[issue23476] SSL cert verify fail for "www.verisign.com"

Donald Stufft report at bugs.python.org
Tue Feb 24 17:31:27 CET 2015


Donald Stufft added the comment:

It appears it's not actually an issue with the CA Bundle, but I don't think it's actually an issue with Python, though Python might be in the best situation to try and fix it...

Basically, it appears that OpenSSL does not look inside the trust root for any certificate served by the server. In this case the sites have a chain that looks like A -> B -> NEW ROOT being served by the server, and NEW ROOT is also signed by OLD ROOT. If I construct the chain being sent from the server so it doesn't have NEW ROOT, then everything works, but if the chain being sent from the server has NEW ROOT, then OpenSSL will only trust it if OLD ROOT is in the trust bundle. In this case Mozilla (and requests) has NEW ROOT in the trust bundle but not OLD ROOT, because OLD ROOT is a 1024 bit key.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue23476>
_______________________________________
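To make the chain behaviour in the comment concrete, here is an added shell walkthrough (not from the bug report or CPython) that builds the same shape of hierarchy with throwaway certificates and asks `openssl verify` to validate the leaf with only NEW ROOT trusted, once with the cross-signed NEW ROOT in the served chain and once without. All names and the `www.example.test` hostname are constructed; it assumes an `openssl` CLI on PATH.

```shell
#!/bin/sh
# Added demo, not from the report: OLD ROOT and NEW ROOT are self-signed, NEW ROOT
# is also cross-signed by OLD ROOT, B is an intermediate under NEW ROOT, A is the
# leaf. Only the self-signed NEW ROOT goes into the trust store (as in Mozilla's bundle).
set -e
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT; cd "$W"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# csr <name> <subject>: fresh RSA key plus a request for it
csr() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
}
# sign <csr-name> <out-name> <extfile> [issuer]: self-signed when no issuer is given
sign() {
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 \
      -extfile "$3" -out "$2.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
      -days 30 -extfile "$3" -out "$2.crt" 2>/dev/null
  fi
}

csr old "/CN=OLD ROOT";  sign old old ca.ext      # 1024-bit in the report; 2048 here
csr new "/CN=NEW ROOT";  sign new new ca.ext      # self-signed NEW ROOT (trust anchor)
sign new newcross ca.ext old                       # same key and subject, signed by OLD ROOT
csr b "/CN=B";           sign b b ca.ext new
csr a "/CN=www.example.test"; sign a a leaf.ext b

cat b.crt > chain_plain.pem                 # server sends A, B
cat b.crt newcross.crt > chain_cross.pem    # server sends A, B, cross-signed NEW ROOT

# verify_with <untrusted-chain>: validate A with only NEW ROOT trusted; prints OK or FAIL
verify_with() {
  if openssl verify -CAfile new.crt -untrusted "$1" a.crt >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# OpenSSL 1.1.0+ prefers trust-store certs while building the chain (trusted-first
# is the default), so both lines print OK; the 2015 report describes the older
# behaviour where the served cross-signed copy was followed up to the untrusted OLD ROOT.
echo "served chain A,B          : $(verify_with chain_plain.pem)"
echo "served chain A,B,NEW ROOT : $(verify_with chain_cross.pem)"
```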