From: bugzilla-noreply@freebsd.org
To: python@FreeBSD.org
Subject: [Bug 251562] lang/python37: SSLError 'certificate verify failed'
 despite correct looking /etc/ssl/cert.pem
Date: Thu, 03 Dec 2020 13:45:28 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Ports & Packages
X-Bugzilla-Component: Individual Port(s)
X-Bugzilla-Version: Latest
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Many People
X-Bugzilla-Who: andreas.strauch@hotmail.com
X-Bugzilla-Status: New
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: python@FreeBSD.org
X-Bugzilla-Flags: maintainer-feedback?
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 op_sys bug_status bug_severity priority component assigned_to reporter
 flagtypes.name
Message-ID: <bug-251562-21822@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-python@freebsd.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: FreeBSD-specific Python issues <freebsd-python.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-python>, 
 <mailto:freebsd-python-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-python/>
List-Post: <mailto:freebsd-python@freebsd.org>
List-Help: <mailto:freebsd-python-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-python>,
 <mailto:freebsd-python-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2020 13:45:29 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251562

            Bug ID: 251562
           Summary: lang/python37: SSLError 'certificate verify failed'
                    despite correct looking /etc/ssl/cert.pem
           Product: Ports & Packages
           Version: Latest
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: python@FreeBSD.org
          Reporter: andreas.strauch@hotmail.com
             Flags: maintainer-feedback?(python@FreeBSD.org)

Overview:
The command 'python3.7 -c "import requests;
print(requests.get('https://server:8443').text)"' fails with a 'certificate
verify failed' error when additional root certificates from the trust store
should be used.

Steps to Reproduce:
1) import a self-signed root certificate into /usr/share/certs/trusted, i.e.
use: cp myroot.pem /usr/share/certs/trusted
2) get fingerprint from root certificate and add softlink to /etc/ssl/certs,
i.e. use: ln -s /usr/share/certs/trusted/myroot.pem /etc/ssl/certs/97efb5b5.0
3) append content of myroot.pem to /etc/ssl/cert.pem, i.e. use: cat myroot.pem
| sudo tee -a /etc/ssl/cert.pem
4) verify that OpenSSL can verify a server certificate that is derived from the
newly imported root certificate, i.e. use: openssl s_client -connect
server:8443
5) make sure that python is looking into the correct directories for SSL certs,
i.e. use: python3.7 -c "import ssl; print(ssl.get_default_verify_paths())"
6) try a python request to the server, i.e. use: python3.7 -c "import requests;
print(requests.get('https://server:8443').text)"

Actual Results:
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/urllib3/contrib/pyopenssl.py", line 488, in wrap_socket
    cnx.do_handshake()
  File "/usr/local/lib/python3.7/site-packages/OpenSSL/SSL.py", line 1915, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/local/lib/python3.7/site-packages/OpenSSL/SSL.py", line 1647, in _raise_ssl_error
    _raise_current_error()
  File "/usr/local/lib/python3.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 677, in urlopen
    chunked=chunked,
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 381, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 978, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.7/site-packages/urllib3/connection.py", line 371, in connect
    ssl_context=context,
  File "/usr/local/lib/python3.7/site-packages/urllib3/util/ssl_.py", line 386, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/local/lib/python3.7/site-packages/urllib3/contrib/pyopenssl.py", line 494, in wrap_socket
    raise ssl.SSLError("bad handshake: %r" % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 727, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/usr/local/lib/python3.7/site-packages/urllib3/util/retry.py", line 446, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='server', port=8443): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/local/lib/python3.7/site-packages/requests/api.py", line 75, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='server', port=8443): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))

Expected Results:
HTML content from the server's website (i.e. 'Hello World')

Additional Information:
When I modify the request so I explicitly tell python to use /etc/ssl/cert.pem
for verification, I get my 'Hello World' and no error...

python3.7 -c "import requests; print(requests.get('https://server:8443',
verify='/etc/ssl/cert.pem').text)"

Also, the output of python's ssl.get_default_verify_paths() shows me that it
seems to look all in the right places:

DefaultVerifyPaths(cafile='/etc/ssl/cert.pem', capath='/etc/ssl/certs',
openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/etc/ssl/cert.pem',
openssl_capath_env='SSL_CERT_DIR', openssl_capath='/etc/ssl/certs')

-- 
You are receiving this mail because:
You are the assignee for the bug.
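Editor's note on the report above, with an added example that is not part of the bug report and not code from the reporter, the port or the requests project. The traceback goes through urllib3's pyopenssl contrib module, and requests does not consult the OpenSSL default paths that ssl.get_default_verify_paths() prints: it verifies against the bundle named by the `verify` argument, the REQUESTS_CA_BUNDLE or CURL_CA_BUNDLE environment variable, or, failing those, certifi's bundled Mozilla roots (requests.utils.DEFAULT_CA_BUNDLE_PATH). A root appended to /etc/ssl/cert.pem therefore never reaches a requests call that uses the default, which is consistent with `verify='/etc/ssl/cert.pem'` working. The script below reproduces the mechanism offline: it mints a root CA and a leaf certificate with the `openssl` CLI (assumed on PATH; all names and files are invented for the demo), serves the leaf from a local HTTPS socket, and connects twice with the standard library's ssl module, once trusting a bundle that contains the issuing root and once trusting a bundle that lacks it.

```python
# Added example for this bug report; not code from the reporter, the port or the
# requests project.  It shows that TLS verification succeeds or fails purely on
# the CA bundle the client actually loads, regardless of the paths reported by
# ssl.get_default_verify_paths().  Assumes an `openssl` binary on PATH; the CA
# names, host name and temporary files are invented for the demo.
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "localhost"  # name the demo server certificate is issued for (assumption)

def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)

def make_root(tmp, slug, cn):
    """Self-signed root CA on disk (stand-in for the reporter's myroot.pem)."""
    key, crt = os.path.join(tmp, slug + ".key"), os.path.join(tmp, slug + ".pem")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=" + cn, "-keyout", key, "-out", crt)
    return key, crt

def make_server_cert(tmp, ca_key, ca_crt):
    """Leaf certificate for HOST issued by the root, with a SAN for hostname checks."""
    key, csr, crt = (os.path.join(tmp, "server." + e) for e in ("key", "csr", "pem"))
    ext = os.path.join(tmp, "san.cnf")
    with open(ext, "w") as f:
        f.write("subjectAltName=DNS:%s\n" % HOST)
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
             "-subj", "/CN=" + HOST, "-keyout", key, "-out", csr)
    _openssl("x509", "-req", "-days", "1", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
             "-CAcreateserial", "-extfile", ext, "-out", crt)
    return key, crt

def serve_once(srv_key, srv_crt):
    """One-shot HTTPS server on 127.0.0.1 answering 'Hello World'; returns (port, thread)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(srv_crt, srv_key)
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(1)

    def handler():
        conn, _ = lsock.accept()
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(4096)
                tls.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 11\r\n\r\nHello World")
        except OSError:
            pass  # handshake aborted: the client did not trust our chain
        finally:
            lsock.close()

    thread = threading.Thread(target=handler, daemon=True)
    thread.start()
    return lsock.getsockname()[1], thread

def _read_body(tls):
    """Read one HTTP response with a Content-Length header and return its body."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = tls.recv(4096)
        if not chunk:
            raise ConnectionError("EOF before end of headers")
        buf += chunk
    head, body = buf.split(b"\r\n\r\n", 1)
    length = int(next(h.split(b":", 1)[1] for h in head.split(b"\r\n")
                      if h.lower().startswith(b"content-length:")))
    while len(body) < length:
        chunk = tls.recv(4096)
        if not chunk:
            break
        body += chunk
    return body.decode()

def fetch(port, cafile):
    """GET / trusting only the roots in `cafile` (nothing else is loaded); returns (ok, detail)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=HOST) as tls:
            tls.sendall(b"GET / HTTP/1.0\r\nHost: " + HOST.encode() + b"\r\n\r\n")
            return True, _read_body(tls)
    except ssl.SSLCertVerificationError as e:
        return False, e.reason  # 'CERTIFICATE_VERIFY_FAILED'

def demo():
    """Same server and certificate, two trust stores: one holding the issuing root
    (like /etc/ssl/cert.pem after step 3) and one that lacks it."""
    with tempfile.TemporaryDirectory() as tmp:
        ca_key, ca_crt = make_root(tmp, "corp-root", "Corp Test Root")
        _, other_crt = make_root(tmp, "other-root", "Unrelated Public Root")
        srv_key, srv_crt = make_server_cert(tmp, ca_key, ca_crt)
        results = {}
        for label, bundle in (("with-root", ca_crt), ("without-root", other_crt)):
            port, thread = serve_once(srv_key, srv_crt)
            results[label] = fetch(port, bundle)
            thread.join(5)
        return results

if __name__ == "__main__":
    for label, (ok, detail) in demo().items():
        print("%-13s ok=%-5s %s" % (label, ok, detail))
```

Run it with any Python 3.7 or later: the `with-root` connection returns the body 'Hello World', the `without-root` connection fails with CERTIFICATE_VERIFY_FAILED even though the server, its certificate and the OpenSSL default paths are identical in both runs. The practitioner's check on a requests install is therefore `python3 -c "import requests.utils as u; print(u.DEFAULT_CA_BUNDLE_PATH)"` (which prints certifi's file, not /etc/ssl/cert.pem) and, for scripts that must honour the system store, either `verify='/etc/ssl/cert.pem'` as in the report or `REQUESTS_CA_BUNDLE=/etc/ssl/cert.pem` in the environment.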