Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ssl.get_server_certificate() does not work for IPv6 addresses #56020

Closed
pwouters mannequin opened this issue Apr 9, 2011 · 7 comments
Closed

ssl.get_server_certificate() does not work for IPv6 addresses #56020

pwouters mannequin opened this issue Apr 9, 2011 · 7 comments
Labels
easy stdlib Python modules in the Lib dir type-feature A feature request or enhancement

Comments

@pwouters
Copy link
Mannequin

pwouters mannequin commented Apr 9, 2011

BPO 11811
Nosy @pitrou
Files
  • ssl_ipv6.diff: patch adding IPv6 support
  • is_ipv6_enabled.diff: IPV6_ENABLED support
    		•

    Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = None
closed_at = <Date 2011-04-28.17:26:48.103>
created_at = <Date 2011-04-09.21:18:19.972>
labels = ['easy', 'type-feature', 'library']
title = 'ssl.get_server_certificate() does not work for IPv6 addresses'
updated_at = <Date 2011-04-28.17:26:48.101>
user = 'https://bugs.python.org/pwouters'

    bugs.python.org fields:

    activity = <Date 2011-04-28.17:26:48.101>
actor = 'pitrou'
assignee = 'none'
closed = True
closed_date = <Date 2011-04-28.17:26:48.103>
closer = 'pitrou'
components = ['Library (Lib)']
creation = <Date 2011-04-09.21:18:19.972>
creator = 'pwouters'
dependencies = []
files = ['21818', '21819']
hgrepos = []
issue_num = 11811
keywords = ['patch', 'easy']
message_count = 7.0
messages = ['133422', '133424', '134618', '134622', '134648', '134706', '134707']
nosy_count = 4.0
nosy_names = ['pitrou', 'neologix', 'python-dev', 'pwouters']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue11811'
versions = ['Python 3.3']
    @pwouters
    Copy link
    Mannequin Author

    pwouters mannequin commented Apr 9, 2011

    ssl.get_server_certificate() does not work for IPv6 addresses:

    >>> ssl.get_server_certificate( ("2001:888:2003:1004:c2ff:eeff:fe00:133",443))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/ssl.py", line 403, in get_server_certificate
    s.connect(addr)
  File "/usr/lib64/python2.7/ssl.py", line 292, in connect
    socket.connect(self, addr)
  File "/usr/lib64/python2.7/socket.py", line 222, in meth
    return getattr(self._sock,name)(*args)
socket.gaierror: [Errno -9] Address family for hostname not supported

    @pwouters pwouters mannequin added the type-feature A feature request or enhancement label Apr 9, 2011
    @pitrou
    Copy link
    Member

    pitrou commented Apr 9, 2011

    Confirmed. In the meantime, you can connect manually using socket.create_connection():

    >>> import ssl, socket
>>> conn = socket.create_connection(("2001:888:2003:1004:c2ff:eeff:fe00:133", 443))
>>> sock = ssl.wrap_socket(conn)
>>> ssl.DER_cert_to_PEM_cert(sock.getpeercert(True))
'-----BEGIN CERTIFICATE-----\nMIID8DCCA1mgAwIBAgICVVUwDQYJKoZIhvcNAQEFBQAwgbExCzAJBgNVBAYTAi0t\nMRIwEAYDVQQIEwlTb21lU3RhdGUxETAPBgNVBAcTCFNvbWVDaXR5MRkwFwYDVQQK\nExBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLExZTb21lT3JnYW5pemF0aW9uYWxV\nbml0MRkwFwYDVQQDExB3cC54ZWxlcmFuY2UubmV0MSQwIgYJKoZIhvcNAQkBFhVy\nb290QHdwLnhlbGVyYW5jZS5uZXQwHhcNMTEwNDA4MjM0MzE3WhcNMTIwNDA3MjM0\nMzE3WjCBsTELMAkGA1UEBhMCLS0xEjAQBgNVBAgTCVNvbWVTdGF0ZTERMA8GA1UE\nBxMIU29tZUNpdHkxGTAXBgNVBAoTEFNvbWVPcmdhbml6YXRpb24xHzAdBgNVBAsT\nFlNvbWVPcmdhbml6YXRpb25hbFVuaXQxGTAXBgNVBAMTEHdwLnhlbGVyYW5jZS5u\nZXQxJDAiBgkqhkiG9w0BCQEWFXJvb3RAd3AueGVsZXJhbmNlLm5ldDCBnzANBgkq\nhkiG9w0BAQEFAAOBjQAwgYkCgYEAsLBCgvH5g8ypkuufFQ55BFoWcjpAocsRV+jN\nW5zylXzM7F9/cMyTli757JGRdwL0l+bLPdojdYwKb6XjTWfJonqentBMG6iktLXZ\n66oUQl77UHOyL7XKynmO6wSGFd/qAoA8O5O9IRLPNcD4+NMTQjGSMFPvjnUnOSH2\n8nMVmZUCAwEAAaOCARMwggEPMB0GA1UdDgQWBBRFGGojncjKvGfxjgU8EOapc0Yi\nyjCB3wYDVR0jBIHXMIHUgBRFGGojncjKvGfxjgU8EOapc0YiyqGBt6SBtDCBsTEL\nMAkGA1UEBhMCLS0xEjAQBgNVBAgTCVNvbWVTdGF0ZTERMA8GA1UEBxMIU29tZUNp\ndHkxGTAXBgNVBAoTEFNvbWVPcmdhbml6YXRpb24xHzAdBgNVBAsTFlNvbWVPcmdh\nbml6YXRpb25hbFVuaXQxGTAXBgNVBAMTEHdwLnhlbGVyYW5jZS5uZXQxJDAiBgkq\nhkiG9w0BCQEWFXJvb3RAd3AueGVsZXJhbmNlLm5ldIICVVUwDAYDVR0TBAUwAwEB\n/zANBgkqhkiG9w0BAQUFAAOBgQCnLIAJ8ghuqUUiVOuq6tiRby65dh+7L1ApSp8G\nwusWF/rYugvqUxL1O1vatd1ptyXpoCLM0XzQ5sBtY0yS8IjMON9++Uu+u5IkQ+24\nkwvpgWp3lX8Zuxhbnmym/LGoJq4PgqXl1bsGJ+SIALQ31g7nrNE2HQz1IYRQEj/k\neG8F7g==\n-----END CERTIFICATE-----\n'

