[issue23476] SSL cert verify fail for "www.verisign.com"
Antoine Pitrou
report at bugs.python.org
Tue Feb 24 17:22:57 CET 2015
Antoine Pitrou added the comment:
> and it is not reproducible using openssl s_client
I have determined that s_client is buggy. It will always load the system certs *if and only if* you also pass it a valid custom CA cert (which is the reverse of what's expected).
This is where it happens (in apps/s_client.c):
if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
(!SSL_CTX_set_default_verify_paths(ctx))) {
/*
* BIO_printf(bio_err,"error setting default verify locations\n");
*/
ERR_print_errors(bio_err);
/* goto end; */
}
This is why I forced SSL_CERT_* to empty locations in the examples above, so that only the custom CA bundle is used.
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue23476>
_______________________________________
More information about the Python-bugs-list
mailing list