[New-bugs-announce] [issue23476] SSL cert verify fail for "www.verisign.com"

John Nagle report at bugs.python.org
Wed Feb 18 02:07:17 CET 2015


New submission from John Nagle:

SSL certificate verification fails for "www.verisign.com" when using the cert list from Firefox. Other sites ("google.com", "python.org") verify fine. 

This may be related to a known, and fixed, OpenSSL bug. See:

http://rt.openssl.org/Ticket/Display.html?id=2732&user=guest&pass=guest
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1014640 

Some versions of OpenSSL are known to be broken for cases where there multiple valid certificate trees.  This happens when one root cert is being phased out in favor of another, and cross-signing is involved.

Python ships with its own copy of OpenSSL on Windows.  Tests
for "www.verisign.com"

Win7, x64:

   Python 2.7.9 with OpenSSL 1.0.1j 15 Oct 2014. FAIL
   Python 3.4.2 with OpenSSL 1.0.1i 6 Aug 2014.  FAIL
   openssl s_client -OpenSSL 1.0.1h 5 Jun 2014   FAIL

Ubuntu 14.04 LTS, x64, using distro's versions of Python:

   Python 2.7.6 - test won't run, needs create_default_context
   Python 3.4.0 with OpenSSL 1.0.1f 6 Jan 2014.  FAIL
   openssl s_client  OpenSSL 1.0.1f 6 Jan 2014   PASS

That's with the same cert file in all cases. The OpenSSL version for Python programs comes from ssl.OPENSSL_VERSION. 

The Linux situation has me puzzled.  On Linux, Python is supposedly using the system version of OpenSSL. The versions match.  Why do Python and the OpenSSL command line client disagree?  Different options passed to OpenSSL by Python?

A simple test program and cert file are attached.  Please try this in your environment.

----------
components: Library (Lib)
files: ssltest.py
messages: 236158
nosy: nagle
priority: normal
severity: normal
status: open
title: SSL cert verify fail for "www.verisign.com"
versions: Python 2.7, Python 3.4
Added file: http://bugs.python.org/file38165/ssltest.py

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue23476>
_______________________________________


More information about the New-bugs-announce mailing list