classification
Title: SSL Certificate verify failed in Python3.6/3.7
Type: behavior
Stage: resolved
Components: SSL
Versions: Python 3.6

process
Status: closed
Resolution: out of date
Dependencies:
Superseder:
Assigned To: christian.heimes
Nosy List: Chirs, christian.heimes
Priority: normal
Keywords:

Created on 2020-07-08 08:27 by Chirs, last changed 2020-07-09 01:08 by Chirs. This issue is now closed.

Files
File name Uploaded Description
19316811113.crt Chirs, 2020-07-08 08:27 SSL certificate
server_cer.txt Chirs, 2020-07-08 08:53
server_cer_1.txt Chirs, 2020-07-08 10:20
Messages (9)
msg373286 - (view) Author: Wu Wenyan (Chirs) Date: 2020-07-08 08:27
I am running the following code in python3.6 to connect to a storage.
[root@controller wuwy]# python3
Python 3.6.8 (default, Jan 11 2019, 02:17:16)
[GCC 8.2.1 20180905 (Red Hat 8.2.1-3)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pywbem
>>> ip = '193.168.11.113'
>>> user = '193_160_28_29'
>>> password = '193_160_28_29'
>>> url = 'https://193.168.11.113:5989'
>>> ca_certs = '/home/ca.cer'
>>> conn = pywbem.WBEMConnection(url,(user, password),default_namespace='root/example',ca_certs=ca_certs,no_verification=False)
>>> conn.EnumerateInstances('EXAMPLE_StorageProduct')

And I am getting the below error.
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_operations.py", line 1919, in EnumerateInstances
    **extra)
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_operations.py", line 1232, in _imethodcall
    conn_id=self.conn_id)
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_http.py", line 776, in wbem_request
    client.endheaders()
  File "/usr/lib64/python3.6/http/client.py", line 1234, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1026, in _send_output
    self.send(msg)
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_http.py", line 461, in send
    self.connect()  # pylint: disable=no-member
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_http.py", line 619, in connect
    return self.sock.connect((self.host, self.port))
  File "/usr/lib64/python3.6/ssl.py", line 1064, in connect
    self._real_connect(addr, False)
  File "/usr/lib64/python3.6/ssl.py", line 1055, in _real_connect
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1032, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    raise ValueError("check_hostname needs server_hostname "
ValueError: check_hostname needs server_hostname argument

When I run the same code in python3.7, the error changes.
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/python3/lib/python3.7/site-packages/pywbem/_cim_operations.py", line 2494, in EnumerateInstances
    **extra)
  File "/usr/python3/lib/python3.7/site-packages/pywbem/_cim_operations.py", line 1763, in _imethodcall
    conn_id=self.conn_id)
  File "/usr/python3/lib/python3.7/site-packages/pywbem/_cim_http.py", line 824, in wbem_request
    client.endheaders()
  File "/usr/python3/lib/python3.7/http/client.py", line 1224, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/python3/lib/python3.7/http/client.py", line 1016, in _send_output
    self.send(msg)
  File "/usr/python3/lib/python3.7/site-packages/pywbem/_cim_http.py", line 483, in send
    self.connect()  # pylint: disable=no-member
  File "/usr/python3/lib/python3.7/site-packages/pywbem/_cim_http.py", line 661, in connect
    conn_id=conn_id)
pywbem._exceptions.ConnectionError: SSL error <class 'ssl.SSLCertVerificationError'>: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '193.168.11.113'. (_ssl.c:1045); OpenSSL version: OpenSSL 1.1.1c FIPS  28 May 2019

This code works fine with python2.7 version.

And I checked the CN and SAN of the certificate; there seems to be no problem here.

So could anyone tell me what's the problem here?
msg373290 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2020-07-08 08:34
Are you running Python 2.7 on RHEL 7? Python 2.7 on RHEL 7 does not verify certs by default, see https://access.redhat.com/articles/2039753

Could you please post the output of 'openssl x509 -text -in path/to/cert' for your certificate?
msg373292 - (view) Author: Wu Wenyan (Chirs) Date: 2020-07-08 08:53
I am running Python on CentOS 7.
See the result in the attached file.
msg373294 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2020-07-08 09:05
Your certificate does not have a subject alternative name extension. CN hostname matching has been deprecated for like 15 years. OpenSSL may ignore the CN and require a proper SAN extension of type IP general name.
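The SAN requirement from msg373294, shown as an added example that is not part of the original thread: a hypothetical helper `san_match` applies a SAN-only policy (no CN fallback, an assumption that may be stricter than a given TLS stack) to certificate dicts shaped like `ssl.SSLSocket.getpeercert()` output. The three sample certificates are constructed for illustration and show why an IP target needs a SAN entry of type IP, not a CN or a DNS-typed entry holding the address.

```python
import ipaddress

# Constructed samples shaped like ssl.SSLSocket.getpeercert() output.
CN_ONLY = {"subject": ((("commonName", "193.168.11.113"),),)}
DNS_TYPED = dict(CN_ONLY, subjectAltName=(("DNS", "193.168.11.113"),))
IP_SAN = dict(CN_ONLY, subjectAltName=(("IP Address", "193.168.11.113"),))


def _dns_match(pattern, host):
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        # A wildcard covers exactly one left-most label.
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host


def san_match(cert, host):
    """Hypothetical helper: return (ok, reason) using SAN entries only."""
    san = cert.get("subjectAltName", ())
    if not san:
        return False, "no subjectAltName extension; CN is not consulted"
    try:
        target = ipaddress.ip_address(host)
    except ValueError:
        target = None  # not an IP literal, treat as a DNS name
    if target is not None:
        # An IP target matches only entries of type "IP Address".
        values = [v.strip() for k, v in san if k == "IP Address"]
        if not values:
            return False, "SAN present but has no IP Address entry"
        for v in values:
            try:
                if ipaddress.ip_address(v) == target:
                    return True, "matched IP Address entry"
            except ValueError:
                continue  # skip malformed entries
        return False, "IP address mismatch"
    names = [v for k, v in san if k == "DNS"]
    if any(_dns_match(n, host) for n in names):
        return True, "matched DNS entry"
    return False, "hostname mismatch"


if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY), ("DNS-typed", DNS_TYPED), ("IP SAN", IP_SAN)):
        print(label, san_match(cert, "193.168.11.113"))
```
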
msg373301 - (view) Author: Wu Wenyan (Chirs) Date: 2020-07-08 10:20
You are right. I used openssl.cnf when I created the CSR, and ignored it when I created the cer.
Now the code works fine with python3.7, but it still does not work in python3.6.
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_operations.py", line 1919, in EnumerateInstances
    **extra)
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_operations.py", line 1232, in _imethodcall
    conn_id=self.conn_id)
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_http.py", line 776, in wbem_request
    client.endheaders()
  File "/usr/lib64/python3.6/http/client.py", line 1234, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1026, in _send_output
    self.send(msg)
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_http.py", line 461, in send
    self.connect()  # pylint: disable=no-member
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_http.py", line 619, in connect
    return self.sock.connect((self.host, self.port))
  File "/usr/lib64/python3.6/ssl.py", line 1064, in connect
    self._real_connect(addr, False)
  File "/usr/lib64/python3.6/ssl.py", line 1055, in _real_connect
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1032, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    raise ValueError("check_hostname needs server_hostname "
ValueError: check_hostname needs server_hostname argument

Could you please check the attached file for me again?
msg373302 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2020-07-08 10:30
It's a different issue on 3.6. According to the exception message you are not passing server_hostname to wrap_socket().
msg373304 - (view) Author: Wu Wenyan (Chirs) Date: 2020-07-08 10:46
I tried to print "self.host", which would be passed to wrap_socket().
There seems to be no problem.
> /usr/local/lib/python3.6/site-packages/pywbem/cim_http.py(616)connect()
-> try:
(Pdb) p self.host
'193.168.11.113'
(Pdb) n
> /usr/local/lib/python3.6/site-packages/pywbem/cim_http.py(617)connect()
-> self.sock = ctx.wrap_socket(sock,
(Pdb)
> /usr/local/lib/python3.6/site-packages/pywbem/cim_http.py(618)connect()
-> server_hostname=self.host)
(Pdb)
> /usr/local/lib/python3.6/site-packages/pywbem/cim_http.py(619)connect()
-> return self.sock.connect((self.host, self.port))
(Pdb)
ValueError: check_hostname needs server_hostname argument
> /usr/local/lib/python3.6/site-packages/pywbem/cim_http.py(619)connect()
-> return self.sock.connect((self.host, self.port))
msg373308 - (view) Author: Christian Heimes (christian.heimes) * (Python committer) Date: 2020-07-08 13:50
I'm afraid I have to close this issue as OUT-OF-DATE. It's either a bug in pywbem or a 3.6-only bug. Python 3.6 is in security maintenance mode and no longer receives bug fixes.

I suggest that you take this issue to the pywbem bug tracker and get assistance there.
msg373366 - (view) Author: Wu Wenyan (Chirs) Date: 2020-07-09 01:08
OK. Thanks for your suggestion.
History
Date User Action Args
2020-07-09 01:08:06 Chirs set messages: + msg373366
2020-07-08 13:50:42 christian.heimes set status: open -> closed; resolution: out of date; messages: + msg373308; stage: resolved
2020-07-08 10:46:33 Chirs set messages: + msg373304
2020-07-08 10:30:15 christian.heimes set messages: + msg373302
2020-07-08 10:20:25 Chirs set files: + server_cer_1.txt; messages: + msg373301
2020-07-08 09:05:06 christian.heimes set messages: + msg373294
2020-07-08 08:53:37 Chirs set files: + server_cer.txt; messages: + msg373292
2020-07-08 08:34:57 christian.heimes set messages: + msg373290
2020-07-08 08:27:07 Chirs create