CERTIFICATE_VERIFY_FAILED with 2.5.2, works with 2.5.1

[rmcgibbo]

I'm having a somewhat odd issue. A get() request seems to work fine with requests-2.5.1, but after upgrading to requests 2.5.2, the same URL leads to CERTIFICATE_VERIFY_FAILED. cc @mpharrigan

$ pip install requests==2.5.1
[ ... snip, installs just fine ...]

$ python -c 'import requests; print(requests.get("http://conda.binstar.org/omnia/linux-64/fftw3f-3.3.3-1.tar.bz2"))'
<Response [200]>

$ pip install requests==2.5.2
[ ... snip, installs just fine ...]

$ python -c 'import requests; print(requests.get("http://conda.binstar.org/omnia/linux-64/fftw3f-3.3.3-1.tar.bz2"))'
Traceback (most recent call last):
  File "/Users/rmcgibbo/miniconda/envs/3.4.2/lib/python3.4/site-packages/requests/packages/urllib3/connectionpool.py", line 544, in urlopen
    body=body, headers=headers)
  File "/Users/rmcgibbo/miniconda/envs/3.4.2/lib/python3.4/site-packages/requests/packages/urllib3/connectionpool.py", line 341, in _make_request
    self._validate_conn(conn)
  File "/Users/rmcgibbo/miniconda/envs/3.4.2/lib/python3.4/site-packages/requests/packages/urllib3/connectionpool.py", line 762, in _validate_conn
    conn.connect()
  File "/Users/rmcgibbo/miniconda/envs/3.4.2/lib/python3.4/site-packages/requests/packages/urllib3/connection.py", line 238, in connect
    ssl_version=resolved_ssl_version)
  File "/Users/rmcgibbo/miniconda/envs/3.4.2/lib/python3.4/site-packages/requests/packages/urllib3/util/ssl_.py", line 256, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/Users/rmcgibbo/miniconda/envs/3.4.2/lib/python3.4/ssl.py", line 364, in wrap_socket
    _context=self)
  File "/Users/rmcgibbo/miniconda/envs/3.4.2/lib/python3.4/ssl.py", line 578, in __init__
    self.do_handshake()
  File "/Users/rmcgibbo/miniconda/envs/3.4.2/lib/python3.4/ssl.py", line 805, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)

During handling of the above exception, another exception occurred:
[... snip ...]

[rmcgibbo]

FWIW, this is with python 3.4.2 and OS X 10.10.

[sigmavirus24]

@t-8ch seems related to the urllib3 patch to disable built-in hostname verification possibly.

[rmcgibbo]

Would it be helpful for me to run a git-bisect or something?

[sigmavirus24]

Not really. The change is upstream of us. Thanks for the bug though.

[t-8ch]

@sigmavirus24 I would rather blame the new ciphersuite or cert bundle (not tested)

[Lukasa]

Could easily be the new cert bundle.

[Lukasa]

I'm assuming that you hand-typed that code @rmcgibbo? The reason I ask is because you're accessing HTTP urls there.

[Lukasa]

I cannot reproduce this on my copy of 2.5.2.

[Lukasa]

That suggests it's not the cert bundle.

[t-8ch]

@Lukasa I can now reproduce it, the URLs are right, there seems to be an redirect

[Lukasa]

So there is. I still can't reproduce though.

[t-8ch]

@Lukasa Are you running from a git checkout? It works for me there to, but not from a wheel, will try a sdist

[Lukasa]

Nope, from a wheel.

