STINNER Victor added the comment:

Script to reproduce the issue:
---
import ssl
pem = ssl.get_server_certificate(('svn.python.org', 443),
                                 ca_certs="Lib/test/https_svn_python_org_root.pem")
print("PEM: %r" % pem)
---

It looks like the handshake fails with PROTOCOL_SSLv3, which is the default 
protocol, but works with PROTOCOL_SSLv23.

_create_stdlib_context(), SSLContext and wrap_socket use PROTOCOL_SSLv23, which 
is said to be the "most compatibility with other versions" protocol. Why does 
get_server_certificate() use PROTOCOL_SSLv3?

get_server_certificate() was added in 2007 by changeset 9041965a92f2 and it 
has used PROTOCOL_SSLv3 since that version.

"openssl s_client" says that the server speaks TLSv1.2, which is the most recent 
TLS version and probably the most secure. Is it possible somehow to try 
TLSv1.2, and then fall back to other versions if the latest version is not 
supported?

For the initial issue, it looks like a change on the server side (svn.python.org). 
I don't think that the ssl module, the unit test or the certificate of the 
authority changed recently. The python.org website has been changed recently.

----------
nosy: +christian.heimes

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue20896>
_______________________________________
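
An added example, not part of the original message or of the ssl module's own code: a certificate fetch that lets the handshake negotiate the highest TLS version both peers support instead of pinning one protocol, with a TLS 1.2 floor. The helper names `negotiating_context` and `fetch_certificate` are hypothetical, and Python 3.7+ is assumed.

```python
import socket
import ssl


def negotiating_context(cafile=None, floor=ssl.TLSVersion.TLSv1_2):
    """Client context that is not pinned to one protocol version.

    The version is chosen during the handshake: the highest one both
    peers support wins, and anything below `floor` is refused.
    """
    # create_default_context() enables chain and hostname verification.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = floor
    return ctx


def fetch_certificate(host, port=443, cafile=None, timeout=10.0):
    """Return (negotiated_version, pem_certificate) for host:port."""
    ctx = negotiating_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # server_hostname sends SNI and is what the hostname check uses.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return tls.version(), ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    # Host and CA file taken from the reproduction script in the message.
    try:
        version, pem = fetch_certificate(
            "svn.python.org", 443,
            cafile="Lib/test/https_svn_python_org_root.pem")
    except (OSError, ssl.SSLError) as exc:
        # A version mismatch surfaces here as a handshake failure.
        print("fetch failed: %r" % exc)
    else:
        print("negotiated %s" % version)
        print("PEM: %r" % pem)
```
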