Christian Heimes <li...@cheimes.de> added the comment:
Cert revocation check is working fine for me. I've attached a demo script that uses badssl.com:

$ curl -O http://crl3.digicert.com/ssca-sha2-g5.crl
$ openssl crl -in ssca-sha2-g5.crl -inform DER -out ssca-sha2-g5.pem.crl -outform PEM
$ python3.7 testcrl.py
Traceback (most recent call last):
  File "testcrl.py", line 19, in <module>
    s.connect(('revoked.badssl.com', 443))
  File "/usr/lib64/python3.7/ssl.py", line 1141, in connect
    self._real_connect(addr, False)
  File "/usr/lib64/python3.7/ssl.py", line 1132, in _real_connect
    self.do_handshake()
  File "/usr/lib64/python3.7/ssl.py", line 1108, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate revoked (_ssl.c:1045)

openssl s_client:

$ cat /etc/pki/tls/cert.pem ssca-sha2-g5.pem.crl > combined.pem
$ openssl s_client -connect revoked.badssl.com:443 -servername revoked.badssl.com -CAfile combined.pem | grep Verify
Verify return code: 0 (ok)
$ openssl s_client -connect revoked.badssl.com:443 -servername revoked.badssl.com -CAfile combined.pem -crl_check | grep Verify
Verify return code: 23 (certificate revoked)

----------
Added file: https://bugs.python.org/file47679/testcrl.py

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue34078>
_______________________________________
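The s_client comparison above, done from Python's ssl module, as an added example (this is not the attached testcrl.py and not part of the original message). Function names are this example's own; the CRL filename is the one produced by the openssl crl step, and verify code 3 is OpenSSL's "unable to get certificate CRL".

```python
import socket
import ssl

# OpenSSL X509 verify codes relevant to CRL checking.
X509_V_ERR_UNABLE_TO_GET_CRL = 3   # flag set, but no CRL loaded for the issuer
X509_V_ERR_CERT_REVOKED = 23       # the code shown in the s_client output above


def build_context(crl_pem=None, check_crl=True):
    """Default verifying context; optionally load a PEM CRL and enforce it."""
    ctx = ssl.create_default_context()
    if crl_pem is not None:
        # CRLs are loaded into the same X509 store as CA certificates.
        ctx.load_verify_locations(cafile=crl_pem)
    if check_crl:
        # Without this flag a loaded CRL is ignored (the "0 (ok)" case).
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def classify(code):
    """Map an OpenSSL verify code to a short label."""
    if code == X509_V_ERR_CERT_REVOKED:
        return "revoked"
    if code == X509_V_ERR_UNABLE_TO_GET_CRL:
        return "no-crl-for-issuer"
    return "other-verify-failure"


def probe(host, ctx, port=443, timeout=10):
    """Handshake with host; return 'ok' or the classified verify failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return classify(exc.verify_code)


if __name__ == "__main__":
    crl = "ssca-sha2-g5.pem.crl"  # file produced by the openssl crl step
    for check in (False, True):
        print("check_crl=%s ->" % check,
              probe("revoked.badssl.com", build_context(crl, check)))
```

Setting VERIFY_CRL_CHECK_LEAF without loading a CRL for the leaf's issuer makes every handshake fail with code 3, so the flag and the CRL file have to be deployed together.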