Re: [python-tulip] TLS handshake exception. Bug/Comments/HeartBleed?

2014-05-06 Thread Imran Geriskovan
Honestly, I do expect some misconfiguration on my side but I couldn't track
it down to the source. So I want to make sure I'm the only one with
such a problem.

The machine is an up to date Debian Sid with all fresh updates.
sources.list: deb http://ftp.debian.org/debian unstable main contrib non-free

It has a typical installation with no customizations on Python,
OpenSSL, ca-certificates, etc. ca-certificates is especially up-to-date.

A site example:
www.linkedin.com:443 Can connect
static.licdn.com:443 Cannot connect

Regards, Imran


Re: [python-tulip] TLS handshake exception. Bug/Comments/HeartBleed?

2014-05-06 Thread Glyph
On May 6, 2014, at 6:07 AM, Imran Geriskovan imran.gerisko...@gmail.com wrote:

> Honestly, I do expect some misconfiguration on my side but I couldn't track
> it down to the source. So I want to make sure I'm the only one with
> such a problem.
>
> The machine is an up to date Debian Sid with all fresh updates.
> sources.list: deb http://ftp.debian.org/debian unstable main contrib non-free
>
> It has a typical installation with no customizations on Python,
> OpenSSL, ca-certificates, etc. ca-certificates is especially up-to-date.
>
> A site example:
> www.linkedin.com:443 Can connect
> static.licdn.com:443 Cannot connect


You can narrow down the problem by doing something like this:

echo | openssl s_client -CApath /etc/ssl/certs/ -connect static.licdn.com:443 | grep 'Verify return code'

Both verify OK for me here on Ubuntu 14.04 and OS X 10.9.

If that says the same thing as asyncio (ok for linkedin.com, not ok for
licdn.com), then perhaps the issue is with your network.

Good luck,

-glyph


Re: [python-tulip] TLS handshake exception. Bug/Comments/HeartBleed?

2014-05-06 Thread Imran Geriskovan
Thank you. Results for
echo | openssl s_client -CApath /etc/ssl/certs/ -connect static.licdn.com:443 | grep 'Verify return code':

www.linkedin.com:443 OK
static.licdn.com:443: Verify return code: 20 (unable to get local issuer certificate)!
That's parallel to what asyncio also says.

Interestingly, Firefox (Iceweasel) does not complain when opening
https://static.licdn.com
with its usual "This Connection is Untrusted" page.
Is it a MITM setup which is detected by openssl/asyncio but not Firefox?

Some other sites:
mail.google.com:443 OK for now. But was NOK for a while.
www.reddit.com:443 NOK. Firefox complains too.
Though it says the cert is valid for *.akamaihd.net,
*.akamaihd-staging.net, a248.e.akamai.net.
Optimistic possibility may be a misconfigured CDN network + wave of
certificate renewals.

Imran


Re: [python-tulip] TLS handshake exception. Bug/Comments/HeartBleed?

2014-05-06 Thread Victor Stinner
2014-05-07 0:55 GMT+02:00 Imran Geriskovan imran.gerisko...@gmail.com:
> Interestingly, Firefox (Iceweasel) does not complain when opening
> https://static.licdn.com
> with its usual "This Connection is Untrusted" page.
> Is it a MITM setup which is detected by openssl/asyncio but not Firefox?

I'm not sure that Firefox uses the same list of CAs as asyncio.
Firefox may trust more CAs.

Victor


Re: [python-tulip] TLS handshake exception. Bug/Comments/HeartBleed?

2014-05-06 Thread Glyph

On May 6, 2014, at 4:47 PM, Victor Stinner victor.stin...@gmail.com wrote:

> 2014-05-07 0:55 GMT+02:00 Imran Geriskovan imran.gerisko...@gmail.com:
>> Interestingly, Firefox (Iceweasel) does not complain when opening
>> https://static.licdn.com
>> with its usual "This Connection is Untrusted" page.
>> Is it a MITM setup which is detected by openssl/asyncio but not Firefox?
>
> I'm not sure that Firefox uses the same list of CAs as asyncio.
> Firefox may trust more CAs.

Trusting more or fewer CAs isn't the issue; it's just a different source.  
asyncio is getting its list of CAs from OpenSSL's default verify locations, 
which means (on Debian) /etc/ssl/certs.  Firefox has its own separate trust 
store which can be different.  They're basically supposed to be the same - just 
look at the description of the package on 
https://launchpad.net/ca-certificates: "certificate authorities used by the 
Debian infrastructure and those shipped with Mozilla's browsers."

For what it's worth, static.licdn.com has really bad security; you should count 
your blessings that you can't connect to it :).  
https://www.ssllabs.com/ssltest/analyze.html?d=static.licdn.com.  Maybe your 
OpenSSL is mad about one of those things?

At any rate, if other OpenSSL programs on the same computer are having the same 
results, this isn't an asyncio issue per se, and you should probably find an 
OpenSSL or Debian mailing list to ask :-).

Good luck,

-glyph
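The result the thread converges on, as an added example that is not code from the thread, from asyncio or from OpenSSL: OpenSSL's "Verify return code: 20 (unable to get local issuer certificate)" means the client could not find the certificate that issued the server's leaf, and the usual cause is a server that sends only its leaf and omits the intermediate CA certificate. That also accounts for a browser succeeding where a fresh OpenSSL client fails without the two trusting different roots: Firefox keeps intermediates it has seen on earlier connections and can complete the chain from that cache, whereas asyncio, which verifies through OpenSSL against /etc/ssl/certs, has only the roots plus whatever this server sent. Whether that was the exact state of static.licdn.com at the time is not established by the thread; the example reproduces the three situations with a constructed root -> intermediate -> leaf PKI built in-process. It is written in Go because its standard library can mint test certificates without extra packages; the host name static.example.test, the CA names and the verdict labels are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const host = "static.example.test" // constructed host name, not a real site

// issue creates an ECDSA P-256 certificate for cn signed by parent (nil parent: self-signed root).
func issue(serial int64, cn string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	if !ca { // server leaf: host name goes in the SAN, with the server-auth EKU
		tmpl.DNSNames, tmpl.KeyUsage, tmpl.ExtKeyUsage = []string{cn}, x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyChain does what a TLS client does with the certificates a server sent (raw[0] is the
// leaf, the rest are intermediates): build a path to a trusted root, using any intermediates
// the client already knew (cached) as well as the ones the server supplied.
func verifyChain(raw [][]byte, roots *x509.CertPool, cached []*x509.Certificate) error {
	if len(raw) == 0 {
		return fmt.Errorf("server sent no certificate")
	}
	leaf, err := x509.ParseCertificate(raw[0])
	if err != nil {
		return err
	}
	inter := x509.NewCertPool()
	for _, c := range cached {
		inter.AddCert(c)
	}
	for _, der := range raw[1:] {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return err
		}
		inter.AddCert(c)
	}
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}

// verdicts builds a constructed root -> intermediate -> leaf chain and checks the leaf in the
// three situations from the thread; the client trusts only the root, as a trust store would.
func verdicts() (map[string]string, error) {
	root, rootKey, err := issue(1, "Constructed Root CA", true, nil, nil)
	if err != nil {
		return nil, err
	}
	inter, interKey, err := issue(2, "Constructed Intermediate CA", true, root, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, _, err := issue(3, host, false, inter, interKey)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	label := func(err error) string {
		if err == nil {
			return "OK"
		} else if _, missing := err.(x509.UnknownAuthorityError); missing { // OpenSSL's "Verify return code: 20"
			return "unable to get local issuer certificate"
		}
		return err.Error()
	}
	full, leafOnly := [][]byte{leaf.Raw, inter.Raw}, [][]byte{leaf.Raw}
	return map[string]string{
		"full chain, fresh client":       label(verifyChain(full, roots, nil)),                                // well-configured server
		"leaf only, fresh client":        label(verifyChain(leafOnly, roots, nil)),                            // what OpenSSL/asyncio reported
		"leaf only, cached intermediate": label(verifyChain(leafOnly, roots, []*x509.Certificate{inter})), // browser that has seen the intermediate before
	}, nil
}

func main() { fmt.Println(verdicts()) }
```

Against a real server the same distinction is visible with `openssl s_client -showcerts`, which prints every certificate the server sent: a single certificate where a leaf plus intermediate is expected is the second case above, and the fix belongs on the server (ship the full chain), not in the client's trust store. Adding the intermediate to /etc/ssl/certs would make the local client work but hides the misconfiguration from every other client that does not have it cached.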