Author christian.heimes
Recipients christian.heimes, lilydjwg
Date 2016-09-06.10:49:31
Message-id <1473158971.86.0.83444164918.issue27970@psf.upfronthosting.co.za>
Content
From https://www.ssllabs.com/ssltest/analyze.html?d=miaosss.top

Chain issues 	Incomplete
Extra download 	COMODO RSA Domain Validation Secure Server CA 

Python does not support extra downloads of incomplete chains. The server must return the EE cert and all intermediate certs during the TLS handshake.

You also can't pass the intermediate cert as a CA cert. It's not a trust anchor. You could load both the trust anchor and intermediate cert as CA certs (concatenate intermediate and root certs), but that is potentially dangerous. A safer way is https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_add0_chain_cert.html but Python does not have an API for SSL_CTX_add0_chain_cert().

Best solution: get the server fixed. It doesn't behave correctly.
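
The cases described in the message can be reproduced offline with the `openssl` CLI; this is an added example, not part of the original message, and it uses a constructed throwaway PKI whose names are made up. It assumes `openssl verify` with its default flags (no `-partial_chain`), which may differ from the verify flags a given Python version sets.

```shell
#!/bin/sh
# Constructed throwaway PKI (root -> intermediate -> leaf); all names are
# made up. Replays the cases from the message with `openssl verify`.
set -eu

build_pki() (  # $1 = empty working directory; body runs in a subshell
  cd "$1"
  printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' \
    'CN=placeholder' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > ca.cnf
  newreq() {  # $1 = file stem, $2 = subject CN, rest = extra `openssl req` args
    stem=$1 cn=$2; shift 2
    openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=$cn" \
      -keyout "$stem.key" "$@" 2>/dev/null
  }
  # Self-signed root: the only real trust anchor.
  newreq root 'Constructed Root CA' -x509 -extensions v3_ca -days 2 -out root.pem
  # Intermediate CA, signed by the root.
  newreq int 'Constructed Intermediate CA' -out int.csr
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -set_serial 2 \
    -extfile ca.cnf -extensions v3_ca -days 2 -out int.pem 2>/dev/null
  # End-entity (EE) certificate, signed by the intermediate.
  newreq leaf 'leaf.example' -out leaf.csr
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -set_serial 3 \
    -days 2 -out leaf.pem 2>/dev/null
  cat int.pem root.pem > bundle.pem   # the concatenation workaround
)

verdict() {  # args are passed to `openssl verify`; prints OK or FAIL
  if openssl verify "$@" 2>&1 | grep -q ': OK$'; then echo OK; else echo FAIL; fi
}

run_cases() {  # $1 = directory populated by build_pki
  d=$1
  # 1. Only the EE cert is available and the client trusts the root: no path to the anchor.
  echo "incomplete chain:        $(verdict -CAfile "$d/root.pem" "$d/leaf.pem")"
  # 2. Intermediate passed as the CA cert: it is not a trust anchor.
  echo "intermediate as CA:      $(verdict -CAfile "$d/int.pem" "$d/leaf.pem")"
  # 3. Intermediate supplied as an untrusted chain cert, as a complete handshake would.
  echo "complete chain:          $(verdict -CAfile "$d/root.pem" -untrusted "$d/int.pem" "$d/leaf.pem")"
  # 4. Intermediate and root concatenated as CA certs: verifies (the workaround the message cautions against).
  echo "intermediate+root as CA: $(verdict -CAfile "$d/bundle.pem" "$d/leaf.pem")"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_pki "$work"
run_cases "$work"
```

Running the same four checks against the certificates a real server actually sends shows which case a failing client is in before changing any trust configuration.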