test_ssl.test_get_server_certificate() should use PROTOCOL_SSLv23, not PROTOCOL_SSLv3 #65095
Comments
```
======================================================================
Traceback (most recent call last):
  File "/home/haypo/prog/python/default/Lib/test/test_ssl.py", line 1373, in test_get_server_certificate
    _test_get_server_certificate('svn.python.org', 443, SVN_PYTHON_ORG_ROOT_CERT)
  File "/home/haypo/prog/python/default/Lib/test/test_ssl.py", line 1354, in _test_get_server_certificate
    pem = ssl.get_server_certificate((host, port))
  File "/home/haypo/prog/python/default/Lib/ssl.py", line 902, in get_server_certificate
    with context.wrap_socket(sock) as sslsock:
  File "/home/haypo/prog/python/default/Lib/ssl.py", line 344, in wrap_socket
    _context=self)
  File "/home/haypo/prog/python/default/Lib/ssl.py", line 540, in __init__
    self.do_handshake()
  File "/home/haypo/prog/python/default/Lib/ssl.py", line 767, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:598)
```

Extract of the current CA cert of svn.python.org:

```
$ openssl x509 -in Lib/test/https_svn_python_org_root.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: md5WithRSAEncryption
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Validity
            Not Before: Mar 30 12:29:49 2003 GMT
            Not After : Mar 29 12:29:49 2033 GMT
        Subject: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
...
```

Lib/test/https_svn_python_org_root.pem is identical to http://www.cacert.org/certs/root.crt: the root certificate of the cacert.org authority.

Debug with the OpenSSL command line:

```
$ openssl s_client -connect svn.python.org:443 -CAfile Lib/test/https_svn_python_org_root.pem
CONNECTED(00000003)
depth=1 O = Root CA, OU = http://www.cacert.org, CN = CA Cert Signing Authority, emailAddress = support@cacert.org
verify return:1
depth=0 CN = svn.python.org
verify return:1
---
Certificate chain
```

Script to reproduce the issue:

```python
import ssl

pem = ssl.get_server_certificate(('svn.python.org', 443),
                                 ca_certs="Lib/test/https_svn_python_org_root.pem")
print("PEM: %r" % pem)
```

It looks like the handshake fails with PROTOCOL_SSLv3, which is the default protocol, but works with PROTOCOL_SSLv23. _create_stdlib_context(), SSLContext and wrap_socket use PROTOCOL_SSLv23, which is said to be the protocol with "the most compatibility with other versions". Why does get_server_certificate() use PROTOCOL_SSLv3? get_server_certificate() was added in 2007 by changeset 9041965a92f2 and has used PROTOCOL_SSLv3 since that version.

"openssl s_client" says that the server speaks TLSv1.2, which is the most recent TLS version and probably the most secure. Is it possible somehow to try TLSv1.2, and then fall back to other versions if the latest version is not supported?

For the initial issue, it looks like a change on the server side (svn.python.org); I don't think that the ssl module, the unit test or the certificate of the authority changed recently. The python.org website has been changed recently.
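Added example, not code from the report or from CPython: a small model of the failure described above, written against the version controls of today's ssl module because PROTOCOL_SSLv3 is no longer available in current builds. A client pinned to exactly one protocol version (what the old PROTOCOL_SSLv3 default amounted to) is compared with a client that negotiates the newest shared version (PROTOCOL_SSLv23 in the report's terms, PROTOCOL_TLS_CLIENT today) against a server that has dropped older versions. The version arithmetic in negotiated_version() is a model of what OpenSSL does, not a real handshake; the TLS 1.0 to 1.3 range, the helper names and fetch_server_certificate() are assumptions of this example.

```python
import socket
import ssl

# Concrete versions, oldest to newest. TLSVersion also has the sentinels
# MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED, resolved in _resolve() below.
# Assumption of this model: the library supports TLS 1.0 through TLS 1.3;
# a real OpenSSL build may support fewer.
_VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
             ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def _as_version(v):
    """Accept a TLSVersion member or its name, e.g. "TLSv1_2"."""
    return v if isinstance(v, ssl.TLSVersion) else ssl.TLSVersion[v]


def _resolve(version):
    if version == ssl.TLSVersion.MINIMUM_SUPPORTED:
        return _VERSIONS[0]
    if version == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        return _VERSIONS[-1]
    return version


def allowed_versions(ctx):
    """Protocol versions a context accepts, from its min/max settings."""
    lo, hi = _resolve(ctx.minimum_version), _resolve(ctx.maximum_version)
    return {v for v in _VERSIONS if lo <= v <= hi}


def negotiated_version(client_ctx, server_ctx):
    """Model of version negotiation: the newest version both sides accept,
    or None, which is what surfaces as SSLV3_ALERT_HANDSHAKE_FAILURE."""
    shared = allowed_versions(client_ctx) & allowed_versions(server_ctx)
    return max(shared) if shared else None


def pinned_client(version):
    """Client that speaks exactly one version: the analogue of the old
    ssl_version=PROTOCOL_SSLv3 default in get_server_certificate()."""
    version = _as_version(version)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def negotiating_client(cafile=None):
    """Client that negotiates the newest shared version. With a CA file the
    peer is verified against it; without one the certificate is only fetched."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.load_verify_locations(cafile)
    return ctx


def server_speaking(minimum):
    """Server that has dropped every version older than `minimum`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = _as_version(minimum)
    return ctx


def fetch_server_certificate(host, port=443, cafile=None, timeout=10):
    """PEM certificate of a live server, fetched with the negotiating context
    (needs network access; mirrors what ssl.get_server_certificate does)."""
    ctx = negotiating_client(cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    server = server_speaking("TLSv1_3")
    print("pinned TLS 1.2 client :", negotiated_version(pinned_client("TLSv1_2"), server))
    print("negotiating client    :", negotiated_version(negotiating_client(), server))
```

The pinned client gets None against the TLS 1.3-only server, the negotiating client gets TLS 1.3, and the pinned client only succeeds when the server still happens to speak its one version, which is exactly what broke when svn.python.org changed.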
New changeset c13398566409 by Victor Stinner in branch 'default':
The bug is not fixed, I committed a workaround. Please reopen it. On Wednesday 12 March 2014, Benjamin Peterson <report@bugs.python.org> wrote:
Ok, apparently the change was backed out and it was not needed (I can't make the test fail here, either). It would have been better to state it on the issue, though :-)
That said, I agree it would be better to use "SSLv23" in get_server_certificate().
New changeset 23add5382fb3 by Benjamin Peterson in branch '3.1':
New changeset 789ca594960f by Benjamin Peterson in branch '3.2':
New changeset de97d0334314 by Benjamin Peterson in branch '2.7':
New changeset 12df02358137 by Benjamin Peterson in branch '3.3':
New changeset 0cba79667c7d by Benjamin Peterson in branch 'default':
Benjamin: Could you please mention your change in Misc/NEWS? Is it ok to change that in Python 3.1 & 3.2? Should the change be mentioned in the doc (:versionchanged:)?
New changeset 9b91c23f071c by Benjamin Peterson in branch '3.4':
New changeset 55f62fa5bebc by Antoine Pitrou in branch 'default':
This bug also affected the other versions I marked. Updating it so people don't open duplicate bugs as I did with issue bpo-21246.
New changeset a8c4925e2359 by Victor Stinner in branch '3.4':