First of all, I am not a direct user of the OpenSSL library, but I am
using it via Python 2.7 built-in module ssl, which in turn uses
OpenSSL. Since my problem is SSL specific, I thought people here would
be more apt to help me.

I have a web server and I need to make an HTTPS request to the
external server graph.facebook.com. It is plain in the Python urllib2
module documentation that, while it will happily establish an HTTPS
connection, it will not verify the server's certificate. So I was
trying to use the ssl module to get the servers certificate verified.

The problem is that the verification fails, and I have no clue of why.
My browser is able to verify the server's certificate using the same
root CA I provided to the ssl module, just type in
"https://graph.facebook.com/me". This small code shows the problem:

import socket, ssl
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
ssl_sock = ssl.wrap_socket(s,
                           ca_certs="DigiCertHighAssuranceEVRootCA.crt",
                           cert_reqs=ssl.CERT_REQUIRED)
ssl_sock.connect(('graph.facebook.com', 443))

Traceback (most recent call last):
  File "ssl_test.py", line 4, in <module>
    ssl_sock.connect(('graph.facebook.com', 443))
  File "/usr/lib/python2.7/ssl.py", line 299, in connect
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 283, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [Errno 1] _ssl.c:499: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

If I try the same code against 'ev-root.digicert.com', which is the
DigiCert test address for this certificate, it works and the host is
correctly verified.

So, do you have any clue on why the verification of this specific host
fails even if I have the correct root CA? Any suggestions on how I can
get more details on the problem?

-- 
Lucas Clemente Vella
lve...@gmail.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
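
One way to get more detail on a failure like the one in the post above, as an added example that is not part of the original message: it uses the Python 3.7+ ssl API rather than the 2.7 module-level `ssl.wrap_socket`, trusts only the supplied root file, and returns OpenSSL's verify code and message instead of the bare "certificate verify failed". The names `pinned_root_context` and `diagnose` are hypothetical, and hostname checking is enabled here, which `wrap_socket` with `cert_reqs` alone does not perform.

```python
import socket
import ssl


def pinned_root_context(ca_file=None):
    """Client context trusting only ca_file; the system CA store is not loaded."""
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED with check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ca_file is not None:  # None leaves the store empty: every chain is rejected
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def diagnose(host, port=443, ca_file=None, timeout=10.0):
    """Attempt a verified handshake and report why it failed, if it did."""
    ctx = pinned_root_context(ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "tls": tls.version(),
                        "subject": cert.get("subject"),
                        "issuer": cert.get("issuer")}
    except ssl.SSLCertVerificationError as exc:
        # verify_code is OpenSSL's X509_V_ERR_* number, e.g. 20 = no issuer
        # for some certificate in the chain was found in the trust store,
        # 62 = the certificate does not match server_hostname.
        return {"ok": False, "verify_code": exc.verify_code,
                "verify_message": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        # Handshake or transport failure unrelated to chain validation.
        return {"ok": False, "error": repr(exc)}


if __name__ == "__main__":
    # Host and root file as named in the post; needs network access.
    print(diagnose("graph.facebook.com", 443,
                   "DigiCertHighAssuranceEVRootCA.crt"))
```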
