From: bugzilla-noreply@freebsd.org
To: python@FreeBSD.org
Subject: [Bug 251562] lang/python37: SSLError 'certificate verify failed' despite correct looking /etc/ssl/cert.pem
Date: Thu, 03 Dec 2020 13:45:28 +0000
List-Id: FreeBSD-specific Python issues

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=251562

            Bug ID: 251562
           Summary: lang/python37: SSLError 'certificate verify failed'
                    despite correct looking /etc/ssl/cert.pem
           Product: Ports & Packages
           Version: Latest
          Hardware: amd64
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: python@FreeBSD.org
          Reporter: andreas.strauch@hotmail.com
             Flags: maintainer-feedback?(python@FreeBSD.org)

Overview:

The command

  python3.7 -c "import requests; print(requests.get('https://server:8443').text)"

fails with a 'certificate verify failed' error when additional root
certificates from the trust store should be used.

Steps to Reproduce:

1) Import a self-signed root certificate into /usr/share/certs/trusted,
   i.e. use:
     cp myroot.pem /usr/share/certs/trusted
2) Get the fingerprint from the root certificate and add a softlink to
   /etc/ssl/certs, i.e. use:
     ln -s /usr/share/certs/trusted/myroot.pem /etc/ssl/certs/97efb5b5.0
3) Append the content of myroot.pem to /etc/ssl/cert.pem, i.e. use:
     cat myroot.pem | sudo tee -a /etc/ssl/cert.pem
4) Verify that OpenSSL can verify a server certificate that is derived from
   the newly imported root certificate, i.e. use:
     openssl s_client -connect server:8443
5) Make sure that python is looking into the correct directories for SSL
   certs, i.e. use:
     python3.7 -c "import ssl; print(ssl.get_default_verify_paths())"
6) Try a python request to the server, i.e. use:
     python3.7 -c "import requests; print(requests.get('https://server:8443').text)"

Actual Results:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/urllib3/contrib/pyopenssl.py", line 488, in wrap_socket
    cnx.do_handshake()
  File "/usr/local/lib/python3.7/site-packages/OpenSSL/SSL.py", line 1915, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/local/lib/python3.7/site-packages/OpenSSL/SSL.py", line 1647, in _raise_ssl_error
    _raise_current_error()
  File "/usr/local/lib/python3.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 677, in urlopen
    chunked=chunked,
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 381, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 978, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.7/site-packages/urllib3/connection.py", line 371, in connect
    ssl_context=context,
  File "/usr/local/lib/python3.7/site-packages/urllib3/util/ssl_.py", line 386, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/local/lib/python3.7/site-packages/urllib3/contrib/pyopenssl.py", line 494, in wrap_socket
    raise ssl.SSLError("bad handshake: %r" % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])",)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/local/lib/python3.7/site-packages/urllib3/connectionpool.py", line 727, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/usr/local/lib/python3.7/site-packages/urllib3/util/retry.py", line 446, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='server', port=8443): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/local/lib/python3.7/site-packages/requests/api.py", line 75, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.7/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='server', port=8443): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')])")))

Expected Results:

HTML content from the server's website (i.e. 'Hello World')

Additional Information:

When I modify the request so I explicitly tell python to use
/etc/ssl/cert.pem for verification, I get my 'Hello World' and no error...

  python3.7 -c "import requests; print(requests.get('https://server:8443', verify='/etc/ssl/cert.pem').text)"

Also, the output of python's ssl.get_default_verify_paths() shows me that it
seems to look all in the right places:

  DefaultVerifyPaths(cafile='/etc/ssl/cert.pem', capath='/etc/ssl/certs', openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/etc/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/etc/ssl/certs')

-- 
You are receiving this mail because:
You are the assignee for the bug.
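The report checks ssl.get_default_verify_paths(), but that is the OpenSSL/stdlib view; requests resolves its CA file separately (REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, then the certifi bundle it ships), which is why the explicit verify= call succeeds. The following diagnostic is an added example, not part of the bug report or of the requests project; the PEM blocks, the fake filesystem and the certifi path /certifi/cacert.pem are constructed stand-ins.

```python
import os
import re
import ssl

try:
    import certifi                      # bundle that requests ships and uses by default
    CERTIFI_BUNDLE = certifi.where()
except ImportError:                     # stdlib-only host: requests would not import either
    CERTIFI_BUNDLE = None

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample data (not real certificates; only the PEM framing matters here).
MYROOT_PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgTVlST09U\n-----END CERTIFICATE-----\n"
PUBLIC_PEM = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgUFVCTElD\n-----END CERTIFICATE-----\n"
FAKE_FS = {"/etc/ssl/cert.pem": PUBLIC_PEM + MYROOT_PEM,   # step 3 appended myroot here
           "/certifi/cacert.pem": PUBLIC_PEM}             # requests' own bundle: no myroot

def requests_ca_bundle(env, certifi_path):
    """CA file requests hands to urllib3 for verify=True with trust_env=True.
    SSL_CERT_FILE/SSL_CERT_DIR and OpenSSL's built-in cert.pem are not consulted."""
    return env.get("REQUESTS_CA_BUNDLE") or env.get("CURL_CA_BUNDLE") or certifi_path

def pem_bodies(text):
    """Whitespace-normalised base64 body of every certificate in a PEM bundle."""
    return {re.sub(r"\s+", "", body) for body in _PEM_RE.findall(text)}

def bundle_contains(bundle_text, root_pem):
    """True when every certificate in root_pem appears verbatim in bundle_text."""
    wanted = pem_bodies(root_pem)
    return bool(wanted) and wanted <= pem_bodies(bundle_text)

def diagnose(env, certifi_path, root_pem, read_file=lambda p: open(p, errors="replace").read()):
    """Which bundle requests will load, and whether the imported root is in it."""
    bundle = requests_ca_bundle(env, certifi_path)
    present = bundle is not None and bundle_contains(read_file(bundle), root_pem)
    return {"requests_bundle": bundle, "root_present": present}

def demo():
    """Same root, two environments: requests' default vs. REQUESTS_CA_BUNDLE set to the system file."""
    default = diagnose({}, "/certifi/cacert.pem", MYROOT_PEM, FAKE_FS.__getitem__)
    fixed = diagnose({"REQUESTS_CA_BUNDLE": "/etc/ssl/cert.pem"}, "/certifi/cacert.pem",
                     MYROOT_PEM, FAKE_FS.__getitem__)
    return default, fixed

if __name__ == "__main__":
    print("ssl default paths   :", ssl.get_default_verify_paths())   # what step 5 prints
    print("live requests bundle:", requests_ca_bundle(os.environ, CERTIFI_BUNDLE))
    print("constructed demo    :", demo())
```

On a live host, point diagnose() at os.environ, CERTIFI_BUNDLE and the real myroot.pem; the remedy it points to is exporting REQUESTS_CA_BUNDLE=/etc/ssl/cert.pem (or passing verify=) so requests loads the same store OpenSSL does.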