Python 2.7.9, Windows 7 x64. (also 3.4.2 on Win7, and 3.4.0 on Ubuntu 14.04)
There's something about the SSL cert for "https://www.verisign.com" that won't verify properly from Python. The current code looks like this:

    # Python 2 module names; httplib is http.client on Python 3
    import httplib
    import socket
    import ssl

    def testurlopen(host, certfile) :
        port = httplib.HTTPS_PORT
        sk = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # Trust only the CA certificates in certfile
        context = ssl.create_default_context(cafile=certfile)
        sock = context.wrap_socket(sk, server_hostname=host)
        try:
            # The TLS handshake and certificate verification happen here
            sock.connect((host,port))
        except EnvironmentError as message :
            print("Connection to \"%s\" failed: %s." % (host, message))
            return False
        print("Connection to \"%s\" succeeded." % (host,))
        return True

Works for "python.org", "google.com", etc. I can connect to and dump the server's certificate for those sites. But for "verisign.com" and "www.verisign.com", I get

    Connection to "verisign.com" failed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581).

The certificate file, "cacert.pem", comes from Mozilla's list of approved certificates, obtained from here:

    http://curl.haxx.se/ca/cacert.pem

It has the cert for "VeriSign Class 3 Public Primary Certification Authority - G5" which is the root cert for "verisign.com". After loading that cert file into an SSL context, I can dump the context from Python with context.get_ca_certs() and get this dict for that cert:

    Cert: {'notBefore': u'Nov 8 00:00:00 2006 GMT',
     'serialNumber': u'18DAD19E267DE8BB4A2158CDCC6B3B4A',
     'notAfter': 'Jul 16 23:59:59 2036 GMT',
     'version': 3L,
     'subject': ((('countryName', u'US'),),
      (('organizationName', u'VeriSign, Inc.'),),
      (('organizationalUnitName', u'VeriSign Trust Network'),),
      (('organizationalUnitName', u'(c) 2006 VeriSign, Inc. - For authorized use only'),),
      (('commonName', u'VeriSign Class 3 Public Primary Certification Authority - G5'),)),
     'issuer': ((('countryName', u'US '),),
      (('organizationName', u'VeriSign, Inc.'),),
      (('organizationalUnitName', u'VeriSign Trust Network'),),
      (('organizationalUnitName', u'(c) 2006 VeriSign, Inc. - For authorized use only'),),
      (('commonName', u'VeriSign Class 3 Public Primary Certification Authority - G5'),))}

Firefox is happy with that cert. The serial number of the root cert matches the root cert Firefox displays. So the root cert file being used has the right cert for the cert chain back from "www.verisign.com".

If I dump ssl.OPENSSL_VERSION from Python, I get "OpenSSL 1.0.1j 15 Oct 2014". That's an OK version.

Something about that cert is unacceptable to the Python SSL module, but what? "CERTIFICATE VERIFY FAILED" doesn't tell me enough to diagnose the problem.

    John Nagle
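
On Python 3.7 and later (newer than the versions named in this post), the handshake exception carries OpenSSL's own verify code and message, which narrows down a bare "certificate verify failed". The following is an added example, not code from the original post; `explain`, `probe` and the `HINTS` table are names chosen here, and the hint texts are this example's wording for a subset of OpenSSL's codes.

```python
import socket
import ssl

# Subset of OpenSSL X509_V_ERR_* codes; hint wording is this example's own.
HINTS = {
    10: "a certificate in the chain has expired",
    18: "server sent a self-signed certificate that is not in the CA file",
    19: "chain ends in a self-signed root that is not in the CA file",
    20: "issuer of a certificate the server sent is not in the CA file",
    62: "certificate does not match the requested hostname",
}

def explain(exc):
    """Return (verify_code, message, hint) for a failed-handshake exception."""
    # verify_code / verify_message exist only on ssl.SSLCertVerificationError.
    code = getattr(exc, "verify_code", None)
    msg = getattr(exc, "verify_message", None) or str(exc)
    if code is None:
        hint = "not a certificate verification error"
    else:
        hint = HINTS.get(code, "no hint; inspect the chain the server sends")
    return code, msg, hint

def probe(host, cafile=None, port=443, timeout=10):
    """Attempt a verified handshake; on failure say why and return the leaf."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return {"ok": True}
    except ssl.SSLError as exc:
        code, msg, hint = explain(exc)
    # Second connection, unverified, used only to read the presented leaf
    # certificate so its issuer can be compared with context.get_ca_certs().
    leaf_pem = ssl.get_server_certificate((host, port))
    return {"ok": False, "code": code, "message": msg,
            "hint": hint, "leaf_pem": leaf_pem}

if __name__ == "__main__":
    # Constructed exception standing in for a real failed handshake.
    demo = ssl.SSLCertVerificationError(1, "certificate verify failed")
    demo.verify_code = 20
    demo.verify_message = "unable to get local issuer certificate"
    print(explain(demo))
```

`probe("example.org", "cacert.pem")` needs network access; the host name there is a placeholder.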