[New-bugs-announce] [issue9706] ssl errors checking

Giampaolo Rodola' report at bugs.python.org
Sat Aug 28 21:19:03 CEST 2010 

New submission from Giampaolo Rodola' <g.rodola at gmail.com>:

There are various errors I think ssl module should check.
In the examples below I'll always refer to ssl.wrap_socket() function but I expect that ssl.SSLContext suffers the exact same issues.

=== server side mode ===

When server_side option is set to True it is always required that at least a certfile argument is specified. This condition is not verified if the socket is still not connected:

>>> ssl.wrap_socket(socket.socket(), server_side=1)
<ssl.SSLSocket object, fd=3, family=2, type=1, proto=0>

...later on, when the socket will be connected, we'll get this message:

SSLError: _ssl.c:296: Both the key & certificate files must be specified for server-side operation

I would change this behavior in SSLSocket constructor and raise ValueError if server_side is True and certfile is None.
Also, the message coming from the C code should be adjusted to state than keyfile argument is not mandatory.


=== server side on connect ===

>>> s = ssl.wrap_socket(socket.socket(), server_side=1)
>>> s.connect(('blogger.com', 443))
>>> 

For consistency I would expect something like ValueError("can't connect in server-side mode") on connect().


=== no such certfile ===

>>> os.path.exists('xxx')
False
>>> ssl.wrap_socket(socket.socket(), certfile='xxx')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/giampaolo/svn/python-3.2/Lib/ssl.py", line 404, in wrap_socket
    ciphers=ciphers)
  File "/home/giampaolo/svn/python-3.2/Lib/ssl.py", line 132, in __init__
    self.context.load_cert_chain(certfile, keyfile)
ssl.SSLError: [Errno 336445442] _ssl.c:1604: error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
>>> 

A simple "IOError No such file or directory 'xxx'" exception would be a lot more clear.


=== invalid certfile ===

>>> open('foo', 'w').write('blabla')
6
>>> ssl.wrap_socket(socket.socket(), certfile="foo")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/home/giampaolo/svn/python-3.2/Lib/ssl.py", line 404, in wrap_socket
    ciphers=ciphers)
  File "/home/giampaolo/svn/python-3.2/Lib/ssl.py", line 132, in __init__
    self.context.load_cert_chain(certfile, keyfile)
ssl.SSLError: [Errno 336445449] _ssl.c:1604: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
>>> 

If possible, the error should be more clear about what happened. Something like "malformed certfile was provided" or something.

----------
messages: 115166
nosy: giampaolo.rodola, janssen, pitrou
priority: normal
severity: normal
status: open
title: ssl errors checking
versions: Python 3.2

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue9706>
_______________________________________

More information about the New-bugs-announce mailing list