Author vstinner
Recipients christian.heimes, pitrou, vstinner
Date 2014-03-12.11:38:46
Message-id <1394624326.41.0.157380460915.issue20896@psf.upfronthosting.co.za>
Content
Script to reproduce the issue:
---
import ssl
# ca_certs is the root certificate the test suite ships for svn.python.org;
# get_server_certificate() verifies the server certificate against it.
pem = ssl.get_server_certificate(('svn.python.org', 443), ca_certs="Lib/test/https_svn_python_org_root.pem")
print("PEM: %r" % pem)
---

It looks like the handshake fails with PROTOCOL_SSLv3, which is the default protocol, but works with PROTOCOL_SSLv23.

_create_stdlib_context(), SSLContext and wrap_socket use PROTOCOL_SSLv23, which is said to be the protocol with "the most compatibility with other versions". Why does get_server_certificate() use PROTOCOL_SSLv3?

get_server_certificate() was added in 2007 by changeset 9041965a92f2 and has used PROTOCOL_SSLv3 since that version.

"openssl s_client" says that the server speaks TLSv1.2, which is the most recent TLS version and probably the most secure. Is it somehow possible to try TLSv1.2 first, and then fall back to other versions if the latest version is not supported?

For the initial issue, it looks like a change on the server side (svn.python.org); I don't think that the ssl module, the unit test or the certificate of the authority changed recently. The python.org website has been changed recently.
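Added example, not part of the bug report or of CPython's own get_server_certificate(): it shows the behaviour the report asks for on a modern Python (3.7+ assumed, for `PROTOCOL_TLS_CLIENT` and `ssl.TLSVersion`). A context built on the "most compatible" mode (PROTOCOL_SSLv23, today spelled PROTOCOL_TLS_CLIENT) already negotiates the newest version both sides support in a single handshake, so no try-TLSv1.2-then-fall-back loop is needed; an explicit per-version retry on failure is what a downgrade attacker relies on, so the example pins a floor with `minimum_version` instead. The function and parameter names (`make_client_context`, `get_server_certificate`, `ca_certs`) are this example's own, and the network call needs a reachable server.

```python
import socket
import ssl


def make_client_context(ca_certs=None):
    """Build a verifying client context that negotiates the highest TLS
    version both sides support, with a hard floor at TLSv1.2.

    PROTOCOL_TLS_CLIENT is the modern name for the PROTOCOL_SSLv23
    "most compatible with other versions" mode from the report.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Refuse SSLv3 / TLSv1.0 / TLSv1.1 outright instead of falling back
    # to them: a fixed floor cannot be talked down by a failed handshake.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_certs is not None:
        # Trust only the supplied root (the report used the test suite's
        # https_svn_python_org_root.pem here).
        ctx.load_verify_locations(cafile=ca_certs)
    else:
        ctx.load_default_certs()
    return ctx


def get_server_certificate(addr, ca_certs=None, timeout=10.0):
    """Return (pem, negotiated_version) for the server at addr=(host, port).

    Unlike pinning PROTOCOL_SSLv3, the single handshake below lets OpenSSL
    pick the newest version the server offers (TLSv1.2 in the report's
    "openssl s_client" output, TLSv1.3 on current servers).
    """
    host, port = addr
    ctx = make_client_context(ca_certs)
    with socket.create_connection(addr, timeout=timeout) as sock:
        # server_hostname drives both SNI and hostname verification.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return ssl.DER_cert_to_PEM_cert(der), tls.version()


if __name__ == "__main__":
    pem, version = get_server_certificate(("svn.python.org", 443))
    print("negotiated %s" % version)
    print("PEM: %r" % pem)
```

If the server only speaks SSLv3 the handshake now fails loudly, which is the intended outcome: a certificate fetched over a protocol you would not use for the real connection tells you nothing you can act on.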