"tlsv1 alert unknown ca" for builtin SSL #1509
Comments
It looks @jaraco what's your opinion?
I'm not sure when I'll get the time to look at this. Feel free to devise a solution and we can evaluate it or roll it out for comment.
Similar/duplicate: #1155
@webknjaz indeed, seems the problem is deeper..
@Safihre so did you find a cure?
And probably doesn't fix the problem in #1155.
Turns out Safari on macOS also throws this error, but during the handshake when self-signed certificates are used:
Requires another catch of the exception:
@Safihre is this still happening with the newest Cheroot? (master)
Well, yes and no. We are back to this one:
2019-06-23 11:45:27,812::WARNING::[_cplogging:216] [23/Jun/2019:11:45:27] ENGINE socket.error 1
Traceback (most recent call last):
File "C:\Users\Saf\Documents\GitHub\tests\py3\lib\site-packages\cheroot\server.py", line 1263, in communicate
req.parse_request()
File "C:\Users\Saf\Documents\GitHub\tests\py3\lib\site-packages\cheroot\server.py", line 719, in parse_request
success = self.read_request_line()
File "C:\Users\Saf\Documents\GitHub\tests\py3\lib\site-packages\cheroot\server.py", line 760, in read_request_line
request_line = self.rfile.readline()
File "C:\Users\Saf\Documents\GitHub\tests\py3\lib\site-packages\cheroot\server.py", line 302, in readline
data = self.rfile.readline(256)
File "C:\Users\Saf\AppData\Local\Programs\Python\Python37\Lib\_pyio.py", line 513, in readline
b = self.read(nreadahead())
File "C:\Users\Saf\AppData\Local\Programs\Python\Python37\Lib\_pyio.py", line 492, in nreadahead
readahead = self.peek(1)
File "C:\Users\Saf\AppData\Local\Programs\Python\Python37\Lib\_pyio.py", line 1076, in peek
return self._peek_unlocked(size)
File "C:\Users\Saf\AppData\Local\Programs\Python\Python37\Lib\_pyio.py", line 1083, in _peek_unlocked
current = self.raw.read(to_read)
File "C:\Users\Saf\AppData\Local\Programs\Python\Python37\Lib\socket.py", line 589, in readinto
return self._sock.recv_into(b)
File "C:\Users\Saf\AppData\Local\Programs\Python\Python37\Lib\ssl.py", line 1052, in recv_into
return self.read(nbytes, buffer)
File "C:\Users\Saf\AppData\Local\Programs\Python\Python37\Lib\ssl.py", line 911, in read
return self._sslobj.read(len, buffer)
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:2488)
@Safihre even with the latest urllib3?
This is when I connect using Chrome and Firefox with a self-signed certificate on the server.
Seems like another one to add to the
@Safihre not exactly. According to the traceback you posted, this exception happens at a later stage (after the TLS handshake), so changing this variable won't change anything. I assume your example uses TLS 1.3, which allows post-handshake certificate validation. One of the instances of this problem is described at urllib3/urllib3#1537. I think you can check this by disabling

P.S. A while back I discovered this wonderful library http://trustme.readthedocs.io/ which allows you to test things without manually generating self-signed certificates, which is close to what you have IRL. You can use that and try modifying

Ref: https://tools.ietf.org/html/rfc8446#section-4.2.6 / https://tools.ietf.org/html/rfc8446#section-4.6.2

Based on this, I think we can close this issue and create another one under Cheroot to address specifically the TLS 1.3 post-handshake auth case.
Agreed, sounds good! 👍
As described in #1497, there is still 1 bug left when using server.ssl_module: 'builtin'. When Firefox connects for the first time to a server that has a self-signed certificate, FF will show the unsafe-server page, but on the server this happens (using unmodified CherryPy 8.1.0):

This happens on both Python 2.7 and 3.5 on Win10 and Ubuntu.

I created a patch (link) to catch this error, which will work on Python 2.7, but not on Python 3.5 since it doesn't use the CP_makefile_PY2. Maybe you know a better solution which will also work on Python 3? Maybe wrap the self._sock.recv(size) function for the builtin SSL module to catch such errors?
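An added example, not CherryPy or Cheroot code, of the recv() wrapper the issue proposes for the builtin adapter: it classifies an ssl.SSLError by its OpenSSL reason code, treats the client-side certificate alerts quoted in this thread (unknown CA, bad certificate) as the client simply closing the connection, and re-raises anything else. The reason set, the helper names and the fake socket are assumptions constructed for the example; the alert names come from the tracebacks above.

```python
import re
import ssl

# Alerts meaning the *client* rejected our self-signed / unknown-CA cert.
# This set is an assumption built from the alerts quoted in this thread.
CLIENT_CERT_REJECTION_REASONS = frozenset({
    "TLSV1_ALERT_UNKNOWN_CA",
    "SSLV3_ALERT_BAD_CERTIFICATE",
    "SSLV3_ALERT_CERTIFICATE_UNKNOWN",
})
# OpenSSL messages look like "[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert ..."
_REASON_RE = re.compile(r"\[SSL: ([A-Z0-9_]+)\]")

def ssl_error_reason(exc):
    """OpenSSL reason code of an ssl.SSLError, or None.
    Errors raised by the C layer carry ``exc.reason``; errors built in
    Python (e.g. in tests) only have it in the message, so parse that."""
    reason = getattr(exc, "reason", None)
    if reason:
        return reason
    match = _REASON_RE.search(str(exc))
    return match.group(1) if match else None

def is_client_cert_rejection(exc):
    return ssl_error_reason(exc) in CLIENT_CERT_REJECTION_REASONS

def recv_tolerating_cert_alerts(sock, size):
    """recv() wrapper for the builtin adapter: a certificate alert from
    the peer becomes a clean EOF (b"") instead of an unhandled exception;
    every other SSLError is re-raised so real failures still get logged."""
    try:
        return sock.recv(size)
    except ssl.SSLError as exc:
        if is_client_cert_rejection(exc):
            return b""
        raise

def make_ssl_error(message):
    """Build an SSLError like the C layer's message, minus ``.reason``."""
    return ssl.SSLError(1, message)

class FakeSSLSocket:
    """Constructed stand-in for a wrapped socket: raises or returns data."""
    def __init__(self, exc=None, data=b""):
        self._exc, self._data = exc, data
    def recv(self, size):
        if self._exc is not None:
            raise self._exc
        return self._data[:size]
```

Because the alert arrives while the server is already reading the request line (as the traceback shows), wrapping the read rather than the handshake is what catches it, which is also why this applies to the TLS 1.3 post-handshake case mentioned above.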