
Author kacper
Recipients christian.heimes, kacper
Date 2022-01-02.22:03:18
Message-id <1641160999.16.0.149653140984.issue46232@roundup.psfhosted.org>
In-reply-to
Content
Currently all subject sets of a client certificate are treated as UTF8 strings using the ASN1_STRING_to_UTF8 function (https://github.com/python/cpython/blob/8d999cbf4adea053be6dbb612b9844635c4dfb8e/Modules/_ssl.c#L912); however, RFC 5280 states that the UniqueIdentifier is of type BIT STRING. Passing a BIT STRING into the ASN1_STRING_to_UTF8 function seems to return -1 and subsequently fail an SSL handshake.

Traceback (most recent call last):
  File "/usr/lib64/python3.6/asyncio/events.py", line 145, in _run
    self._callback(*self._args)
  File "/usr/lib64/python3.6/site-packages/tornado/platform/asyncio.py", line 138, in _handle_events
    handler_func(fileobj, events)
  File "/usr/lib64/python3.6/site-packages/tornado/iostream.py", line 702, in _handle_events
    self._handle_read()
  File "/usr/lib64/python3.6/site-packages/tornado/iostream.py", line 1471, in _handle_read
    self._do_ssl_handshake()
  File "/usr/lib64/python3.6/site-packages/tornado/iostream.py", line 1431, in _do_ssl_handshake
    if not self._verify_cert(self.socket.getpeercert()):
  File "/usr/lib64/python3.6/ssl.py", line 860, in getpeercert
    return self._sslobj.getpeercert(binary_form)
  File "/usr/lib64/python3.6/ssl.py", line 610, in getpeercert
    return self._sslobj.peer_certificate(binary_form)
ssl.SSLError: unknown error (_ssl.c:959)

(line 959 of _ssl.c corresponds to https://github.com/python/cpython/blob/8d999cbf4adea053be6dbb612b9844635c4dfb8e/Modules/_ssl.c#L914)

https://github.com/pyca/cryptography/issues/3542 might be of interest for further discussion.
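
Added example, not part of the original report and not CPython or pyca/cryptography code: a standard-library-only check that walks the DER bytes of a certificate's subject Name and lists the attributes whose value carries the BIT STRING tag, which is the condition the report ties to the failed handshake. The sample Name is constructed, and the use of OID 2.5.4.45 (x500UniqueIdentifier) for the BIT STRING attribute is an assumption about which attribute the report means; the helper names are hypothetical.

```python
TAG_SEQUENCE, TAG_OID, TAG_BIT_STRING = 0x30, 0x06, 0x03

def tlvs(buf):
    """Yield (tag, value_bytes) for each DER TLV packed back to back in buf."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated TLV header")
        tag, length = buf[pos], buf[pos + 1]
        pos += 2
        if length & 0x80:                  # long form: low 7 bits count the length octets
            n = length & 0x7F
            if not 1 <= n <= 4 or pos + n > len(buf):
                raise ValueError("unsupported or truncated length")
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated TLV value")
        yield tag, buf[pos:pos + length]
        pos += length

def oid_to_str(raw):
    """Decode DER OID content octets to dotted form (first octet packs two arcs)."""
    arcs, n = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear marks the last octet of an arc
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def bit_string_attributes(name_der):
    """Return dotted OIDs of attributes in a DER Name whose value is a BIT STRING."""
    tag, rdns = next(tlvs(name_der), (None, b""))
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    flagged = []
    for _, rdn in tlvs(rdns):              # each RDN is a SET OF AttributeTypeAndValue
        for _, atv in tlvs(rdn):           # SEQUENCE { type OID, value ANY }
            (oid_tag, oid), (val_tag, _val) = list(tlvs(atv))[:2]
            if oid_tag == TAG_OID and val_tag == TAG_BIT_STRING:
                flagged.append(oid_to_str(oid))
    return flagged

def der(tag, value):
    return bytes([tag, len(value)]) + value  # sample builder, short-form lengths only

# Constructed sample subject: CN=client (UTF8String) plus 2.5.4.45 as a BIT STRING
SAMPLE = der(0x30,
    der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"client"))) +
    der(0x31, der(0x30, der(0x06, b"\x55\x04\x2d") + der(0x03, b"\x00\xa5"))))
```

Calling `bit_string_attributes(SAMPLE)` names the attribute to inspect when a peer certificate triggers the error in the traceback above.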