
We have this local site which has recently just updated its certificate. I saved the certificates in a certs.pem file and tried to connect to it with some tools. The operations below were done on an Ubuntu 14.10 box.

When I run:

openssl s_client -connect mylocalsite:8080 -verify 9 -CAfile certs.pem

I get Verify return code: 0 (ok), then I run:

wget https://mylocalsite:8080 --ca-certificate=certs.pem

I get:

--2016-06-15 01:53:00-- https://mylocalsite:8080/
Resolving mylocalsite (mylocalsite)... 10.41.13.26
Connecting to mylocalsite (mylocalsite)|10.41.13.26|:8080... connected.

So the certificate seems to work OK, then I use requests 2.10.0 with Python 3.4.3 on the same box:

import requests
requests.get('https://mylocalsite:8080', verify='/path/to/certs.pem')

I get:

requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)

I'm completely new to SSL related things. What could possibly go wrong here?

Thanks!

Wang Dingwei
Could be related to this http://stackoverflow.com/questions/34085552/sslerror-bad-handshake-python-requests – dmitryro Jun 15 '16 at 09:19

1 Answer


Looks like openssl s_client -connect is happy with "only" having the correct certificate but you need to pass the whole chain to requests' verify parameter (though both are using the same library under the hood, of course).

SSL support in requests needs some serious revamp (and it's being worked on AFAIK).

luv
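Added example, not part of the original answer or of requests: a standard-library Python check of whether a PEM bundle such as certs.pem contains, for every certificate in it, the issuer's certificate up to a self-signed root. It compares issuer and subject names only and verifies no signatures; the function names and the script name check_bundle.py are assumptions made for this example.

```python
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def names(der):
    """Return (subject, issuer) of one certificate as raw DER Name bytes."""
    _, pos, _ = _tlv(der, 0)          # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)        # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)      # [0] version, or serialNumber in v1
    if tag == 0xA0:
        _, _, end = _tlv(der, end)    # serialNumber follows the version
    _, _, issuer_at = _tlv(der, end)  # skip signature AlgorithmIdentifier
    _, _, validity_at = _tlv(der, issuer_at)
    _, _, subject_at = _tlv(der, validity_at)
    _, _, subject_end = _tlv(der, subject_at)
    return der[subject_at:subject_end], der[issuer_at:validity_at]


def chain_report(pem_text):
    """Name-level check: is every certificate's issuer present in the bundle?"""
    certs = [names(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    subjects = {subject for subject, _ in certs}
    missing = [i for i, (subject, issuer) in enumerate(certs)
               if issuer != subject and issuer not in subjects]
    roots = [i for i, (subject, issuer) in enumerate(certs)
             if issuer == subject]
    return {"count": len(certs), "self_signed": roots,
            "issuer_missing": missing,
            "complete": bool(certs) and bool(roots) and not missing}


if __name__ == "__main__":
    # Assumed usage: python3 check_bundle.py certs.pem
    with open(sys.argv[1]) as fh:
        print(chain_report(fh.read()))
```

Indexes in "issuer_missing" are positions in the bundle of certificates whose issuer is not in the file; those issuers are what still has to be appended to the file passed as verify.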