[issue34078] Broken CRL functionality in ssl.py
New submission from Joe N <nettijoe@gmail.com>:

CRLs in ssl.py, or the documentation, are broken. Specifically I think the documentation here is wrong: https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_verify_locati...

Here is a stackoverflow post: https://stackoverflow.com/questions/51196492/how-to-use-crls-in-pyopenssl?no...

I made a very user friendly test suite of files to show how it is broken. Run the code in here (follow readme instructions) to see the bug. https://github.com/nettijoe96/bugInSSL

----------
assignee: christian.heimes
components: SSL
messages: 321343
nosy: Joe N, christian.heimes, docs@python
priority: normal
severity: normal
status: open
title: Broken CRL functionality in ssl.py
type: behavior
versions: Python 3.6

_______________________________________
Python tracker <report@bugs.python.org>
<https://bugs.python.org/issue34078>
_______________________________________
Christian Heimes <lists@cheimes.de> added the comment:

Cert revocation check is working fine for me. I've attached a demo script that uses badssl.com:

$ curl -O http://crl3.digicert.com/ssca-sha2-g5.crl
$ openssl crl -in ssca-sha2-g5.crl -inform DER -out ssca-sha2-g5.pem.crl -outform PEM
$ python3.7 testcrl.py
Traceback (most recent call last):
  File "testcrl.py", line 19, in <module>
    s.connect(('revoked.badssl.com', 443))
  File "/usr/lib64/python3.7/ssl.py", line 1141, in connect
    self._real_connect(addr, False)
  File "/usr/lib64/python3.7/ssl.py", line 1132, in _real_connect
    self.do_handshake()
  File "/usr/lib64/python3.7/ssl.py", line 1108, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate revoked (_ssl.c:1045)

openssl s_client:

$ cat /etc/pki/tls/cert.pem ssca-sha2-g5.pem.crl > combined.pem
$ openssl s_client -connect revoked.badssl.com:443 -servername revoked.badssl.com -CAfile combined.pem | grep Verify
Verify return code: 0 (ok)
$ openssl s_client -connect revoked.badssl.com:443 -servername revoked.badssl.com -CAfile combined.pem -crl_check | grep Verify
Verify return code: 23 (certificate revoked)

----------
Added file: https://bugs.python.org/file47679/testcrl.py
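An added example (my own code, not the attached testcrl.py) of the configuration the demo above depends on: load_verify_locations() will happily read a combined CA+CRL bundle, but the CRL is only enforced once verify_flags includes VERIFY_CRL_CHECK_LEAF (or VERIFY_CRL_CHECK_CHAIN), the Python counterpart of the -crl_check switch that flips the s_client result from 0 to 23 above. The bundle inventory, the sample PEM text and classify_handshake() are assumptions of mine; the host defaults to the same revoked.badssl.com used in the demo.

```python
import re
import socket
import ssl

# Matches one PEM block and captures its label ("CERTIFICATE", "X509 CRL", ...).
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

# Constructed sample bundle: one CA certificate followed by one CRL, with
# placeholder bodies (not real DER data) so the inventory logic can be checked offline.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
    "-----BEGIN X509 CRL-----\nMIIBplaceholder\n-----END X509 CRL-----\n"
)


def inventory_pem_bundle(pem_text):
    """Count certificate and CRL blocks so a missing CRL is noticed before the handshake."""
    labels = [m.group(1) for m in _PEM_BLOCK.finditer(pem_text)]
    return {
        "certs": sum(1 for l in labels if l in ("CERTIFICATE", "TRUSTED CERTIFICATE")),
        "crls": sum(1 for l in labels if l == "X509 CRL"),
    }


def enforces_crl(ctx):
    """True only if the context will actually reject a revoked certificate."""
    return bool(ctx.verify_flags & (ssl.VERIFY_CRL_CHECK_LEAF | ssl.VERIFY_CRL_CHECK_CHAIN))


def crl_checking_context(cafile=None, check_chain=False):
    """Client context that loads the CA+CRL bundle *and* turns the CRL check on.

    Without the verify flag the CRL in `cafile` is parsed and then ignored,
    exactly like `openssl s_client -CAfile combined.pem` without -crl_check.
    """
    ctx = ssl.create_default_context()
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN if check_chain else ssl.VERIFY_CRL_CHECK_LEAF
    if cafile:  # e.g. the combined.pem built in the shell session above
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def classify_handshake(ctx, host="revoked.badssl.com", port=443, timeout=10):
    """Return ("ok", tls_version), ("revoked", msg) or ("verify_failed", msg) for a connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.version())
    except ssl.SSLCertVerificationError as exc:
        # verify_message is "certificate revoked" when the CRL check fires (OpenSSL code 23).
        kind = "revoked" if "revoked" in (exc.verify_message or "") else "verify_failed"
        return (kind, exc.verify_message)
```

Run classify_handshake(crl_checking_context("combined.pem")) with the bundle from the session above to reproduce the "certificate revoked" failure; the same call with ssl.create_default_context() succeeds because no CRL flag is set.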
Christian Heimes <lists@cheimes.de> added the comment:

No response in over two years. I'm closing the issue. Please feel free to reopen the issue with more information.

----------
resolution:  -> out of date
stage:  -> resolved
status: open -> closed