Python 2.7.9, 3.4.2 won't verify SSL cert for "verisign.com"

John Nagle nagle at animats.com
Tue Feb 17 02:05:31 EST 2015


Python 2.7.9, Windows 7 x64.
(also 3.4.2 on Win7, and 3.4.0 on Ubuntu 14.04)

There's something about the SSL cert for "https://www.verisign.com"
that won't verify properly from Python.  The current code looks
like this:

try:
    import httplib                      # Python 2
except ImportError:
    import http.client as httplib       # Python 3
import socket
import ssl

def testurlopen(host, certfile):
    port = httplib.HTTPS_PORT
    sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Default context: CERT_REQUIRED plus hostname check, trusting only certfile
    context = ssl.create_default_context(cafile=certfile)
    sock = context.wrap_socket(sk, server_hostname=host)
    try:
        sock.connect((host, port))      # handshake and verification happen here
    except EnvironmentError as message:
        print("Connection to \"%s\" failed: %s." % (host, message))
        return False
    print("Connection to \"%s\" succeeded." % (host,))
    return True

Works for "python.org", "google.com", etc.  I can connect to and
dump the server's certificate for those sites.  But for "verisign.com"
and "www.verisign.com", I get

Connection to "verisign.com" failed: [SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed (_ssl.c:581).

The certificate file, "cacert.pem", comes from Mozilla's list of
approved certificates, obtained from here:

http://curl.haxx.se/ca/cacert.pem

It has the cert for
"VeriSign Class 3 Public Primary Certification Authority - G5"
which is the root cert for "verisign.com".

After loading that cert file into an SSL context, I can dump the
context from Python with context.get_ca_certs()
and get this dict for that cert:

Cert: {'notBefore': u'Nov  8 00:00:00 2006 GMT',
       'serialNumber': u'18DAD19E267DE8BB4A2158CDCC6B3B4A',
       'notAfter': 'Jul 16 23:59:59 2036 GMT',
       'version': 3L,
       'subject': ((('countryName', u'US'),),
                   (('organizationName', u'VeriSign, Inc.'),),
                   (('organizationalUnitName', u'VeriSign Trust Network'),),
                   (('organizationalUnitName', u'(c) 2006 VeriSign, Inc. - For authorized use only'),),
                   (('commonName', u'VeriSign Class 3 Public Primary Certification Authority - G5'),)),
       'issuer': ((('countryName', u'US'),),
                  (('organizationName', u'VeriSign, Inc.'),),
                  (('organizationalUnitName', u'VeriSign Trust Network'),),
                  (('organizationalUnitName', u'(c) 2006 VeriSign, Inc. - For authorized use only'),),
                  (('commonName', u'VeriSign Class 3 Public Primary Certification Authority - G5'),))}

Firefox is happy with that cert.  The serial number of the root
cert matches the root cert Firefox displays.  So the root cert file
being used has the right cert for the cert chain back from
"www.verisign.com".

If I dump ssl.OPENSSL_VERSION from Python, I get "OpenSSL 1.0.1j 15 Oct
2014".  That's an OK version.

Something about that cert is unacceptable to the Python SSL module, but
what?  "CERTIFICATE VERIFY FAILED" doesn't tell me enough to
diagnose the problem.


				John Nagle
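When the root is in the bundle but verification still fails, the check to run next is whether the chain the server actually sends links to that root (a missing intermediate is the usual reason a browser, which caches intermediates, succeeds where OpenSSL fails). The following is an added example, not code from the post above: it walks certificate dicts in the same nested shape that getpeercert() and context.get_ca_certs() return, comparing issuer and subject names plus validity dates only (no signature checks); the G5 root entry uses the name and dates shown in the post, while the intermediate, leaf and hostname are constructed.

```python
import ssl
import time

def name_key(rdns):
    """Order-insensitive key for the nested RDN tuples that getpeercert()
    and SSLContext.get_ca_certs() use for 'subject' and 'issuer'."""
    return tuple(sorted(attr for rdn in rdns for attr in rdn))

def common_name(rdns):
    return dict(attr for rdn in rdns for attr in rdn).get('commonName', '?')

def find_issuer(cert, candidates):
    """First candidate whose subject name equals cert's issuer name, or None."""
    want = name_key(cert['issuer'])
    return next((c for c in candidates if name_key(c['subject']) == want), None)

def chain_gap(chain, store, now=None):
    """Walk the presented chain (leaf first) towards the trust store and
    return None if every link resolves, else a message naming the first
    break.  Only names and validity dates are checked, never signatures."""
    now = time.time() if now is None else now
    cert, hops = chain[0], 0
    while True:
        cn = common_name(cert['subject'])
        if not (ssl.cert_time_to_seconds(cert['notBefore']) <= now
                <= ssl.cert_time_to_seconds(cert['notAfter'])):
            return 'certificate "%s" is outside its validity period' % cn
        if find_issuer(cert, store) is not None:
            return None                        # anchored in the trust store
        if name_key(cert['subject']) == name_key(cert['issuer']):
            return 'self-signed root "%s" is not in the trust store' % cn
        nxt = find_issuer(cert, chain)
        if nxt is None or hops >= len(chain):  # hops guard stops issuer loops
            return ('issuer "%s" of "%s" was neither sent by the server nor '
                    'found in the trust store' % (common_name(cert['issuer']), cn))
        cert, hops = nxt, hops + 1

def make_cert(cn, issuer_cn, not_before, not_after):
    """Constructed cert dict in the shape the ssl module returns."""
    return {'subject': ((('commonName', cn),),), 'issuer': ((('commonName', issuer_cn),),),
            'notBefore': not_before, 'notAfter': not_after}

# Constructed sample: the G5 root's name and dates from the post, plus a hypothetical intermediate and leaf.
G5 = 'VeriSign Class 3 Public Primary Certification Authority - G5'
ROOT = make_cert(G5, G5, 'Nov  8 00:00:00 2006 GMT', 'Jul 16 23:59:59 2036 GMT')
INTER = make_cert('Example Intermediate CA', G5,
                  'Jan  1 00:00:00 2014 GMT', 'Jan  1 00:00:00 2019 GMT')
LEAF = make_cert('www.example.test', 'Example Intermediate CA',
                 'Jan  1 00:00:00 2014 GMT', 'Jan  1 00:00:00 2016 GMT')
```

Against a live server, feed it the dicts from a verified getpeercert() plus the intermediates the server sent, with `store = context.get_ca_certs()`; the message it returns is the detail that "CERTIFICATE_VERIFY_FAILED" omits.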
