Changes by Jesús Cea Avión j...@jcea.es:
--
nosy: +jcea
___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue23476
___
___
Python-bugs-list mailing list
Ned Deily added the comment:
Issue23593 opened to request Windows and OS X installer OpenSSL updates to 1.0.2
--
nosy: +ned.deily
Donald Stufft added the comment:
It was merged to the 2.7 branch, so it'll be released as part of 2.7.10.
--
John Nagle added the comment:
Will this be applied to the Python 2.7.9 library as well?
--
Antoine Pitrou added the comment:
Benjamin, can you please add at least a comment describing why you added the
flag? We have enough obscure-looking code in _ssl.c as it is.
--
Christian Heimes added the comment:
The Windows binaries of Python 2.7.9 are compiled with OpenSSL 1.0.1j. The
feature is only available in OpenSSL 1.0.2. The next version of Python must
be compiled with 1.0.2 or better. Otherwise the bug pops up again.
--
Antoine Pitrou added the comment:
Uh, the comment is already there. I don't know how I missed that. Sorry.
--
Changes by Donald Stufft don...@stufft.io:
--
keywords: +needs review
resolution: not a bug ->
stage: resolved -> patch review
status: closed -> open
Roundup Robot added the comment:
New changeset 7f64437a707f by Benjamin Peterson in branch '3.4':
enable X509_V_FLAG_TRUSTED_FIRST when possible (closes #23476)
https://hg.python.org/cpython/rev/7f64437a707f
New changeset 37da00170836 by Benjamin Peterson in branch '2.7':
enable
Cory Benfield added the comment:
My reading of the OpenSSL issue is that there are no negative side effects from
turning this on.
--
Alex Gaynor added the comment:
It looks like the existing `verify_flags` param is actually the same thing, so
we can just use it. That said, I think this should be on by default, I can't
think of a scenario you don't want it.
--
Christian Heimes added the comment:
With the patch the flag is always set. Are there any possible side effects?
IMHO it's better to add a store_flags property and make the feature optional.
--
Ian Cordasco added the comment:
So it seems like
https://rt.openssl.org/Ticket/Display.html?user=guestpass=guestid=3621
includes a fix that we may be able to update Python to use (safely) by default.
If we don't then this will continue to be an issue.
Other references:
-
Donald Stufft added the comment:
There actually *is* an API that can be set that will cause OpenSSL to use the
shortest trust path it can, however it's only available in OpenSSL 1.0.2+ which
means it'll solve it for a handful of people but not the bulk of people.
--
Alex Gaynor added the comment:
I'm attaching a patch that does what Donald suggests.
--
keywords: +patch
Added file: http://bugs.python.org/file38287/store.diff
Antoine Pitrou added the comment:
Python's SSL isn't using that. Python is taking in one big text file
of SSL certs, with no link structure, and feeding it to OpenSSL.
Python's SSL is not taking anything:
r = urlopen('https://www.verisign.com')
r.read(10)
b' !DOCTYPE'
It's only if you
Changes by Cory Benfield c...@lukasa.co.uk:
--
nosy: +Lukasa
Changes by Antoine Pitrou pit...@free.fr:
--
resolution: -> not a bug
stage: -> resolved
status: open -> closed
Antoine Pitrou added the comment:
and it is not reproducible using openssl s_client
I have determined that s_client is buggy. It will always load the system certs
*if and only if* you also pass it a valid custom CA cert (which is the reverse
of what's expected).
This is where it happens (in
Antoine Pitrou added the comment:
Ok, this is really a bug in the cert bundle provided by requests and Firefox.
With requests 2.5.1:
$ SSL_CERT_DIR=/tmp SSL_CERT_FILE=/tmp openssl s_client -CAfile
requests/cacert.pem -connect verisign.com:443
= ok
With requests 2.5.2:
$ SSL_CERT_DIR=/tmp
Christian Heimes added the comment:
John, neither Python nor OpenSSL are shipped with certificates.
Python uses certificates from operating system. We decided against our own
certificate store because we wanted to avoid exactly this kind of trouble. If
Python can't verify a certificate then
Laura Creighton added the comment:
Antoine closed this, as a not python error, as
if you do not pass a valid certificate to openssl s_client
it will not read the system certificates, which is clearly
utterly surprising and nuts.
The problem, as I see it, is that fixing this clear
absurdity may
Changes by Aaron Meurer asmeu...@gmail.com:
--
nosy: +Aaron.Meurer
Cory Benfield added the comment:
The problem specifically is that OpenSSL only uses a *root* in the trust store
as an anchor. That means any certificate that is signed by another certificate
will not terminate the chain of trust. Browsers do better here, by trusting the
entirety of the trust
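As an added example (not code from the tracker thread or from CPython), this builds a verifying client context that loads a custom PEM bundle like the ones discussed above and explicitly requests the trusted-first chain building that Alex's `verify_flags` comment and Donald's OpenSSL 1.0.2+ comment refer to; the helpers report whether the linked OpenSSL exposes the flag and toggle it, so a verification failure against a bundle can be checked against the old chain-building behaviour. `make_context`, `set_trusted_first` and the `cafile` argument are names assumed here.

```python
import ssl

# ssl.VERIFY_X509_TRUSTED_FIRST is defined only when Python was built against
# OpenSSL 1.0.2 or newer; on 1.0.1 builds (such as the 2.7.9 Windows binaries
# mentioned in the thread) it is absent, so fall back to 0 (no-op).
TRUSTED_FIRST = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0)


def openssl_supports_trusted_first():
    """True when the linked OpenSSL exposes X509_V_FLAG_TRUSTED_FIRST."""
    return TRUSTED_FIRST != 0 and ssl.OPENSSL_VERSION_INFO >= (1, 0, 2)


def trusted_first_enabled(ctx):
    """Report whether the context asks OpenSSL to prefer chain anchors that are
    already in the trust store over longer paths through cross-signed roots."""
    return bool(ctx.verify_flags & TRUSTED_FIRST)


def set_trusted_first(ctx, enabled):
    """Toggle the flag. Clearing it reproduces the pre-1.0.2 chain building this
    issue describes, which is useful to confirm that a failure against a bundle
    is caused by a cross-signed root. Returns False if the build lacks the flag."""
    if not TRUSTED_FIRST:
        return False
    if enabled:
        ctx.verify_flags |= TRUSTED_FIRST
    elif trusted_first_enabled(ctx):
        ctx.verify_flags ^= TRUSTED_FIRST
    return trusted_first_enabled(ctx) == enabled


def make_context(cafile=None):
    """Verifying client context (CERT_REQUIRED plus hostname checking).
    `cafile` is an optional PEM bundle such as requests' cacert.pem; the path is
    an assumption of this example, not something the thread provides."""
    ctx = ssl.create_default_context()
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    set_trusted_first(ctx, True)
    return ctx
```

With a context from `make_context("cacert.pem")`, `ctx.wrap_socket(sock, server_hostname=host)` performs the same verification the thread tests with `openssl s_client -CAfile`, now with trusted-first chain building on builds that support it.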
John Nagle added the comment:
The fix in Ubuntu was to the Ubuntu certificate store, which is a directory
tree with one cert per file, with lots of symbolic links with names based on
hashes to express dependencies. Python's SSL isn't using that. Python is
taking in one big text file of SSL
Changes by Demian Brecht demianbre...@gmail.com:
--
nosy: +demian.brecht
Laura Creighton added the comment:
In https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1014640
it says :
FIX:
Fixed in Ubuntu 14.04 apparently.
Openssl upstream, see http://rt.openssl.org/Ticket/Display.html?id=2732
But I think the person who wrote that launchpad note was mistaken, as
Antoine Pitrou added the comment:
This may be related to a known, and fixed, OpenSSL bug.
Where do you see that the bug is fixed?
--
nosy: +pitrou
Laura Creighton added the comment:
I have this problem too.
Debian jessie/sid
Python 2.7.8 (default, Nov 18 2014, 14:57:17)
Python 3.4.2 (default, Nov 13 2014, 07:01:52)
--
nosy: +lac
John Nagle added the comment:
Add cert file for testing. Source of this file is
http://curl.haxx.se/ca/cacert.pem
--
Added file: http://bugs.python.org/file38166/cacert.pem
John Nagle added the comment:
To try this with the OpenSSL command line client, use this shell command:
openssl s_client -connect www.verisign.com:443 -CAfile cacert.pem
This provides more detailed error messages than Python provides.
verify error:num=20:unable to get local issuer
New submission from John Nagle:
SSL certificate verification fails for www.verisign.com when using the cert
list from Firefox. Other sites (google.com, python.org) verify fine.
This may be related to a known, and fixed, OpenSSL bug. See: