Thanks! That's probably fine for now -- it means the standard library
doesn't know where the root certificates are. We had a huge discussion
about this over on python-tulip:
https://groups.google.com/forum/#!topic/python-tulip/c_lqdFjPEbE
TL;DR: The stdlib openssl wrapper ought to know where each platform stores
its root certificates and automatically use them, but it currently doesn't
always. Users who really don't care but still want to use SSL must create
an SSL context with verify_mode set to ssl.CERT_NONE (and live with the
risk, obviously). This stuff passes on OS X only because there's a system
openssl library that always uses the system root certificates.
If anyone can help fixing the ssl.py module (or the _ssl extension) so that
sslcontext.set_default_verify_paths() uses the system root certs on Windows
that would be a huge help. (I have tried this on an Ubuntu box too, and
there it actually works.)
On Fri, Oct 18, 2013 at 3:42 PM, Richard Oudkerk
On 18/10/2013 10:37pm, Guido van Rossum wrote:
Good sleuthing! Does the attached patch fix it?
(Off-topic: the code is pretty inconsistent about catching BaseException. Maybe it shouldn't be caught at all?)
It fixes it in the sense of printing a sensible traceback;-)
$ PYTHONPATH='c:/Repos/tulip' /c/Repos/cpython-33/PCbuild/python fetch3.py http://dropbox.com -v
* Connecting to dropbox.com:80 using tcp
* dropbox.com resolves to 108.160.165.62, 108.160.166.62, 199.47.216.179, 199.47.217.179
* New connection ('108.160.165.62', 80, False)
* Connected to ('108.160.165.62', 80)
GET / HTTP/1.1
Host: dropbox.com
< HTTP/1.1 301 Moved Permanently
< Server: nginx
< Date: Fri, 18 Oct 2013 22:40:13 GMT
< Content-Type: text/html
< Content-Length: 178
< Connection: keep-alive
< Location: https://dropbox.com/
< redirect to https://dropbox.com/
* Connecting to dropbox.com:443 using ssl
* dropbox.com resolves to 108.160.165.62, 108.160.166.62, 199.47.216.179, 199.47.217.179
Traceback (most recent call last):
  File "fetch3.py", line 211, in <module>
    main()
  File "fetch3.py", line 206, in main
    body = loop.run_until_complete(fetch(sys.argv[1], '-v' in sys.argv))
  File "c:\Repos\tulip\asyncio\base_events.py", line 177, in run_until_complete
    return future.result()
  File "c:\Repos\tulip\asyncio\futures.py", line 221, in result
    raise self._exception
  File "c:\Repos\tulip\asyncio\tasks.py", line 257, in _step
    result = coro.throw(exc)
  File "fetch3.py", line 192, in fetch
    yield from request.connect(pool)
  File "fetch3.py", line 80, in connect
    ssl=self.ssl)
  File "fetch3.py", line 36, in open_connection
    reader, writer = yield from open_connection(host, port, ssl=ssl)
  File "c:\Repos\tulip\asyncio\streams.py", line 41, in open_connection
    lambda: protocol, host, port, **kwds)
  File "c:\Repos\tulip\asyncio\base_events.py", line 356, in create_connection
    yield from waiter
  File "c:\Repos\tulip\asyncio\futures.py", line 318, in __iter__
    yield self  # This tells Task to wait for completion.
  File "c:\Repos\tulip\asyncio\tasks.py", line 308, in _wakeup
    value = future.result()
  File "c:\Repos\tulip\asyncio\futures.py", line 221, in result
    raise self._exception
  File "c:\Repos\tulip\asyncio\selector_events.py", line 579, in _on_handshake
    self._sock.do_handshake()
  File "C:\Repos\cpython-33\lib\ssl.py", line 520, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:553)
-- Richard
-- --Guido van Rossum (python.org/~guido)
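
An added example, not part of the original thread or of the tulip/asyncio code: a check for whether the stdlib can find any root certificates on this machine, and a context builder that fails loudly instead of dropping to ssl.CERT_NONE. The names roots_present, default_roots_report and verifying_context, and the cafile parameter, are hypothetical; it assumes Python 3.6 or later, where SSLContext.load_default_certs() and ssl.PROTOCOL_TLS_CLIENT exist.

```python
import os
import ssl

def roots_present(cafile, capath):
    """True if the CA bundle file is non-empty or the CA directory has entries."""
    if cafile and os.path.isfile(cafile) and os.path.getsize(cafile) > 0:
        return True
    return bool(capath and os.path.isdir(capath) and os.listdir(capath))

def default_roots_report():
    """Describe where OpenSSL looks for roots and what the stdlib loaded."""
    paths = ssl.get_default_verify_paths()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs()  # default paths, plus the system store on Windows
    return {
        "cafile": paths.cafile,
        "capath": paths.capath,
        "on_disk": roots_present(paths.cafile, paths.capath),
        # Counts certificates read eagerly; capath entries load on demand.
        "loaded": ctx.cert_store_stats()["x509_ca"],
    }

def verifying_context(cafile=None):
    """Build a client context that verifies peers, or fail loudly.

    cafile is a hypothetical parameter: an explicit PEM bundle to trust
    when the defaults are empty. CERT_NONE is never used as a fallback.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
        return ctx
    ctx.load_default_certs()
    report = default_roots_report()
    if not report["on_disk"] and report["loaded"] == 0:
        raise RuntimeError("no root certificates found; pass cafile explicitly")
    return ctx

if __name__ == "__main__":
    print(default_roots_report())
```

A report with on_disk False and loaded 0 is the condition under which the handshake above ends in CERTIFICATE_VERIFY_FAILED for every host.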