[issue36137] SSL verification fails for some sites inside windows docker container

2019-02-27 Thread Mika Fischer


New submission from Mika Fischer:

Inside a Windows Docker container, SSL verification fails for some but not all 
hosts.

See this issue over in the docker repo:
https://github.com/docker-library/python/issues/359

Maybe you guys could shed some light on what could be the possible.

To reproduce, install Docker for Windows and then:

This works:
```
docker run -ti python:3.7-windowsservercore-1809 python -c "import urllib.request as r; r.urlopen('https://bootstrap.pypa.io').close()"
```

This doesn't:
```
docker run -ti python:3.7-windowsservercore-1809 python -c "import urllib.request as r; r.urlopen('https://google.com').close()"
Traceback (most recent call last):
  File "C:\Python\lib\urllib\request.py", line 1317, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "C:\Python\lib\http\client.py", line 1229, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "C:\Python\lib\http\client.py", line 1275, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "C:\Python\lib\http\client.py", line 1224, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "C:\Python\lib\http\client.py", line 1016, in _send_output
    self.send(msg)
  File "C:\Python\lib\http\client.py", line 956, in send
    self.connect()
  File "C:\Python\lib\http\client.py", line 1392, in connect
    server_hostname=server_hostname)
  File "C:\Python\lib\ssl.py", line 412, in wrap_socket
    session=session
  File "C:\Python\lib\ssl.py", line 853, in _create
    self.do_handshake()
  File "C:\Python\lib\ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "", line 1, in 
  File "C:\Python\lib\urllib\request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "C:\Python\lib\urllib\request.py", line 525, in open
    response = self._open(req, data)
  File "C:\Python\lib\urllib\request.py", line 543, in _open
    '_open', req)
  File "C:\Python\lib\urllib\request.py", line 503, in _call_chain
    result = func(*args)
  File "C:\Python\lib\urllib\request.py", line 1360, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "C:\Python\lib\urllib\request.py", line 1319, in do_open
    raise URLError(err)
urllib.error.URLError: 
```

--
assignee: christian.heimes
components: SSL
messages: 336761
nosy: Mika Fischer, christian.heimes
priority: normal
severity: normal
status: open
title: SSL verification fails for some sites inside windows docker container
type: behavior
versions: Python 3.6, Python 3.7, Python 3.8

___
Python tracker 
<https://bugs.python.org/issue36137>
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue36137] SSL verification fails for some sites inside windows docker container

2019-02-27 Thread Mika Fischer


Mika Fischer added the comment:

Sorry if I wasn't completely clear. This issue occurs only on Windows and only 
when running Python inside a Windows Docker container.

The question is what Python is using on Windows to verify SSL certificates and 
what might be different inside the container that might let that process fail 
for some hosts and not for others...

--




[issue36137] SSL verification fails for some sites inside windows docker container

2019-02-27 Thread Mika Fischer


Mika Fischer added the comment:

> This is probably a duplicate of #36137.

I think you mixed up the issue number, #36137 is this issue.

> Windows doesn't have CA certs pre-installed. They are downloaded from the 
> update server on demand. Python doesn't trigger the update but only uses 
> certs that are already present. It's a design flaw in my implementation. I 
> wasn't aware of Windows' behavior when I hooked up the Windows cert store to 
> the SSL module.

Oh, so that means that it is broken on normal Windows as well and only works 
coincidentally?

In any case, I can confirm that when the certificate is fetched using some 
other means, the request works:
```
docker run -ti python:3.7-windowsservercore-1809 powershell -command "(New-Object System.Net.WebClient).DownloadString(\"https://google.com\") >$null; python -c \"import urllib.request as r; r.urlopen('https://google.com').close()\""
```

--




[issue36137] SSL verification fails for some sites inside windows docker container

2019-02-27 Thread Mika Fischer


Mika Fischer added the comment:

The easiest workaround I found (on Windows 10) is to use
```
certutil -generateSSTFromWU roots.sst && certutil -addstore -f root roots.sst && del roots.sst
```
before using Python...

--
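
A diagnostic for the failure discussed in this thread, added here as an example and not code from the thread or from CPython: it separates "unable to get local issuer certificate" (OpenSSL verify code 20) from other verification failures and reports how many CA certificates Python actually loaded. The function names are illustrative; the hosts to probe are passed on the command line.

```python
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* codes, exposed as SSLCertVerificationError.verify_code
UNABLE_TO_GET_ISSUER_LOCALLY = 20   # the error in the traceback above
OTHER_CODES = {10: "certificate expired", 18: "self-signed leaf",
               19: "self-signed certificate in chain", 62: "hostname mismatch"}


def windows_store_counts():
    """Entries Python can see per Windows system store (empty dict elsewhere)."""
    if sys.platform != "win32":
        return {}
    # "CA" and "ROOT" are the stores ssl.create_default_context() reads on Windows.
    return {name: len(ssl.enum_certificates(name)) for name in ("CA", "ROOT")}


def diagnose(verify_code, loaded_cas):
    """Map a verification failure to its likely cause."""
    if verify_code == UNABLE_TO_GET_ISSUER_LOCALLY:
        return ("missing-root: none of the %d loaded CA certs anchors this chain; "
                "the root is probably not in the Windows store yet" % loaded_cas)
    return "other: " + OTHER_CODES.get(verify_code, "verify code %d" % verify_code)


def probe(host, port=443, timeout=5.0):
    """Handshake with the default context and classify the outcome."""
    ctx = ssl.create_default_context()
    # On non-Windows platforms this can be 0 because directory-based CAs load lazily.
    loaded = ctx.cert_store_stats()["x509_ca"]
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok: chain verified with %d CA certs loaded" % loaded
    except ssl.SSLCertVerificationError as exc:
        return diagnose(exc.verify_code, loaded)
    except OSError as exc:
        return "network: %s" % exc


if __name__ == "__main__":
    print("Windows stores:", windows_store_counts() or "n/a (not Windows)")
    for h in sys.argv[1:]:
        print(h, "->", probe(h))
```

Running it before and after the `certutil` workaround shows whether the ROOT store count changed and whether a `missing-root` result turned into `ok`.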