    @pitrou pitrou added easy stdlib Python modules in the Lib dir labels Apr 9, 2011
    @neologix
    Copy link
    Mannequin

    neologix mannequin commented Apr 27, 2011

    A patch is attached, along with corresponding test.
    Notes:

    • since I don't have an IPv6 internet connectivity, I could only test it locally
    • I chose 'ipv6.google.com' as SSL server for the test. If it's a problem, I can change it for svn.python.org (it'll just take a couple more lines to make sure that we're using IPv6 and not IPv4)
    • while writting the test, I needed a way to find whether IPv6 is supported on the current host (socket.has_ipv6 only tells you that the interpreter has been built with IPv6 support, not that the OS has an IPv6 stack enabled). So instead of rewritting what's already done in test_socket, I added a new is_ipv6_enabled function in Lib/test/support.py, and modified test_socket, test_ftplib and test_ssl to use it. This patch (is_ipv6_enabled.diff) must be applied before ssl_ipv6.diff.

    @pitrou
    Copy link
    Member

    pitrou commented Apr 27, 2011

    Hello,

    This patch (is_ipv6_enabled.diff) must be applied before
    ssl_ipv6.diff.

    is_ipv6_enabled.diff is fine.
    As for ssl_ipv6.diff, it fails on certificate verification:

    ======================================================================
    ERROR: test_get_server_certificate (test.test_ssl.NetworkedTests)
    ----------------------------------------------------------------------

    Traceback (most recent call last):
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 630, in test_get_server_certificate
    _test_get_server_certificate('ipv6.google.com', 443)
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 622, in _test_get_server_certificate
    pem = ssl.get_server_certificate((host, port), ca_certs=SVN_PYTHON_ORG_ROOT_CERT)
  File "/home/antoine/cpython/default/Lib/ssl.py", line 548, in get_server_certificate
    cert_reqs=cert_reqs, ca_certs=ca_certs)
  File "/home/antoine/cpython/default/Lib/ssl.py", line 498, in wrap_socket
    ciphers=ciphers)
  File "/home/antoine/cpython/default/Lib/ssl.py", line 255, in __init__
    raise x
  File "/home/antoine/cpython/default/Lib/ssl.py", line 251, in __init__
    self.do_handshake()
  File "/home/antoine/cpython/default/Lib/ssl.py", line 430, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [Errno 1] _ssl.c:389: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

    I think you should simply use ca_certs=None when testing with the Google
    host.

    @neologix
    Copy link
    Mannequin

    neologix mannequin commented Apr 28, 2011

    As for ssl_ipv6.diff, it fails on certificate verification:

    Of course.
    The new version should fix this (tested on google.com).

    is_ipv6_enabled.diff is fine.

    Since IPv6 capability is unlikely to change in the middle of a test, I replaced the function is_ipv6_enabled() by a boolean IPV6_ENABLED. That way, it's closer to socket.has_ipv6, and spares a socket creation/bind/close at each call.

    @python-dev
    Copy link
    Mannequin

    python-dev mannequin commented Apr 28, 2011

    New changeset 0518f32cb747 by Antoine Pitrou in branch 'default':
    Issue bpo-11811: Factor out detection of IPv6 support on the current host
    http://hg.python.org/cpython/rev/0518f32cb747

    New changeset d3166c359714 by Antoine Pitrou in branch 'default':
    Issue bpo-11811: ssl.get_server_certificate() is now IPv6-compatible. Patch
    http://hg.python.org/cpython/rev/d3166c359714

    @pitrou
    Copy link
    Member

    pitrou commented Apr 28, 2011

    Committed, thank you!

    @pitrou pitrou closed this as completed Apr 28, 2011
    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Assignees
    No one assigned
    Labels
    easy stdlib Python modules in the Lib dir type-feature A feature request or enhancement
    Projects
    None yet
    Milestone
    No milestone
    Development

    No branches or pull requests
    1 participant
    @pitrou