Python 2.7.9 (default, Dec 19 2014, 06:00:59) 
[GCC 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.__version__
'2.5.2'
>>> requests.__file__
'/usr/local/lib/python2.7/site-packages/requests/__init__.pyc'
>>> r = requests.get("http://conda.binstar.org/omnia/linux-64/fftw3f-3.3.3-1.tar.bz2")
>>> r.status_code
200
>>> r.url
u'https://binstar-cio-packages-prod.s3.amazonaws.com/531fd36fe1dad154c8ea89c5/54b0d1045e76836c22735094?Signature=JRp8nPqRc6wXijqGg5JjDnIytz8%3D&Expires=1424763499&AWSAccessKeyId=ASIAIIYL6XQN5BMSPEFA&response-content-disposition=attachment%3B%20filename%3Dfftw3f-3.3.3-1.tar.bz2&response-content-type=application/x-tar&x-amz-security-token=AQoDYXdzEM///////////wEa4APi0P1wChyd8cFWFddkWZVgQYQQPAli9WBPWotWMA77n%2BqFSO92c2mb607CMadC7Jdo21sJVmtuKu4gM2vQhzX8Uy8NXWHtrBpkAgulTshstH1oFEcrkfV2wVtcxiHPrWTrEw7UTHAqDBQppLNHIHTQjs%2Bks0d/yQ//i6iCJTulVjNUWsXv%2BGre%2BMX2s%2BetTldscc2vbHsrzLG%2BvlOGrKbgUaDzLHWa7RgA6z4DxJdu0inmSPGIoV02fFonVRrwjI3qUrw50dmIFIW5SFxN9XYnDnXf1DiJ2b3vKnrj9I%2BYEY%2ByP5pHpSWvF%2BIRrmBDX6KHf4QKF5%2Bo01Y2Oeqq%2BhQncFFdEt6QBU6Eqa%2B3kb6iwdJdPAXr7HOgd5TugixLDNnKaWuF%2B1grizrD8Drz6nYhb0sgZjazDmjNSFpNXwCyYDWQNNIL7o13Sh6q2fB8sWD5oCEJu22HB4CWBxq3AC/APi86cPSZ/5RiRnv2pz%2BBB7HGNwTZveJaSfSX9ZR2pq6oZOT5kpP2aJrj4wwvE7BC0kf%2B2au4B%2BGH5uHNZvm42%2BwWophhx9NcIjdX/F9g%2B8cnkrx9nooNcB%2BVzxgXZG%2BCzPuhdFbcRFzWaqz0W/T5eJWVpmCIcKpGlIibqcwAjGAg16%2BwpwU%3D'

[Lukasa]

Potentially also relevant:

>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.0.2 22 Jan 2015'

[t-8ch]

It seems to be the bundle.

[Lukasa]

@t-8ch What makes you say that?

[t-8ch]

It works with the old one and does not with the new one, also it works with my system bundle.
(requests and curl)

[Lukasa]

Aha, yep, can now reproduce. Don't know what I was doing differently before. =(

[Lukasa]

So the cert chain is:

 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.s3.amazonaws.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

[Lukasa]

That Class 3 Public Primary Certification Authority - G5 certificate is in the bundle. The one Mozilla uses as its trust root when I access the page in Firefox is definitely 100% in that bundle. Serial numbers match and everything.

[Lukasa]

Weirdly though, if I pass that certificate to curl to use to validate the connection, it doesn't like it.

[Lukasa]

A warning that so far I've not been able to reproduce this in requests on either Windows or OS X, presumably because their built in cert-stores are saving the day.

[Lukasa]

Also, running openssl s_client seems to have no problems with that bundle:

ubuntu@cb2ubuntu:~/garpd$ cat /usr/local/lib/python2.7/dist-packages/requests/__init__.py | grep version
__version__ = '2.5.2'

