Date:      Thu, 03 Dec 2020 13:45:28 +0000
From:      bugzilla-noreply@freebsd.org
To:        python@FreeBSD.org
Subject:   maintainer-feedback requested: [Bug 251562] lang/python37: SSLError 'certificate verify failed' despite correct looking /etc/ssl/cert.pem
Message-ID:  <bug-251562-21822-ZTuvJcKhxr@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-251562-21822@https.bugs.freebsd.org/bugzilla/>
References:  <bug-251562-21822@https.bugs.freebsd.org/bugzilla/>

Bugzilla Automation <bugzilla@FreeBSD.org> has asked freebsd-python (Nobody)
<python@FreeBSD.org> for maintainer-feedback:
Bug 251562: lang/python37: SSLError 'certificate verify failed' despite correct
looking /etc/ssl/cert.pem
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251562



--- Description ---
Overview:
the command 'python3.7 -c "import requests;
print(requests.get('https://server:8443').text)"' fails with a 'certificate
verify failed' error when additional root certificates from the trust store
should be used

Steps to Reproduce:
1) import a self-signed root certificate into /usr/share/certs/trusted, i.e.
use: cp myroot.pem /usr/share/certs/trusted
2) get fingerprint from root certificate and add softlink to /etc/ssl/certs,
i.e. use: ln -s /usr/share/certs/trusted/myroot.pem /etc/ssl/certs/97efb5b5.0
3) append content of myroot.pem to /etc/ssl/cert.pem, i.e. use: cat myroot.pem
| sudo tee -a /etc/ssl/cert.pem
4) verify that OpenSSL can verify a server certificate that is derived from the
newly imported root certificate, i.e. use: openssl s_client -connect
server:8443
5) make sure that python is looking into the correct directories for SSL CERTS,
i.e. use: python3.7 -c "import ssl; print(ssl.get_default_verify_paths())"
6) try a python request to the server, i.e. use: python3.7 -c "import requests;
print(requests.get('https://server:8443').text)"

Actual Results:
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/urllib3/contrib/pyopenssl.py", line 488, in wrap_socket
    cnx.do_handshake()
  File "/usr/local/lib/python3.7/site-packages/OpenSSL/SSL.py", line 1915, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/local/lib/python3.7/site-packages/OpenSSL/SSL.py", line 1647, in _raise_ssl_error
    _raise_current_error()
  File "/usr/local/lib/python3.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 677, in urlopen
    chunked=chunked,
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 381, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 978, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.7/site-packages/urllib3/connection.py", line 371, in connect
    ssl_context=context,
  File "/usr/local/lib/python3.7/site-packages/urllib3/util/ssl_.py", line 386, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/local/lib/python3.7/site-packages/urllib3/contrib/pyopenssl.py", line 494, in wrap_socket
    raise ssl.SSLError("bad handshake: %r" % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 727, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/usr/local/lib/python3.7/site-packages/urllib3/util/retry.py", line 446, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='server', port=8443): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/local/lib/python3.7/site-packages/requests/api.py", line 75, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='server', port=8443): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))

Expected Results:
HTML content from the server's website (i.e. 'Hello World')

Additional Information:
When I modify the request so I explicitly tell python to use /etc/ssl/cert.pem
for verification, I get my 'Hello World' and no error...

python3.7 -c "import requests; print(requests.get('https://server:8443',
verify='/etc/ssl/cert.pem').text)"

Also, the output of python's ssl.get_default_verify_paths() shows me that it
seems to look all in the right places:

DefaultVerifyPaths(cafile='/etc/ssl/cert.pem', capath='/etc/ssl/certs',
openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/etc/ssl/cert.pem',
openssl_capath_env='SSL_CERT_DIR', openssl_capath='/etc/ssl/certs')
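
An added diagnostic, not part of the bug report or of the FreeBSD ports tree: ssl.get_default_verify_paths() only reports the locations OpenSSL consults when a caller invokes SSLContext.load_default_certs(). requests with the default verify=True does not do that; it passes the bundle returned by requests.certs.where() (certifi's bundle unless the packager redirected it) to load_verify_locations, so the OpenSSL defaults are bypassed unless verify= or REQUESTS_CA_BUNDLE point back at them. That is consistent with the report: the explicit verify='/etc/ssl/cert.pem' succeeds while the default fails. The script below fingerprints every location a Python HTTPS client on the host might use and reports which of them actually contain a given root. demo() rebuilds the reporter's layout in a temporary directory using constructed PEM-shaped placeholders that are not real certificates; the entry name 97efb5b5.0 is taken from the report. Run it as `python3.7 check_roots.py /usr/share/certs/trusted/myroot.pem` (file name assumed) against the real host.

```python
import base64
import hashlib
import importlib
import os
import re
import shutil
import ssl
import tempfile
from typing import Dict, List, Optional

# One CERTIFICATE block inside a PEM bundle; re.S lets the body span lines.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)
# Entries in an OpenSSL CApath directory are named <subject_hash>.<n>, e.g. 97efb5b5.0
_CAPATH_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def pem_fingerprints(pem_text: str) -> List[str]:
    """SHA-256 fingerprints (hex) of every certificate in a PEM text.
    A fingerprint is the hash of the DER bytes, so base64 decoding is all that
    is needed (no ASN.1 parsing). Blocks that do not decode are skipped."""
    fps: List[str] = []
    for body in _PEM_BLOCK.findall(pem_text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def location_fingerprints(path: str) -> List[str]:
    """Fingerprints at `path`: a bundle file or an OpenSSL CApath directory.
    In a directory only hash-named entries are read, because that is all OpenSSL
    consults. This confirms a file exists under such a name, not that the name
    matches its subject hash (check: openssl x509 -noout -subject_hash -in FILE)."""
    if os.path.isdir(path):
        fps: List[str] = []
        for name in sorted(os.listdir(path)):
            if _CAPATH_NAME.match(name):
                fps.extend(location_fingerprints(os.path.join(path, name)))
        return fps
    if os.path.isfile(path):
        with open(path, "r", encoding="ascii", errors="replace") as fh:
            return pem_fingerprints(fh.read())
    return []


def candidate_locations() -> Dict[str, Optional[str]]:
    """Every place an HTTPS client on this host might take its roots from:
    the OpenSSL defaults, the env overrides, and the bundle requests ships."""
    paths = ssl.get_default_verify_paths()
    cands: Dict[str, Optional[str]] = {
        "openssl cafile": paths.cafile,
        "openssl capath": paths.capath,
        "$" + paths.openssl_cafile_env: os.environ.get(paths.openssl_cafile_env),
        "$" + paths.openssl_capath_env: os.environ.get(paths.openssl_capath_env),
        "$REQUESTS_CA_BUNDLE": os.environ.get("REQUESTS_CA_BUNDLE"),
    }
    for label, modname in (("certifi.where()", "certifi"),
                           ("requests.certs.where()", "requests.certs")):
        try:
            cands[label] = importlib.import_module(modname).where()
        except ImportError:  # module not installed on this host
            cands[label] = None
    return cands


def root_presence(root_pem: str, locations: Dict[str, Optional[str]]) -> Dict[str, bool]:
    """For each named location, whether it actually contains the given root."""
    want = set(pem_fingerprints(root_pem))
    report: Dict[str, bool] = {}
    for name, path in locations.items():
        report[name] = bool(path) and bool(want & set(location_fingerprints(path)))
    return report


def fake_pem(label: bytes) -> str:
    """Constructed placeholder: PEM framing around bytes that are NOT a real
    certificate. It only exercises the file/directory/fingerprint logic offline."""
    b64 = base64.b64encode(label).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def demo() -> Dict[str, bool]:
    """Rebuild the reporter's layout in a temp dir: cert.pem with the new root
    appended, a CApath dir with a hash-named link, and a separate bundle
    (standing in for requests.certs.where()) that never received the root."""
    myroot = fake_pem(b"constructed placeholder for myroot.pem")
    public_ca = fake_pem(b"constructed placeholder for a public root")
    with tempfile.TemporaryDirectory() as d:
        myroot_path = os.path.join(d, "myroot.pem")
        with open(myroot_path, "w") as fh:
            fh.write(myroot)
        cert_pem = os.path.join(d, "cert.pem")  # step 3: root appended to cert.pem
        with open(cert_pem, "w") as fh:
            fh.write(public_ca + myroot)
        capath = os.path.join(d, "certs")  # step 2: hash-named symlink in capath
        os.mkdir(capath)
        link = os.path.join(capath, "97efb5b5.0")  # entry name taken from the report
        try:
            os.symlink(myroot_path, link)
        except (OSError, NotImplementedError):  # no symlink support: copy instead
            shutil.copyfile(myroot_path, link)
        bundled = os.path.join(d, "cacert.pem")  # requests' own bundle, never updated
        with open(bundled, "w") as fh:
            fh.write(public_ca)
        return root_presence(myroot, {
            "openssl cafile": cert_pem,
            "openssl capath": capath,
            "requests.certs.where()": bundled,
            "$REQUESTS_CA_BUNDLE": None,
        })


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "r") as fh:
            report = root_presence(fh.read(), candidate_locations())
    else:
        report = demo()
    for name, present in report.items():
        print(("present  " if present else "MISSING  ") + name)
```

On the reporter's host the expected output is "present" for the OpenSSL cafile and capath and "MISSING" for requests.certs.where(); the fix is then either to point verify= or REQUESTS_CA_BUNDLE at /etc/ssl/cert.pem, or to add the root to whatever bundle requests.certs.where() names.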


