➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2018-08-20 11:22 by Lennart Grahl, last changed 2022-04-11 14:59 by admin. This issue is now closed.
| Files | ||||
|---|---|---|---|---|
| File name | Uploaded | Description | Edit | |
| minimal_server.zip | Lennart Grahl, 2018-08-20 11:22 | |||
| Messages (5) | |||
|---|---|---|---|
| msg323783 - (view) | Author: Lennart Grahl (Lennart Grahl) | Date: 2018-08-20 11:22 | |
When running the attached script with the attached cert, Python 3.7 raises an exception (see https://paste.pound-python.org/show/VLr84Yn2Fnz6RSKEq3ui/). In Python 3.6, the certificate is being accepted. I don't see anything wrong with the self-signed certificate. You can (hopefully) reproduce this by running minimal_server.py |
|||
| msg323784 - (view) | Author: Christian Heimes (christian.heimes) *  |
Date: 2018-08-20 11:43 | |
The exception message is: ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '127.0.0.1'. (_ssl.c:1045) The certificate is not valid for the URL. You are connection to a server by IP address, but the certificate is not valid for that IP address. |
|||
| msg323785 - (view) | Author: Lennart Grahl (Lennart Grahl) | Date: 2018-08-20 12:00 | |
Hi.
I don't see why the certificate would not be valid for that address. Python 3.6 also accepts it without any modifications to the script.
Output of openssl x509 -in cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
bc:28:67:9a:b0:fe:d6:b8
Signature Algorithm: ecdsa-with-SHA256
Issuer: CN = 127.0.0.1
Validity
Not Before: Mar 23 16:52:01 2017 GMT
Not After : Mar 21 16:52:01 2027 GMT
Subject: CN = 127.0.0.1
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:9d:e3:f2:f6:e2:8c:f3:25:82:3e:9e:bc:c5:69:
27:34:be:45:89:4a:51:ce:67:4e:b8:a0:b1:a2:bd:
fa:39:f9:38:85:a3:9c:a6:c4:c9:78:24:c7:17:5c:
2b:00:af:7f:73:e2:49:68:9c:37:29:ae:69:bf:b5:
49:06:a8:b8:1d
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
X509v3 Subject Key Identifier:
17:66:86:40:B1:C4:BF:77:09:C7:DC:9F:4D:78:4A:BF:07:19:AD:8C
X509v3 Authority Key Identifier:
keyid:17:66:86:40:B1:C4:BF:77:09:C7:DC:9F:4D:78:4A:BF:07:19:AD:8C
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: ecdsa-with-SHA256
30:44:02:20:09:d2:c1:85:f9:c5:7f:78:3e:cc:90:78:25:dc:
9e:76:ef:62:7a:e5:38:0a:a1:6c:c6:27:af:ed:ec:1d:12:06:
02:20:5d:d0:de:8e:46:ee:e3:67:35:66:fe:11:6e:56:b5:70:
72:16:33:92:66:0f:6c:da:51:0c:74:d8:c1:b8:8f:b5
|
|||
| msg323786 - (view) | Author: Christian Heimes (christian.heimes) * |
Date: 2018-08-20 12:07 | |
Python 3.6 is a little more forgiving than Python 3.7. Python 3.7 uses OpenSSL's hostname verification algorithms, which interpret the RFCs more strictly. You have to include a SAN field of type IP address. Matching against CN has been deprecated for more than 15 years, see https://bugs.chromium.org/p/chromium/issues/detail?id=308330 |
|||
| msg323788 - (view) | Author: Lennart Grahl (Lennart Grahl) | Date: 2018-08-20 13:11 | |
Cheers! |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:59:04 | admin | set | github: 78621 |
| 2018-08-20 13:11:09 | Lennart Grahl | set | messages: + msg323788 |
| 2018-08-20 12:07:23 | christian.heimes | set | messages: + msg323786 |
| 2018-08-20 12:00:29 | Lennart Grahl | set | messages: + msg323785 |
| 2018-08-20 11:43:12 | christian.heimes | set | status: open -> closed type: behavior messages: + msg323784 resolution: not a bug stage: resolved |
| 2018-08-20 11:22:01 | Lennart Grahl | create | |