This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author nagle
Recipients nagle
Date 2015-02-18.01:07:17
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <>
SSL certificate verification fails for "" when using the cert list from Firefox. Other sites ("", "") verify fine. 

This may be related to a known, and fixed, OpenSSL bug. See: 

Some versions of OpenSSL are known to be broken for cases where there multiple valid certificate trees.  This happens when one root cert is being phased out in favor of another, and cross-signing is involved.

Python ships with its own copy of OpenSSL on Windows.  Tests
for ""

Win7, x64:

   Python 2.7.9 with OpenSSL 1.0.1j 15 Oct 2014. FAIL
   Python 3.4.2 with OpenSSL 1.0.1i 6 Aug 2014.  FAIL
   openssl s_client -OpenSSL 1.0.1h 5 Jun 2014   FAIL

Ubuntu 14.04 LTS, x64, using distro's versions of Python:

   Python 2.7.6 - test won't run, needs create_default_context
   Python 3.4.0 with OpenSSL 1.0.1f 6 Jan 2014.  FAIL
   openssl s_client  OpenSSL 1.0.1f 6 Jan 2014   PASS

That's with the same cert file in all cases. The OpenSSL version for Python programs comes from ssl.OPENSSL_VERSION. 

The Linux situation has me puzzled.  On Linux, Python is supposedly using the system version of OpenSSL. The versions match.  Why do Python and the OpenSSL command line client disagree?  Different options passed to OpenSSL by Python?

A simple test program and cert file are attached.  Please try this in your environment.
Date User Action Args
2015-02-18 01:07:17naglesetrecipients: + nagle
2015-02-18 01:07:17naglesetmessageid: <>
2015-02-18 01:07:17naglelinkissue23476 messages
2015-02-18 01:07:17naglecreate