classification
Title: SSL connect() raises SSLError "[SSL] EC lib (_ssl.c:728)"
Type:
Stage: resolved
Components: SSL
Versions: Python 3.5

process
Status: closed
Resolution: not a bug
Dependencies:
Superseder:
Assigned To: christian.heimes
Nosy List: andymaier, christian.heimes
Priority: normal
Keywords:

Created on 2019-11-15 08:33 by andymaier, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Messages (7)
msg356654 - Author: Andy Maier (andymaier) Date: 2019-11-15 08:33
A user of our pywbem package gets an SSLError with message "[SSL] EC lib (_ssl.c:728)" when invoking the connect() method on an SSL wrapped socket. See https://github.com/pywbem/pywbem/issues/1950.

The issue is that with this error message, it is not possible for us to figure out what the problem is and how to correct it.

This happens with CPython 3.5.

I have tried to find the place in _ssl.c (https://github.com/python/cpython/blob/3.5/Modules/_ssl.c) where a string "EC lib" or " lib" is created but did not find it there.

I have two requests:

1. Please explain what the reason is for this exception and what to change in the environment to make it work.

2. Please improve the message in this exception so that it is self-explanatory.
msg356657 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2019-11-15 08:52
The error message is coming from OpenSSL, not from Python. It looks like the handshake is failing with a problem in OpenSSL's internal elliptic curve crypto. It usually means that the server is sending handshake parameters or certs that the client cannot process. It could be a problem with key agreement with ECDHE or cert validation with an EC cert.

It's impossible to say what exactly is going wrong. I suggest that you start by debugging the issue with openssl s_client, Wireshark and gdb on the system.
msg356659 - Author: Andy Maier (andymaier) Date: 2019-11-15 09:02
More details about the environment this happens on:

Python 3.5.7 (default, Aug 16 2019, 10:17:32)
[GCC 4.4.7 20120313 (Red Hat 4.4.7-4)] on linux
msg356662 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2019-11-15 09:13
This looks like a self-compiled Python 3.5 on an ancient, unsupported RHEL 4 box. What's the OpenSSL version of the machine and the server?
msg356665 - Author: Christian Heimes (christian.heimes) (Python committer) Date: 2019-11-15 09:26
Sorry, Kernel version 4.4.7 is RHEL 6.
msg357547 - Author: Andy Maier (andymaier) Date: 2019-11-27 01:31
Our user was able to fix this issue by upgrading the OpenSSL version used on the client side from 1.0.1e-fips to 1.1.1.

It seems to me that Python's SSL support cannot do anything about this issue. As far as I'm concerned this issue can be closed.
msg357548 - Author: Andy Maier (andymaier) Date: 2019-11-27 01:32
Thanks for the help, Christian!
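
Added example, not part of the thread and not code from CPython or pywbem: a diagnostic helper for the situation discussed above. It splits an SSLError message of the form shown in the issue title into the OpenSSL library tag, the reason text produced by OpenSSL and the _ssl.c line where CPython raised the exception, and reports the OpenSSL build the interpreter is linked against. The function names (explain_ssl_error, older_than, probe) and the sample version tuple are constructed for illustration.

```python
import re
import socket
import ssl

# Message layout as in the issue title: "[SSL] EC lib (_ssl.c:728)".
# Optional "[LIBRARY]" or "[LIBRARY: REASON_MNEMONIC]", then the reason text
# produced by OpenSSL, then the _ssl.c line where CPython raised the exception.
_MSG = re.compile(
    r"^(?:\[(?P<library>[A-Z0-9_]+)(?::\s*(?P<mnemonic>[A-Z0-9_]+))?\]\s*)?"
    r"(?P<text>.*?)\s*\((?P<raised_at>_ssl\.c:\d+)\)$"
)


def explain_ssl_error(exc):
    """Separate what OpenSSL reported from what CPython added to the message."""
    message = exc.strerror if isinstance(exc.strerror, str) else str(exc)
    m = _MSG.match(message)
    parts = m.groupdict() if m else {"text": message}
    return {
        "library": getattr(exc, "library", None) or parts.get("library"),
        "reason": getattr(exc, "reason", None) or parts.get("mnemonic"),
        "openssl_text": parts.get("text"),
        "raised_at": parts.get("raised_at"),
        "linked_openssl": ssl.OPENSSL_VERSION,  # the build this interpreter uses
    }


def older_than(version_info, minimum=(1, 1, 1)):
    """True if an ssl.OPENSSL_VERSION_INFO-style tuple is below `minimum`."""
    return tuple(version_info[:3]) < tuple(minimum)


def probe(host, port, timeout=5.0):
    """Try a verified TLS handshake; return None on success, else the details."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLError as exc:
        return explain_ssl_error(exc)


if __name__ == "__main__":
    # Constructed exception carrying the message text from the issue title.
    sample = ssl.SSLError(1, "[SSL] EC lib (_ssl.c:728)")
    print(explain_ssl_error(sample))
    # Constructed tuple standing in for the 1.0.1e build named in the thread.
    print(older_than((1, 0, 1, 5, 15)), older_than(ssl.OPENSSL_VERSION_INFO))
```

Logging the returned dictionary alongside the exception records the linked OpenSSL version, which was the deciding factor in this issue.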

History
Date                 User               Action  Args
2022-04-11 14:59:23  admin              set     github: 82991
2019-11-27 04:12:56  benjamin.peterson  set     status: open -> closed; resolution: not a bug; stage: resolved
2019-11-27 01:32:14  andymaier          set     messages: + msg357548
2019-11-27 01:31:25  andymaier          set     messages: + msg357547
2019-11-15 09:26:27  christian.heimes   set     messages: + msg356665
2019-11-15 09:13:21  christian.heimes   set     messages: + msg356662
2019-11-15 09:02:34  andymaier          set     messages: + msg356659
2019-11-15 08:52:55  christian.heimes   set     messages: + msg356657
2019-11-15 08:33:40  andymaier          create