This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Title: Broken CRL functionality in
Type: behavior Stage: resolved
Components: SSL Versions: Python 3.6
Status: closed Resolution: out of date
Dependencies: Superseder:
Assigned To: christian.heimes Nosy List: Joe N, christian.heimes, docs@python
Priority: normal Keywords:

Created on 2018-07-09 19:13 by Joe N, last changed 2022-04-11 14:59 by admin. This issue is now closed.

File name Uploaded Description Edit christian.heimes, 2018-07-09 20:37
Messages (3)
msg321343 - (view) Author: Joe N (Joe N) Date: 2018-07-09 19:13
CRLs in or at the documentation is broken. Specifically I think the documentation here is wrong:

Here is a stackoverflow post: 

I made a very user friendly test suite of files to show how it is broken. 

Run the code in here (follow readme instructions) to see the bug.
msg321349 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2018-07-09 20:37
Cert revocation check is working fine for me. I've attached a demo script that uses

$ curl -O
$ openssl crl -in ssca-sha2-g5.crl -inform DER -out ssca-sha2-g5.pem.crl -outform PEM
$ python3.7 
Traceback (most recent call last):
  File "", line 19, in <module>
    s.connect(('', 443))
  File "/usr/lib64/python3.7/", line 1141, in connect
    self._real_connect(addr, False)
  File "/usr/lib64/python3.7/", line 1132, in _real_connect
  File "/usr/lib64/python3.7/", line 1108, in do_handshake
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate revoked (_ssl.c:1045)

openssl s_client:

$ cat /etc/pki/tls/cert.pem ssca-sha2-g5.pem.crl > combined.pem
$ openssl s_client -connect -servername -CAfile combined.pem | grep Verify
    Verify return code: 0 (ok)
$ openssl s_client -connect -servername -CAfile combined.pem -crl_check | grep Verify
    Verify return code: 23 (certificate revoked)
msg391300 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2021-04-17 18:21
No response in over two years. I'm closing the issue. Please feel free to reopen the issue with more information.
Date User Action Args
2022-04-11 14:59:02adminsetgithub: 78259
2021-04-17 18:21:50christian.heimessetstatus: open -> closed
resolution: out of date
messages: + msg391300

stage: resolved
2018-07-09 20:37:03christian.heimessetfiles: +

messages: + msg321349
2018-07-09 19:13:36Joe Ncreate