


Re: Python 2.7.9, 3.4.2 won't verify SSL cert for "verisign.com"

Date Tue, 17 Feb 2015 14:57:35 -0800
From John Nagle <nagle@animats.com>
Newsgroups comp.lang.python
To Laura Creighton <lac@openend.se>
Subject Re: Python 2.7.9, 3.4.2 won't verify SSL cert for "verisign.com"
Message-ID <mailman.18795.1424214533.18130.python-list@python.org>



    If I remove certs from my "cacert.pem" file passed to
create_default_context, the Python test program rejects domains
it will pass with the certs present.  It's using that file.

    So that's not it.  It seems to be an OpenSSL or cert file
problem.  I can reproduce the problem with the OpenSSL command
line client:

   openssl s_client -connect www.verisign.com:443 -CAfile cacert.pem

fails for "www.verisign.com", where "cacert.pem" has been extracted
from Firefox's cert store.

   The error message from OpenSSL:

Verify return code: 20 (unable to get local issuer certificate)

    Try the same OpenSSL command for other domains ("google.com",
"python.org") and no errors are reported.  More later on this.

    So it's not a Python level issue.  The only Python-specific
problem is that the Python library doesn't pass detailed
OpenSSL error codes through in exceptions.  The Python exception
text is "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:581).", which is a generic message for most OpenSSL errors.

				John Nagle

On 2/17/2015 12:00 AM, Laura Creighton wrote:
> I've seen something like this:
> 
> The requests module http://docs.python-requests.org/en/latest/
> ships with its own set of certificates "cacert.pem"
> and ignores the system wide ones -- so, for instance, adding certificates
> to /etc/ssl/certs on your debian or ubuntu system won't work.  I edited
> it by hand and then changed the REQUESTS_CA_BUNDLE environment variable
> to point to it.
> 
> Perhaps your problem is along the same lines?
> 
> Laura 
> 
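
Added example, not part of the original post: on Python 3.7 and later the ssl module attaches OpenSSL's verify code to the exception it raises, so the code-20 result that `openssl s_client` printed above can be read from Python as well. The helper names (`verify_detail`, `explain`, `probe`) and the hint table are this example's own; `probe` needs network access and is never called on import.

```python
import re
import socket
import ssl

# A few X509_V_ERR_* codes, numbered as "openssl s_client" prints them.
HINTS = {
    10: "certificate has expired",
    18: "self-signed leaf certificate that is not in the CA file",
    19: "self-signed certificate in the chain; that root is not in the CA file",
    20: "an issuer in the chain is neither in the CA file nor sent by the server",
    21: "leaf cannot be verified; the server sent no usable intermediates",
    62: "certificate does not match the requested hostname",
}

def verify_detail(exc):
    """Return (verify_code, message) for a certificate verification failure.

    Python 3.7+ sets verify_code/verify_message on SSLCertVerificationError.
    Without them, fall back to whatever detail the exception text carries.
    """
    code = getattr(exc, "verify_code", None)
    msg = getattr(exc, "verify_message", None)
    if code is None:
        m = re.search(r"certificate verify failed: (.+?) \(_ssl\.c:\d+\)", str(exc))
        msg = m.group(1) if m else str(exc)
    return code, msg

def explain(exc):
    """One-line report: OpenSSL verify code, its message, and a hint."""
    code, msg = verify_detail(exc)
    hint = HINTS.get(code, "see the X509_V_ERR_* codes in OpenSSL's verify docs")
    return "verify code %s (%s): %s" % (code, msg, hint)

def probe(host, port=443, cafile=None, timeout=10):
    """Handshake with host, trusting only cafile if one is given.

    Returns (0, "ok") on success, else (verify_code, message).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return 0, "ok"
    except ssl.SSLCertVerificationError as exc:
        return verify_detail(exc)
```

Calling `probe("www.verisign.com", cafile="cacert.pem")` is the Python counterpart of the `openssl s_client ... -CAfile cacert.pem` command in the post.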
