[Python-Dev] Proposal for better SSL errors

Antoine Pitrou solipsis at pitrou.net
Sat May 26 21:28:51 CEST 2012 

Hello,

In http://bugs.python.org/issue14837 I have attached a proof-of-concept
patch to improve the exceptions raised by the ssl module when OpenSSL
signals an error. The current situation is quite dismal, since you get
a sometimes cryptic error message with no viable opportunities for
programmatic introspection:

>>> ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>> ctx.verify_mode = ssl.CERT_REQUIRED
>>> sock = socket.create_connection(("svn.python.org", 443))
>>> sock = ctx.wrap_socket(sock)
Traceback (most recent call last):
[...]
ssl.SSLError: [Errno 1] _ssl.c:420: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


SSLError instances only have a "errno" attribute which doesn't actually
contain a meaningful value.

With the posted patch, the above error becomes:

>>> ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>> ctx.verify_mode = ssl.CERT_REQUIRED
>>> sock = socket.create_connection(("svn.python.org", 443))
>>> sock = ctx.wrap_socket(sock)
Traceback (most recent call last):
[...]
ssl.SSLError: [Errno 5] [SSL: CERTIFICATE_VERIFY_FAILED] certificate
verify failed (_ssl.c:494) [88296 refs]


Not only does the error string contain more valuable information (the
mnemonics "SSL" and "CERTIFICATE_VERIFY_FAILED" indicate, respectively,
in which subpart of OpenSSL and which precise error occurred), but they
are also introspectable:

>>> e = sys.last_value
>>> e.library
'SSL'
>>> e.reason
'CERTIFICATE_VERIFY_FAILED'

(these mnemonics correspond to OpenSSL's own #define'd numeric codes. I
find it more Pythonic to expose the mnemonics than the numbers, though.
Of course, the numbers <-> mnemnonics mappings can be separately
exposed)

You'll note there is still a "Errno 5" in that error message; I don't
really know what to do with it. Hard-wiring the errno attribute to
something like None *might* break existing software, although that
would be unlikely since the current errno value is quite meaningless
and confusing (it has nothing to do with POSIX errnos).


To clarify a bit my request, I am asking for feedback on the principle
more than on the implementation right now.

Regards

Antoine.

More information about the Python-Dev mailing list