Author beda
Recipients beda
Date 2010-04-21.11:56:16
SpamBayes Score 7.50842e-10
Marked as misclassified No
Message-id <1271850980.01.0.0395535667848.issue8484@psf.upfronthosting.co.za>
In-reply-to
Content
When trying a secure connection to an HTTPS server with server certificate verification, I get very strange behaviour when the digest used in the signing certificate is SHA-256 (+RSA).
On Windows with Python 2.6.4 or 2.6.5, I consistently get the following error:

ssl.SSLError: [Errno 1] _ssl.c:480: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm

When I tried to reproduce this on Ubuntu Linux, I found that it either failed with the same error or succeeded in case the hashlib was imported before the actual code. I got the same behaviour on Gentoo Linux with Python 2.6.4 and Fedora 11 and Debian unstable with other versions of Python 2.6.
On Windows, importing hashlib prior to the code does not fix it as is does on Linux.

Using openssl s_client (openssl s_client -connect sha256.tbs-internet.com:443 -CAfile chain.pem) give no error, so the problem is not directly with openssl.
It seems that the Python ssl (_ssl) library does not load properly the corresponding hash modules from openssl or something like this.

I attach a sample script with the hashlib import commented out. I also add a pem file with certificates needed for the code to check the server certificate.

P.S.- I was able to reproduce the same behaviour with another site using SHA-256 base digests.
History
Date User Action Args
2010-04-21 11:56:22bedasetrecipients: + beda
2010-04-21 11:56:20bedasetmessageid: <1271850980.01.0.0395535667848.issue8484@psf.upfronthosting.co.za>
2010-04-21 11:56:18bedalinkissue8484 messages
2010-04-21 11:56:17bedacreate