This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author christian.heimes
Recipients Joe N, christian.heimes, docs@python
Date 2018-07-09.20:37:03
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1531168623.47.0.56676864532.issue34078@psf.upfronthosting.co.za>
In-reply-to
Content
Cert revocation check is working fine for me. I've attached a demo script that uses badssl.com:

$ curl -O http://crl3.digicert.com/ssca-sha2-g5.crl
$ openssl crl -in ssca-sha2-g5.crl -inform DER -out ssca-sha2-g5.pem.crl -outform PEM
$ python3.7 testcrl.py 
Traceback (most recent call last):
  File "testcrl.py", line 19, in <module>
    s.connect(('revoked.badssl.com', 443))
  File "/usr/lib64/python3.7/ssl.py", line 1141, in connect
    self._real_connect(addr, False)
  File "/usr/lib64/python3.7/ssl.py", line 1132, in _real_connect
    self.do_handshake()
  File "/usr/lib64/python3.7/ssl.py", line 1108, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate revoked (_ssl.c:1045)

openssl s_client:

$ cat /etc/pki/tls/cert.pem ssca-sha2-g5.pem.crl > combined.pem
$ openssl s_client -connect revoked.badssl.com:443 -servername revoked.badssl.com -CAfile combined.pem | grep Verify
    Verify return code: 0 (ok)
$ openssl s_client -connect revoked.badssl.com:443 -servername revoked.badssl.com -CAfile combined.pem -crl_check | grep Verify
    Verify return code: 23 (certificate revoked)
History
Date User Action Args
2018-07-09 20:37:03christian.heimessetrecipients: + christian.heimes, docs@python, Joe N
2018-07-09 20:37:03christian.heimessetmessageid: <1531168623.47.0.56676864532.issue34078@psf.upfronthosting.co.za>
2018-07-09 20:37:03christian.heimeslinkissue34078 messages
2018-07-09 20:37:03christian.heimescreate