:59
Output from Python3.5 with OpenSSL 1.0.2g:
>>> ssl.get_server_certificate(('mail.mani.pt', 993), ssl.PROTOCOL_TLSv1)
'-----BEGIN CERTIFICATE-----\nMIIDdDCCAlygAwIBAgIILeR0neMYiyUwDQYJKoZIhvcNAQEFBQAwSzELMAkGA1UE\nBhMCUFQxJTAjBgNVBAoTHE1BTkkgSU5kdXN0cmlhcyBQbGFzdGljYXMgU0ExFTAT\nBgNVBAMTDG1haWwubWFuaS5wdDAeFw0xODAxMjIxNDA3MDVaFw0yMjAxMjMxNDA3\nMDVaMEsxCzAJBgNVBAYTAlBUMSUwIwYDVQQKExxNQU5JIElOZHVzdHJpYXMgUGxh\nc3RpY2FzIFNBMRUwEwYDVQQDEwxtYWlsLm1hbmkucHQwggEiMA0GCSqGSIb3DQEB\nAQUAA4IBDwAwggEKAoIBAQDdSCNqjELZGKgjPf0NAwHmmR6ZUzDpt2HOwA+97DOP\nWwJ5NOYGeJzhM/yw+P/yAWKB8HzJO6CKCfwe4ilEVxcikK7Gj/rVqfzRb+hWTWC9\nr8lPzWCa3siNdf/rieONz2LR0d/Qf8Uml5NFJ3UkJAo5TZbWizjcLO4/mPrVysau\n5S4yE9pW8dkhENs/IVLce5cjn0WwMQvFntX1x303tAlyC362JEInHePxPmGmDDMo\n3sgBYziv90LlsOviJIbpju5/A1P9r0uXzDQmudZZPqlFHjqNXcdprfVyTgg/C4xQ\nE1UbSL8uIW0CVj9TxXp4njaIC/sr97ptJU/86isFveKBAgMBAAGjXDBaMB0GA1Ud\nDgQWBBSt1Z9m+CaYG+nf39Ty0TqabcaE4TALBgNVHQ8EBAMCArwwEwYDVR0lBAww\nCgYIKwYBBQUHAwEwFwYDVR0RBBAwDoIMbWFpbC5tYW5pLnB0MA0GCSqGSIb3DQEB\nBQUAA4IBAQBk7DQ/+1pYE+0yoHNChFVztjjJASQSas6DaPx9FOFYrPhh9lU5NmBy\nHIzMUHTlkgw/OE713+mPRlxegZWceA7akirhaWocQcOCXzeIQKNouMZ/4ktXIoqY\nmdcYVOS2Et+FBBT1+rAA6OMTDftCRPH/19stA7IcwWo+6GVLWIqCk/2lBNNYrZ0V\nMvwxQeeHcCz5HdU2o0ypROvkhG8Er5qGVeHAv+JCj+Q4EERMoDwocwS8eedwqqPe\nLVCWwSqS8SEizDRNZZfOoXT4AJ/L10RLrnz8wtSffoxS2pZMbhHEBr3WhA72v94L\nCDU+vO9t1YN3WpXeRZfKWLw/qEE8b65H\n-----END CERTIFICATE-----\n'

Output from Python3.6 with OpenSSL 1.1.0:
>>> ssl.get_server_certificate(('mail.mani.pt', 993), ssl.PROTOCOL_TLSv1)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.6/ssl.py", line 1223, in get_server_certificate
    with context.wrap_socket(sock) as sslsock:
  File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib/python3.6/ssl.py", line 814, in __init__
    self.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 1068, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
    self._sslobj.do_handshake()
OSError: [Errno 0] Error
msg321900 - (view) Author: Alan Huang (Alan.Huang) * Date: 2018-07-18 17:04
This is an issue of cipher support, not a Python bug.

mail.mani.pt supports the following (outdated) ciphers:
RC4-SHA (0x05)
RC4-MD5 (0x04)
DES-CBC3-SHA (0x0a)
EXP1024-DES-CBC-SHA (0x62)
DES-CBC-SHA (0x09)
EXP1024-RC4-SHA (0x64)
EXP-RC2-CBC-MD5 (0x06)
EXP-RC4-MD5 (0x03)

OpenSSL 1.0.2k supports RC4-SHA, RC4-MD5, and DES-CBC3-SHA.
OpenSSL 1.1.0g supports none of the above ciphers.

As such, OpenSSL 1.1.0 cannot negotiate a shared cipher suite, but OpenSSL 1.0.2g can.

Update your mailserver to use modern cipher suites and protocols.
msg321960 - (view) Author: Segev Finer (Segev Finer) * Date: 2018-07-19 17:09
Even if the server is outdated and the SSL library doesn't support it anymore, that's a poor exception to raise for such an error...

Sadly I'm not able to access the affected server to reproduce and debug why it raises such a poor exception.
msg321961 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2018-07-19 17:28
It looks like the server is hard-killing the connection. It doesn't respond with a proper TLS error code. Instead the server response to the CLientHello with a FIN/ACK TCP package. The OSError is all we are getting from the network layer.

19:27:20.956332 IP 192.168.7.168.45884 > 195.22.7.222.imaps: Flags [S], seq 4225502143, win 29200, options [mss 1460,sackOK,TS val 2762111573 ecr 0,nop,wscale 7], length 0
19:27:21.007310 IP 195.22.7.222.imaps > 192.168.7.168.45884: Flags [S.], seq 2527363412, ack 4225502144, win 64240, options [mss 1452,nop,wscale 0,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
19:27:21.007413 IP 192.168.7.168.45884 > 195.22.7.222.imaps: Flags [.], ack 1, win 229, options [nop,nop,TS val 2762111625 ecr 0], length 0
19:27:21.007775 IP 192.168.7.168.45884 > 195.22.7.222.imaps: Flags [P.], seq 1:111, ack 1, win 229, options [nop,nop,TS val 2762111625 ecr 0], length 110
19:27:21.060476 IP 195.22.7.222.imaps > 192.168.7.168.45884: Flags [F.], seq 1, ack 111, win 64130, options [nop,nop,TS val 37305785 ecr 2762111625], length 0
19:27:21.060767 IP 192.168.7.168.45884 > 195.22.7.222.imaps: Flags [F.], seq 111, ack 2, win 229, options [nop,nop,TS val 2762111678 ecr 37305785], length 0
19:27:21.111577 IP 195.22.7.222.imaps > 192.168.7.168.45884: Flags [.], ack 112, win 64130, options [nop,nop,TS val 37305786 ecr 2762111678], length 0
msg391306 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-04-17 18:59
The issue has been stale for over two years. Closing.
History
Date User Action Args
2022-04-11 14:59:01adminsetgithub: 77989
2021-04-17 18:59:48christian.heimessetstatus: open -> closed
resolution: out of date
messages: + msg391306

stage: resolved
2018-07-19 17:28:11christian.heimessetmessages: + msg321961
2018-07-19 17:09:14Segev Finersetnosy: + Segev Finer, - Alan.Huang
messages: + msg321960
2018-07-18 17:04:30Alan.Huangsetnosy: + Alan.Huang
messages: + msg321900
2018-07-11 07:55:07serhiy.storchakasettype: crash -> behavior
2018-06-08 12:59:14dsanghancreate