Antoine Pitrou added the comment:
> Python's SSL isn't using that. Python is taking in one big text file
> of SSL certs, with no link structure, and feeding it to OpenSSL.
Python's SSL is not "taking" anything:
>>> r = urlopen('https://www.verisign.com')
>>> r.read(10)
b' <!DOCTYPE'
It's only if you feed it that particular CA file that you get the issue:
>>> cafile = 'cacert.pem'
>>> r = urlopen('https://www.verisign.com', cafile=cafile)
[...]
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed (_ssl.c:600)>
You can *also* feed it a CA directory by using the "CApath" argument (*not*
"CAfile").
Now it remains to be seen why "openssl s_client" works with the file
nevertheless.
----------
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue23476>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
