[issue34078] Broken CRL functionality in ssl.py

New submission from Joe N nettijoe@gmail.com:
Either CRLs in ssl.py or the documentation is broken. Specifically, I think the documentation here is wrong: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_verify_locati...
Here is a stackoverflow post: https://stackoverflow.com/questions/51196492/how-to-use-crls-in-pyopenssl?no...
I made a very user-friendly test suite of files to show how it is broken.
Run the code here (follow the readme instructions) to see the bug: https://github.com/nettijoe96/bugInSSL
----------
assignee: christian.heimes
components: SSL
messages: 321343
nosy: Joe N, christian.heimes, docs@python
priority: normal
severity: normal
status: open
title: Broken CRL functionality in ssl.py
type: behavior
versions: Python 3.6

_______________________________________
Python tracker report@bugs.python.org
https://bugs.python.org/issue34078
_______________________________________

Christian Heimes lists@cheimes.de added the comment:
Cert revocation check is working fine for me. I've attached a demo script that uses badssl.com:
$ curl -O http://crl3.digicert.com/ssca-sha2-g5.crl
$ openssl crl -in ssca-sha2-g5.crl -inform DER -out ssca-sha2-g5.pem.crl -outform PEM
$ python3.7 testcrl.py
Traceback (most recent call last):
  File "testcrl.py", line 19, in <module>
    s.connect(('revoked.badssl.com', 443))
  File "/usr/lib64/python3.7/ssl.py", line 1141, in connect
    self._real_connect(addr, False)
  File "/usr/lib64/python3.7/ssl.py", line 1132, in _real_connect
    self.do_handshake()
  File "/usr/lib64/python3.7/ssl.py", line 1108, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate revoked (_ssl.c:1045)
openssl s_client:
$ cat /etc/pki/tls/cert.pem ssca-sha2-g5.pem.crl > combined.pem
$ openssl s_client -connect revoked.badssl.com:443 -servername revoked.badssl.com -CAfile combined.pem | grep Verify
Verify return code: 0 (ok)
$ openssl s_client -connect revoked.badssl.com:443 -servername revoked.badssl.com -CAfile combined.pem -crl_check | grep Verify
Verify return code: 23 (certificate revoked)

----------
Added file: https://bugs.python.org/file47679/testcrl.py
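An added example, not the attached testcrl.py and not part of the thread: a client context that turns a loaded CRL into an enforced check, mirroring the s_client runs above where the CRL in -CAfile is ignored until -crl_check is passed. It assumes Python 3.7+ (SSLCertVerificationError.verify_code) and a CRL already converted to PEM; the verify-code constants and label names are this example's own.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* codes, surfaced as SSLCertVerificationError.verify_code
# on Python 3.7+; 23 is the "certificate revoked" code in the s_client run above.
X509_V_ERR_UNABLE_TO_GET_CRL = 3
X509_V_ERR_CERT_REVOKED = 23


def crl_checking_context(cafile=None, crlfile=None, check_chain=False):
    """Client context that enforces the CRL rather than merely loading it.

    load_verify_locations() accepts a PEM CRL, but OpenSSL ignores it until
    VERIFY_CRL_CHECK_LEAF (or _CHAIN) is in verify_flags, just as s_client
    ignores a CRL in -CAfile without -crl_check.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname
    if crlfile is not None:
        # PEM only: convert DER with `openssl crl -inform DER -outform PEM`.
        ctx.load_verify_locations(cafile=crlfile)
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    if check_chain:  # also demand a CRL for every intermediate CA
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    return ctx


def crl_enforced(ctx):
    """True only when the handshake will actually consult the loaded CRL."""
    return (ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF) == ssl.VERIFY_CRL_CHECK_LEAF


def classify_verify_error(exc):
    """Map the OpenSSL verify code to a label a caller can act on."""
    code = getattr(exc, "verify_code", None)
    if code == X509_V_ERR_CERT_REVOKED:
        return "revoked"
    if code == X509_V_ERR_UNABLE_TO_GET_CRL:
        # Flag set but no CRL for the issuer: OpenSSL fails closed, as it should.
        return "crl-missing"
    return "other"


def connect_with_crl_check(host, port, ctx, timeout=10):
    """Handshake and report 'ok', 'revoked', 'crl-missing' or 'other'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"  # wrap_socket already completed verification
    except ssl.SSLCertVerificationError as exc:
        return classify_verify_error(exc)
```

Against revoked.badssl.com with the DigiCert CRL loaded, connect_with_crl_check() returns "revoked"; a context built without the flag would return "ok", which is the silent failure the report is about.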

Christian Heimes lists@cheimes.de added the comment:
No response in over two years. I'm closing the issue. Please feel free to reopen the issue with more information.
----------
resolution: -> out of date
stage: -> resolved
status: open -> closed