Message213250
Script to reproduce the issue:
---
import ssl
pem = ssl.get_server_certificate(('svn.python.org', 443), ca_certs="Lib/test/https_svn_python_org_root.pem")
print("PEM: %r" % pem)
---
It looks the handshake fails if like with PROTOCOL_SSLv3 which is the default protocol, but works with PROTOCOL_SSLv23.
_create_stdlib_context(), SSLContext and wrap_socket use PROTOCOL_SSLv23 which is said to be the "the most compatibility with other versions" protocol. Why get_server_certificate() uses PROTOCOL_SSLv3?
get_server_certificate() was added in 2007 by changeset 9041965a92f2 and it uses PROTOCOL_SSLv3 since this version.
"openssl s_client" says that the server speaks TLSv1.2 which is the most recent TLS version and probably the most secure. Is it possible somehow to try TLSv1.2, and then fallback to other versions if the latest version is not supported?
For the initial issue, it looks like a change at server side (svn.python.org), I don't think that ssl module, the unit test or the certificate of the authority changed recently. The python.org website has been changed recently. |
|
Date |
User |
Action |
Args |
2014-03-12 11:38:46 | vstinner | set | recipients:
+ vstinner, pitrou, christian.heimes |
2014-03-12 11:38:46 | vstinner | set | messageid: <1394624326.41.0.157380460915.issue20896@psf.upfronthosting.co.za> |
2014-03-12 11:38:46 | vstinner | link | issue20896 messages |
2014-03-12 11:38:46 | vstinner | create | |
|