➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2019-05-09 15:48 by sivel, last changed 2022-04-11 14:59 by admin.
| Messages (3) | |||
|---|---|---|---|
| msg341985 - (view) | Author: Matt Martz (sivel) * | Date: 2019-05-09 15:48 | |
The behavior of how SSL certificate validation is handled was changed in https://bugs.python.org/issue31399 This introduced a new exception, ssl.SSLCertVerificationError, which is raised for any certificate validation error, instead of the previous exception ssl.CertificateError. The primary difference here comes into play in urllib.request: https://github.com/python/cpython/blob/da0847048aa7f934573fa449cea8643def056aa5/Lib/urllib/request.py#L1314-L1318 Previously ssl.CertificateError was not derived from OSError, it instead was derived from ValueError. As such, as of Python3.7, ssl.SSLCertVerificationError is caught by the exception handling referenced above, as it is derived from OSError, and raised as a URLError, causing exception handling issues. You must now introspect e.reason to determine if the exception was caused due to certificate verification or any other URLError, instead of simply catching separate exception types. |
|||
| msg342200 - (view) | Author: Christian Heimes (christian.heimes) *  |
Date: 2019-05-11 15:37 | |
Starting with 3.7, all OpenSSL and certificate-related exceptions are derived from SSLError. SSLError is a subclass of OSError. For backwards compatibility, SSLCertVerificationError is both a subclass of SSLError and ValueError. >>> ssl.CertificateError <class 'ssl.SSLCertVerificationError'> >>> ssl.CertificateError.__mro__ (<class 'ssl.SSLCertVerificationError'>, <class 'ssl.SSLError'>, <class 'OSError'>, <class 'ValueError'>, <class 'Exception'>, <class 'BaseException'>, <class 'object'>) The new behavior is more consistent than the previous. Now all SSL handshake errors are wrapped in URLError. In 3.6 and earlier unsupported TLS version, cipher suite mismatch, and similar were wrapped in URLError. Certificate related issues like untrusted cert, expired cert, hostname verification failure was not wrapped in URLError. You had to check error.reason for SSL-related errors any way. I like to argue that the ssl module in 3.7 handles exceptions more consistently and is an improvement. The URLError behavior change is an unfortunate but reasonable side effect. Ned, what do you think? |
|||
| msg342204 - (view) | Author: Christian Heimes (christian.heimes) * |
Date: 2019-05-11 16:05 | |
Update: 3.6 and earlier raised SSLError for untrusted or expired certs. Only hostname mismatch was not wrapped into URLError. |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:59:14 | admin | set | github: 81047 |
| 2021-04-17 19:34:44 | christian.heimes | set | assignee: christian.heimes -> nosy: - christian.heimes components: - SSL versions: + Python 3.10, - Python 3.7 |
| 2019-05-11 16:05:41 | christian.heimes | set | messages: + msg342204 |
| 2019-05-11 15:37:14 | christian.heimes | set | messages: + msg342200 |
| 2019-05-09 22:25:30 | vstinner | set | nosy:
- vstinner |
| 2019-05-09 18:41:46 | ned.deily | set | nosy:
+ ned.deily |
| 2019-05-09 15:48:32 | sivel | create | |