classification
Title: Broken CRL functionality in ssl.py
Type: behavior Stage: resolved
Components: SSL Versions: Python 3.6
process
Status: closed Resolution: out of date
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: Joe N, christian.heimes, docs@python
Priority: normal Keywords:

Created on 2018-07-09 19:13 by Joe N, last changed 2021-04-17 18:21 by christian.heimes. This issue is now closed.

Files
File name Uploaded Description Edit
testcrl.py christian.heimes, 2018-07-09 20:37
Messages (3)
msg321343 - (view) Author: Joe N (Joe N) Date: 2018-07-09 19:13
CRLs in ssl.py or at the documentation is broken. Specifically I think the documentation here is wrong: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_verify_locations

Here is a stackoverflow post: https://stackoverflow.com/questions/51196492/how-to-use-crls-in-pyopenssl?noredirect=1#comment89407186_51196492 

I made a very user friendly test suite of files to show how it is broken. 

Run the code in here (follow readme instructions) to see the bug.
https://github.com/nettijoe96/bugInSSL
msg321349 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2018-07-09 20:37
Cert revocation check is working fine for me. I've attached a demo script that uses badssl.com:

$ curl -O http://crl3.digicert.com/ssca-sha2-g5.crl
$ openssl crl -in ssca-sha2-g5.crl -inform DER -out ssca-sha2-g5.pem.crl -outform PEM
$ python3.7 testcrl.py 
Traceback (most recent call last):
  File "testcrl.py", line 19, in <module>
    s.connect(('revoked.badssl.com', 443))
  File "/usr/lib64/python3.7/ssl.py", line 1141, in connect
    self._real_connect(addr, False)
  File "/usr/lib64/python3.7/ssl.py", line 1132, in _real_connect
    self.do_handshake()
  File "/usr/lib64/python3.7/ssl.py", line 1108, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate revoked (_ssl.c:1045)

openssl s_client:

$ cat /etc/pki/tls/cert.pem ssca-sha2-g5.pem.crl > combined.pem
$ openssl s_client -connect revoked.badssl.com:443 -servername revoked.badssl.com -CAfile combined.pem | grep Verify
    Verify return code: 0 (ok)
$ openssl s_client -connect revoked.badssl.com:443 -servername revoked.badssl.com -CAfile combined.pem -crl_check | grep Verify
    Verify return code: 23 (certificate revoked)
msg391300 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-04-17 18:21
No response in over two years. I'm closing the issue. Please feel free to reopen the issue with more information.
History
Date User Action Args
2021-04-17 18:21:50christian.heimessetstatus: open -> closed
resolution: out of date
messages: + msg391300

stage: resolved
2018-07-09 20:37:03christian.heimessetfiles: + testcrl.py

messages: + msg321349
2018-07-09 19:13:36Joe Ncreate