[issue8484] ssl socket with certificate verification fails on SHA256 digest algorithm

Beda Kosata report at bugs.python.org
Wed Apr 21 13:56:22 CEST 2010

New submission from Beda Kosata <beda at zirael.org>:

When trying a secure connection to an HTTPS server with server certificate verification, I get very strange behaviour when the digest used in the signing certificate is SHA-256 (+RSA).
On Windows with Python 2.6.4 or 2.6.5, I consistently get the following error:

ssl.SSLError: [Errno 1] _ssl.c:480: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm

When I tried to reproduce this on Ubuntu Linux, I found that it either failed with the same error or succeeded in case the hashlib was imported before the actual code. I got the same behaviour on Gentoo Linux with Python 2.6.4 and Fedora 11 and Debian unstable with other versions of Python 2.6.
On Windows, importing hashlib prior to the code does not fix it as is does on Linux.

Using openssl s_client (openssl s_client -connect sha256.tbs-internet.com:443 -CAfile chain.pem) give no error, so the problem is not directly with openssl.
It seems that the Python ssl (_ssl) library does not load properly the corresponding hash modules from openssl or something like this.

I attach a sample script with the hashlib import commented out. I also add a pem file with certificates needed for the code to check the server certificate.

P.S.- I was able to reproduce the same behaviour with another site using SHA-256 base digests.

components: Library (Lib)
files: ssl_check.py
messages: 103823
nosy: beda
severity: normal
status: open
title: ssl socket with certificate verification fails on SHA256 digest algorithm
type: crash
versions: Python 2.6
Added file: http://bugs.python.org/file17021/ssl_check.py

Python tracker <report at bugs.python.org>

More information about the Python-bugs-list mailing list