New submission from John Nagle:

SSL certificate verification fails for "www.verisign.com" when using the cert 
list from Firefox. Other sites ("google.com", "python.org") verify fine. 

This may be related to a known, and fixed, OpenSSL bug. See:

http://rt.openssl.org/Ticket/Display.html?id=2732&user=guest&pass=guest
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1014640 

Some versions of OpenSSL are known to be broken for cases where there are multiple 
valid certificate trees.  This happens when one root cert is being phased out 
in favor of another, and cross-signing is involved.

Python ships with its own copy of OpenSSL on Windows.  Tests for "www.verisign.com":

Win7, x64:

   Python 2.7.9 with OpenSSL 1.0.1j 15 Oct 2014. FAIL
   Python 3.4.2 with OpenSSL 1.0.1i 6 Aug 2014.  FAIL
   openssl s_client -OpenSSL 1.0.1h 5 Jun 2014   FAIL

Ubuntu 14.04 LTS, x64, using distro's versions of Python:

   Python 2.7.6 - test won't run, needs create_default_context
   Python 3.4.0 with OpenSSL 1.0.1f 6 Jan 2014.  FAIL
   openssl s_client  OpenSSL 1.0.1f 6 Jan 2014   PASS

That's with the same cert file in all cases. The OpenSSL version for Python 
programs comes from ssl.OPENSSL_VERSION. 

The Linux situation has me puzzled.  On Linux, Python is supposedly using the 
system version of OpenSSL. The versions match.  Why do Python and the OpenSSL 
command line client disagree?  Different options passed to OpenSSL by Python?

A simple test program and cert file are attached.  Please try this in your 
environment.

----------
components: Library (Lib)
files: ssltest.py
messages: 236158
nosy: nagle
priority: normal
severity: normal
status: open
title: SSL cert verify fail for "www.verisign.com"
versions: Python 2.7, Python 3.4
Added file: http://bugs.python.org/file38165/ssltest.py

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue23476>
_______________________________________
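
A way to rerun the comparison described in the report above, as an added example that is not the attached ssltest.py and not part of the original submission. It reports ssl.OPENSSL_VERSION, the handshake result and the verification error for a host checked against one CA bundle; the function names and the "cacert.pem" bundle name are assumptions.

```python
# Added example (not the attached ssltest.py): report how this interpreter
# verifies a host against one CA bundle, so results can be compared across systems.
import socket
import ssl
import sys


def make_context(cafile=None):
    """Verifying client context. With cafile set, only that bundle is trusted;
    create_default_context() loads the system default store only when no
    cafile/capath/cadata is given."""
    return ssl.create_default_context(cafile=cafile)


def check_host(host, port=443, cafile=None, timeout=10):
    """Attempt a verified TLS handshake and return a dict describing the outcome."""
    ctx = make_context(cafile)
    result = {
        "host": host,
        "openssl": ssl.OPENSSL_VERSION,
        "python": sys.version.split()[0],
        "trusted_cas": ctx.cert_store_stats()["x509_ca"],
        "verified": False,
        "error": None,
    }
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["verified"] = True
                result["issuer"] = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
    except ssl.SSLError as exc:       # includes certificate verification failure
        result["error"] = "TLS: %s" % exc
    except OSError as exc:            # DNS failure, refused connection, timeout
        result["error"] = "network: %s" % exc
    return result


if __name__ == "__main__":
    # Usage: python check.py cacert.pem host [host ...]
    # "cacert.pem" is a placeholder for the CA bundle under test.
    bundle, hosts = sys.argv[1], sys.argv[2:]
    for name in hosts:
        r = check_host(name, cafile=bundle)
        print("%-20s %-4s %s  %s" % (name, "PASS" if r["verified"] else "FAIL",
                                     r["openssl"], r["error"] or ""))
```

Running it with the same bundle under each interpreter gives one PASS/FAIL line per host together with the OpenSSL build that produced it.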