[pyOpenSSL] Problem with pyOpenSSL 0.10 and OpenSSL 0.9.8m
M.-A. Lemburg
mal at egenix.com
Mon Mar 15 21:55:08 CET 2010
exarkun at twistedmatrix.com wrote:
> On 12:04 pm, mal at egenix.com wrote:
>> M.-A. Lemburg wrote:
>>> OpenSSL just released version 0.9.8m where they changed the
>>> SSL renegotiation scheme to now follow RFC 5746 instead of
>>> just disabling it completely:
>>>
>>> http://tools.ietf.org/html/rfc5746
>>>
>>> pyOpenSSL compiles against the new version without problems,
>>> but one of the unit tests fails on Linux x64 (and perhaps
>>> other platforms as well):
>>>> python OpenSSL/test/test_ssl.py
>>> .......E....
>>> ======================================================================
>>> ERROR: test_set_default_verify_paths (__main__.ContextTests)
>>> ----------------------------------------------------------------------
>>> Traceback (most recent call last):
>>> File "OpenSSL/test/test_ssl.py", line 253, in
>>> test_set_default_verify_paths
>>> clientSSL.do_handshake()
>>> Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate
>>> verify failed')]
>>>
>>> ----------------------------------------------------------------------
>>> Ran 12 tests in 0.660s
>>>
>>> FAILED (errors=1)
>>>
>>> The test connects to https://verisign.com/
>>> I've tried a few other sites as well, but always get the same
>>> error.
>>
>> I tried the same on Linux x86 with the same results.
>>
>> I then also checked pyOpenSSL 0.9.0 with OpenSSL 0.9.8l
>> and again get the same results.
>>
>> Perhaps there's something wrong with my test setup ? I've
>> done the tests on two different machines.
>
> This test depends on OpenSSL having been built so that it has access to
> the platform-provided CA certificate database. It sounds like your
> builds weren't done this way.
>
> I've never actually built OpenSSL this way myself, and I have very
> little idea what is involved in doing so. I know that Ubuntu's OpenSSL
> builds have this enabled, but as far as I know none of the other widely
> used builds for other platforms do (I've looked at OS X and Windows and
> they don't, I'm not sure about other Linux distros).
>
> Unfortunately I don't have much more info than that about the feature,
> so I can't make any suggestions about how to check to see if this is
> really the problem, or how to change the build in order to fix it.
Thanks for the hint. Here's the full background:
http://www.madboa.com/geek/openssl/#verify-system
Different OSes place the trusted certificate database files in
different places and non of them uses the OpenSSL default which
is /usr/local/ssl and a subdir certs/.
The only way to work around this appears to be to call
ctx.load_verify_locations() to point the context to the
right set of trusted certificates.
I believe that the test should apply such a setup for
the verisign.com certificate authority instead of
relying on a platform provided default setup, ie. use
its own certs/ subdir with the root CA certificates that
are used by verisign.com.
In any case, the above test failure is a problem with the test
setup more than anything else.
Here's a version of the test which works on OpenSUSE:
# Arg, verisign.com doesn't speak TLSv1
context = Context(SSLv3_METHOD)
#context.set_default_verify_paths()
context.load_verify_locations(None, '/etc/ssl/certs')
context.set_verify(
VERIFY_PEER,
lambda conn, cert, errno, depth, preverify_ok: preverify_ok)
client = socket()
client.connect(('verisign.com', 443))
clientSSL = Connection(context, client)
clientSSL.set_connect_state()
clientSSL.do_handshake()
clientSSL.send('GET / HTTP/1.0\r\n\r\n')
self.assertTrue(clientSSL.recv(1024))
--
Marc-Andre Lemburg
eGenix.com
Professional Python Services directly from the Source (#1, Mar 15 2010)
>>> Python/Zope Consulting and Support ... http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
________________________________________________________________________
::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
Registered at Amtsgericht Duesseldorf: HRB 46611
http://www.egenix.com/company/contact/
More information about the pyopenssl-users
mailing list