Author Michael.Felt
Recipients Michael.Felt, christian.heimes
Date 2018-08-21.12:12:47
Message-id <3cb8b699-4ca9-c3fb-c9cd-837dbc4a903e@felt.demon.nl>
In-reply-to <15fa7bc4-2c86-686f-263a-9267f0b20fb1@felt.demon.nl>
Content
On 21/08/2018 09:46, Michael wrote:
> On 04/08/2018 16:37, Michael Felt wrote:
>> Some help would really be appreciated!
> Gotten a bit further :)

A little bit more:

Modules/_ssl.c

    /* debug: show which file is being loaded */
    fprintf(stderr, "load_cert_chain():certfile:%s\n",
            (char *) PyBytes_AS_STRING(certfile_bytes));
    PySSL_BEGIN_ALLOW_THREADS_S(pw_info.thread_state);
    r = SSL_CTX_use_certificate_chain_file(self->ctx,
        PyBytes_AS_STRING(certfile_bytes));
    PySSL_END_ALLOW_THREADS_S(pw_info.thread_state);
    if (r != 1) {
        /* debug: return value, errno and last OpenSSL error code
           (ERR_peek_last_error() returns unsigned long, hence %lu) */
        fprintf(stderr, "load_cert_chain():r:%d: errno:%d ERR_peek_last_error():%lu\n",
                r, errno, ERR_peek_last_error());

load_cert_chain():certfile:/data/prj/python/git/python3-3.8/Lib/test/XXXnonexisting.pem
load_cert_chain():r:0: errno:2 ERR_peek_last_error():0
load_cert_chain():certfile:/data/prj/python/git/python3-3.8/Lib/test/nullcert.pem
load_cert_chain():r:0: errno:0 ERR_peek_last_error():0

Note: I swapped BADCERT and NULLCERT, so now above shows with NULLCERT,
while below

* Below: the first failure - is an OSError (file does not exist, and
passes the test). The second test is "badcert" and AIX is not reporting
the error via ERR_peek_last_error(), but it does seem there is an error
that 'openssl' does return. The third is just to show a connection where
CAfile provides the needed data (for comparison)

FIRST: works as expected

root@x066:[/data/prj/python/python3-3.8]openssl s_client -quiet -connect www.mindrot.org:443 -CAfile /data/prj/python/git/python3-3.8/Lib/test/XXXnonex>
804401144:error:02001002:system library:fopen:No such file or directory:bss_file.c:175:fopen('/data/prj/python/git/python3-3.8/Lib/test/XXXnonexisting.pem','r')
804401144:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:182:
804401144:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:253:
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate

SECOND: there are errors, but not one reported by ERR_peek_last_error()?

BADCERT
root@x066:[/data/prj/python/python3-3.8]openssl s_client -quiet -connect www.mindrot.org:443 -CAfile /data/prj/python/git/python3-3.8/Lib/test/badcert.>
804401144:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:830:
804401144:error:0B084009:x509 certificate routines:X509_load_cert_crl_file:PEM lib:by_file.c:259:
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate

NULLCERT
root@x066:[/data/prj/python/python3-3.8]openssl s_client -quiet -connect www.mindrot.org:443 -CAfile /data/prj/python/git/python3-3.8/Lib/test/nullcert>
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate

THIRD: working as expected, for comparison

root@x066:[/data/prj/python/python3-3.8]openssl s_client -quiet -connect www.mindrot.org:443 -CAfile /var/ssl/cacert.pem
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = mindrot.org
verify return:1

Again - help requested!!!

Michael
History
Date                 User          Action  Args
2018-08-21 12:12:48  Michael.Felt  set     recipients: + christian.heimes
2018-08-21 12:12:48  Michael.Felt  link    issue34194 messages
2018-08-21 12:12:47  Michael.Felt  create
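
The three certificate cases in this message (missing file, bad PEM, empty file) can be reproduced from Python, where ssl.SSLContext.load_cert_chain() ends up in the Modules/_ssl.c call shown above. This is an added example, not part of the original message or of CPython's test suite; the file contents and the helper names classify_load and run_cases are constructed for illustration.

```python
import errno
import os
import ssl
import tempfile

# Constructed stand-in for badcert.pem: PEM armour around text that is
# not valid base64 (the content is an assumption, not the real test file).
BAD_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "this is !!! not base64 ???\n"
    "-----END CERTIFICATE-----\n"
)


def classify_load(path):
    """Return (exception kind, detail) for load_cert_chain(path)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_cert_chain(path)
    except ssl.SSLError as exc:
        # ssl.SSLError subclasses OSError, so it must be caught first.
        # This is the path taken when the failure is not an errno failure.
        return ("SSLError", exc.reason)
    except OSError as exc:
        # errno-based failure, e.g. ENOENT for a file that does not exist.
        return ("OSError", errno.errorcode.get(exc.errno))
    return ("loaded", None)


def run_cases():
    """Build the three files in a temp directory and classify each load."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        paths = {
            "missing": os.path.join(tmp, "XXXnonexisting.pem"),
            "bad": os.path.join(tmp, "badcert.pem"),
            "null": os.path.join(tmp, "nullcert.pem"),
        }
        with open(paths["bad"], "w") as fh:
            fh.write(BAD_PEM)
        open(paths["null"], "w").close()  # zero-length file
        for name, path in paths.items():
            results[name] = classify_load(path)
    return results


if __name__ == "__main__":
    for name, (kind, detail) in run_cases().items():
        print(f"{name:8} -> {kind} ({detail})")
```

The row to compare against the AIX output above is the empty file, which there came back with r:0, errno 0 and ERR_peek_last_error() 0.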