This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author pitrou
Recipients demian.brecht, lac, nagle, pitrou
Date 2015-02-24.15:34:37
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1424792078.32.0.241375249871.issue23476@psf.upfronthosting.co.za>
In-reply-to
Content 
> Python's SSL isn't using that.  Python is taking in one big text file 
> of SSL certs, with no link structure, and feeding it to OpenSSL.  

Python's SSL is not "taking" anything:

>>> r = urlopen('https://www.verisign.com')
>>> r.read(10)
b' <!DOCTYPE'

It's only if you feed it that particular CA file that you get the issue:

>>> cafile = 'cacert.pem'
>>> r = urlopen('https://www.verisign.com', cafile=cafile)
[...]
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)>


You can *also* feed it a CA directory by using the "CApath" argument (*not* "CAfile").

Now it remains to be seen why "openssl s_client" works with the file nevertheless.
History
Date User Action Args
2015-02-24 15:34:38pitrousetrecipients: + pitrou, nagle, demian.brecht, lac
2015-02-24 15:34:38pitrousetmessageid: <1424792078.32.0.241375249871.issue23476@psf.upfronthosting.co.za>
2015-02-24 15:34:38pitroulinkissue23476 messages
2015-02-24 15:34:37pitroucreate