This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author vstinner
Recipients christian.heimes, pitrou, vstinner
Date 2014-03-12.11:38:46
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
Script to reproduce the issue:
import ssl
pem = ssl.get_server_certificate(('', 443), ca_certs="Lib/test/https_svn_python_org_root.pem")
print("PEM: %r" % pem)

It looks the handshake fails if like with PROTOCOL_SSLv3 which is the default protocol, but works with PROTOCOL_SSLv23.

_create_stdlib_context(), SSLContext and wrap_socket use PROTOCOL_SSLv23 which is said to be the "the most compatibility with other versions" protocol. Why get_server_certificate() uses PROTOCOL_SSLv3?

get_server_certificate() was added in 2007 by changeset 9041965a92f2 and it uses PROTOCOL_SSLv3 since this version.

"openssl s_client" says that the server speaks TLSv1.2 which is the most recent TLS version and probably the most secure. Is it possible somehow to try TLSv1.2, and then fallback to other versions if the latest version is not supported?

For the initial issue, it looks like a change at server side (, I don't think that ssl module, the unit test or the certificate of the authority changed recently. The website has been changed recently.
Date User Action Args
2014-03-12 11:38:46vstinnersetrecipients: + vstinner, pitrou, christian.heimes
2014-03-12 11:38:46vstinnersetmessageid: <>
2014-03-12 11:38:46vstinnerlinkissue20896 messages
2014-03-12 11:38:46vstinnercreate