Message236158
SSL certificate verification fails for "www.verisign.com" when using the cert list from Firefox. Other sites ("google.com", "python.org") verify fine.
This may be related to a known, and fixed, OpenSSL bug. See:
http://rt.openssl.org/Ticket/Display.html?id=2732&user=guest&pass=guest
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1014640
Some versions of OpenSSL are known to be broken for cases where there multiple valid certificate trees. This happens when one root cert is being phased out in favor of another, and cross-signing is involved.
Python ships with its own copy of OpenSSL on Windows. Tests
for "www.verisign.com"
Win7, x64:
Python 2.7.9 with OpenSSL 1.0.1j 15 Oct 2014. FAIL
Python 3.4.2 with OpenSSL 1.0.1i 6 Aug 2014. FAIL
openssl s_client -OpenSSL 1.0.1h 5 Jun 2014 FAIL
Ubuntu 14.04 LTS, x64, using distro's versions of Python:
Python 2.7.6 - test won't run, needs create_default_context
Python 3.4.0 with OpenSSL 1.0.1f 6 Jan 2014. FAIL
openssl s_client OpenSSL 1.0.1f 6 Jan 2014 PASS
That's with the same cert file in all cases. The OpenSSL version for Python programs comes from ssl.OPENSSL_VERSION.
The Linux situation has me puzzled. On Linux, Python is supposedly using the system version of OpenSSL. The versions match. Why do Python and the OpenSSL command line client disagree? Different options passed to OpenSSL by Python?
A simple test program and cert file are attached. Please try this in your environment. |
|
Date |
User |
Action |
Args |
2015-02-18 01:07:17 | nagle | set | recipients:
+ nagle |
2015-02-18 01:07:17 | nagle | set | messageid: <1424221637.85.0.898475945708.issue23476@psf.upfronthosting.co.za> |
2015-02-18 01:07:17 | nagle | link | issue23476 messages |
2015-02-18 01:07:17 | nagle | create | |
|