[issue27970] ssl: can't verify a trusted site with imcomplete certificate chain

Change by Greg Lindahl : -- nosy: +wumpus ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python

[issue27970] ssl: can't verify a trusted site with imcomplete certificate chain

lilydjwg added the comment: I understand now, thank you! It's much easier to work around such issues than fix other people's sites. -- ___ Python tracker ___

[issue27970] ssl: can't verify a trusted site with imcomplete certificate chain

Christian Heimes added the comment: >From https://www.ssllabs.com/ssltest/analyze.html?d=miaosss.top Chain issuesIncomplete Extra download COMODO RSA Domain Validation Secure Server CA Python does not support extra downloads of incomplete chains. The server must return the EE cert and al

[issue27970] ssl: can't verify a trusted site with imcomplete certificate chain

lilydjwg added the comment: Please read my code. I've provided the CA certificate; this should work because I've downloaded the certificate manually and feed it to Python. openssl command line tool works. gnutls-cli works too. wget (with openssl) works too. curl (with openssl) fails like Pytho

[issue27970] ssl: can't verify a trusted site with imcomplete certificate chain

Christian Heimes added the comment: Yes, that is to be expected. Python does not use AIA to fetch missing certs. The server must return all intermediate certs. Browsers have workarounds and local caches, Python doesn't. Other tools like curl behave the same. -- nosy: +christian.heimes

[issue27970] ssl: can't verify a trusted site with imcomplete certificate chain

New submission from lilydjwg: This fails: Python 3.5.2 (default, Jun 28 2016, 08:46:01) [GCC 6.1.1 20160602] on linux Type "help", "copyright", "credits" or "license" for more information. >>> import ssl >>> import socket >>> s = socket.socket() >>> c = >>> ssl.create_default_context(cafile='CO