Python 2.7.9, 3.4.2 won't verify SSL cert for "verisign.com"
John Nagle
nagle at animats.com
Tue Feb 17 19:28:50 EST 2015
On 2/17/2015 3:42 PM, Laura Creighton wrote:
> Possibly this bug?
> https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1014640
>
> Laura

Probably that bug in OpenSSL. Some versions of OpenSSL are
known to be broken for cases where there are multiple valid certificate
trees.

Python ships with its own copy of OpenSSL on Windows. Tests
for "www.verisign.com":

Win7, x64:
    Python 2.7.9 with OpenSSL 1.0.1j 15 Oct 2014. FAIL
    Python 3.4.2 with OpenSSL 1.0.1i 6 Aug 2014. FAIL
    openssl s_client - OpenSSL 1.0.1h 5 Jun 2014. FAIL

Ubuntu 14.04 LTS, using distro's versions of Python:
    Python 2.7.6 - test won't run, needs create_default_context
    Python 3.4.0 with OpenSSL 1.0.1f 6 Jan 2014. FAIL
    openssl s_client - OpenSSL 1.0.1f 6 Jan 2014. PASS

That's with the same cert file in all cases.
The OpenSSL version for Python programs comes from
ssl.OPENSSL_VERSION.
The Linux situation has me puzzled. On Linux,
Python is supposedly using the system version of OpenSSL.
The versions match. Why do Python and the command line
client disagree? Different options passed to OpenSSL
by Python?
Here's the little test program:
http://www.animats.com/private/sslbug
Please try that and let me know what happens on
other platforms. Works with Python 2.7.9 or 3.x.
John Nagle
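
Added example (not John Nagle's test program, which is not reproduced on this page): a minimal Python 3 check of the kind the message describes, reporting ssl.OPENSSL_VERSION next to a PASS/FAIL verification result for one host. The function names, the PASS/FAIL/ERROR labels and the command-line arguments are assumptions made for this sketch.

```python
import socket
import ssl
import sys


def build_context(cafile=None):
    """Client context with chain and hostname verification enabled.

    cafile=None loads the platform default trust store. Passing a PEM
    bundle loads only that file, so every platform is tested against the
    same cert file, as in the comparison above.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # create_default_context() sets CERT_REQUIRED and check_hostname=True;
    # nothing here weakens them.
    return ctx


def probe(host, port=443, cafile=None, timeout=10.0):
    """Return (status, detail).

    PASS  - handshake completed and the certificate chain verified
    FAIL  - TLS or certificate verification error
    ERROR - network problem (refused, timeout, DNS); says nothing about the cert
    """
    ctx = build_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "PASS", tls.version()
    except (ssl.SSLError, ssl.CertificateError) as exc:
        # Must come before OSError: ssl.SSLError is a subclass of OSError.
        return "FAIL", str(exc)
    except OSError as exc:
        return "ERROR", str(exc)


if __name__ == "__main__":
    # Usage (assumed for this sketch): script.py [host] [cafile]
    host = sys.argv[1] if len(sys.argv) > 1 else "www.verisign.com"
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    status, detail = probe(host, cafile=cafile)
    print("Python %s with %s. %s (%s)"
          % (sys.version.split()[0], ssl.OPENSSL_VERSION, status, detail))
```

Keeping ERROR separate from FAIL matters when comparing platforms: a blocked port or DNS failure would otherwise be recorded as a certificate problem.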