[Python-Dev] Proposal for better SSL errors

Sat, 26 May 2012 12:33:41 -0700 

Hello,

In http://bugs.python.org/issue14837 I have attached a proof-of-concept
patch to improve the exceptions raised by the ssl module when OpenSSL
signals an error. The current situation is quite dismal, since you get
a sometimes cryptic error message with no viable opportunities for
programmatic introspection:

>>> ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>> ctx.verify_mode = ssl.CERT_REQUIRED
>>> sock = socket.create_connection(("svn.python.org", 443))
>>> sock = ctx.wrap_socket(sock)
Traceback (most recent call last):
[...]
ssl.SSLError: [Errno 1] _ssl.c:420: error:14090086:SSL 
routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


SSLError instances only have a "errno" attribute which doesn't actually
contain a meaningful value.

With the posted patch, the above error becomes:

>>> ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
>>> ctx.verify_mode = ssl.CERT_REQUIRED
>>> sock = socket.create_connection(("svn.python.org", 443))
>>> sock = ctx.wrap_socket(sock)
Traceback (most recent call last):
[...]
ssl.SSLError: [Errno 5] [SSL: CERTIFICATE_VERIFY_FAILED] certificate
verify failed (_ssl.c:494) [88296 refs]


Not only does the error string contain more valuable information (the
mnemonics "SSL" and "CERTIFICATE_VERIFY_FAILED" indicate, respectively,
in which subpart of OpenSSL and which precise error occurred), but they
are also introspectable:

>>> e = sys.last_value
>>> e.library
'SSL'
>>> e.reason
'CERTIFICATE_VERIFY_FAILED'

(these mnemonics correspond to OpenSSL's own #define'd numeric codes. I
find it more Pythonic to expose the mnemonics than the numbers, though.
Of course, the numbers <-> mnemnonics mappings can be separately
exposed)

You'll note there is still a "Errno 5" in that error message; I don't
really know what to do with it. Hard-wiring the errno attribute to
something like None *might* break existing software, although that
would be unlikely since the current errno value is quite meaningless
and confusing (it has nothing to do with POSIX errnos).


To clarify a bit my request, I am asking for feedback on the principle
more than on the implementation right now.

Regards

Antoine.


_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Reply via email to