ubuntu@cb2ubuntu:~/garpd$ openssl s_client -CApath /usr/local/lib/python2.7/dist-packages/requests/cacert.pem -connect binstar-cio-packages-prod.s3.amazonaws.com:443                                                                                                                [8/8]
CONNECTED(00000003)
depth=3 C = US, O = "VeriSign, Inc.", OU = Class 3 Public Primary Certification Authority
verify return:1
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify return:1
depth=1 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = Terms of use at https://www.verisign.com/rpa (c)10, CN = VeriSign Class 3 Secure Server CA - G3
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = Amazon.com Inc., CN = *.s3.amazonaws.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.s3.amazonaws.com
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
 1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFQTCCBCmgAwIBAgIQGHBX7tZDXzmvfSkeROrx7DANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykxMDEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzMwHhcNMTQwNDA5
MDAwMDAwWhcNMTUwNDA5MjM1OTU5WjBrMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
V2FzaGluZ3RvbjEQMA4GA1UEBxQHU2VhdHRsZTEYMBYGA1UEChQPQW1hem9uLmNv
bSBJbmMuMRswGQYDVQQDFBIqLnMzLmFtYXpvbmF3cy5jb20wggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCyIdaCeebmUg7oowAEkJOGAkE9KA7f/Kpsbexn
sD0v/W2Hbq7Kmys8LD9bs6RX4YNIr/Cx0i4gQlymmVXy/OhgrvSpl/lbmHzFXF30
UF2/L6NWkbkca2QbmolYBjYHngblx/gRQw6XGSui2Ql8q6W5IOz1EyHUZOhcr5W8
x76JtY4r5/uav+2WO9pgtGEL4aROQfE7R/399OvkUCabcTvaG9N0TMBLTdB/mWyD
GlnHSwWl67lH1HPr429iz/2cPP7l3eq1V1PNq25w5JCV2kySmq5d0XKt4cy5mMh/
Og2vcwyj31u8B4fzyGWxQAXLs10wWF9xdVNHrJwoBD9jeiWDAgMBAAGjggGUMIIB
kDAJBgNVHRMEAjAAMEMGA1UdIAQ8MDowOAYKYIZIAYb4RQEHNjAqMCgGCCsGAQUF
BwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vY3BzMEUGA1UdHwQ+MDwwOqA4
oDaGNGh0dHA6Ly9TVlJTZWN1cmUtRzMtY3JsLnZlcmlzaWduLmNvbS9TVlJTZWN1
cmVHMy5jcmwwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB8GA1UdIwQY
MBaAFA1EXBZTRMGCfh0gqyX0AWPYvnmlMHYGCCsGAQUFBwEBBGowaDAkBggrBgEF
BQcwAYYYaHR0cDovL29jc3AudmVyaXNpZ24uY29tMEAGCCsGAQUFBzAChjRodHRw
Oi8vU1ZSU2VjdXJlLUczLWFpYS52ZXJpc2lnbi5jb20vU1ZSU2VjdXJlRzMuY2Vy
MA4GA1UdDwEB/wQEAwIFoDAvBgNVHREEKDAmghIqLnMzLmFtYXpvbmF3cy5jb22C
EHMzLmFtYXpvbmF3cy5jb20wDQYJKoZIhvcNAQEFBQADggEBAD2yDlI/JHDW9LNT
rsvy1lnS8H0IT8Zc+z9Imd5zEEqBs2G1beCtM9U4o/MDEao95DWfRck3Gx428fPv
bsabSwJHtSpGLQiWi/UwnxN0p5Lz6tQVaglBqlsvm4ZGHdS94hSaYwd4nUZ+Wpo8
hhCk44lVjwD0hTqr4G08XQiS/mlOY2422zo6+ULw+YG6ocMtVTe+VsL3V7dLRYgN
wV15Z5GLL4f50hbUHQAjdFHMtDkIQTWu0l7SJB6ueQBxoBNJoHC89IZMom0Oy9WL
1UNYgBTsad76ql/K3feTPJodalB1RXbEwSgc4pAC1/rtlfoZewZvNqANMxYc7k7G
ufhUTyk=
-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Seattle/O=Amazon.com Inc./CN=*.s3.amazonaws.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 Secure Server CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 4632 bytes and written 455 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-SHA
    Session-ID: 65EDD443247002AE9E1DCBE70147AA14DF818C026DD0DC3A07575DEEEFA01895
    Session-ID-ctx:
    Master-Key: 4814563FB3450B10F25DB657DC158FFF4CE9B1601057F3CB552BC5B881D40FD2FA97F8B8A0BCB86B6E1D830C3D647299
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1424769860
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

[Lukasa]

But cert verification definitely fails with requests. So that's perplexing.

[t-8ch]

At least we get the same leaf cert with s_client and requests.

[Lukasa]

@t-8ch To verify: does your bundle succeed with s_client?

[t-8ch]

Now I am really confused:

[t-8ch]

Installed from wheel:

py2 + 2.5.1: works
py3.3 + 2.5.1: works
py3.4 + 2.5.1: works

py2 + 2.5.2: breaks
py3.3 + 2.5.2: breaks
py3.4 + 2.5.2: breaks

Git checkout:

py2 + 2.5.1: works
py3 + 2.5.1: works

py2 + 2.5.2: breaks
py3.3 + 2.5.2: breaks
py3.4 + 2.5.2: works

[t-8ch]

All on linux with 3.4.2 and 2.7.9

[Lukasa]

@asmeurer I wasn't clear enough: I think we should write such a tool.

[Glandos]

Hi, sorry to add my experience, even if I can't take the time to read all of this.
I'm currently using pip and requests on SLES11SP3, and installing packages (or fetching the homepage of PyPI) fails unless I removed the last certificate in the cacert.pem

Yes.

It sounds amazing, but for me, it worked, and I really don't have a clue why. For information, here is the last certificate in the cacert.pem:

    # Issuer: CN=TWCA Global Root CA O=TAIWAN-CA OU=Root CA
    # Subject: CN=TWCA Global Root CA O=TAIWAN-CA OU=Root CA
    # Label: "TWCA Global Root CA"
    # Serial: 3262
    # MD5 Fingerprint: f9:03:7e:cf:e6:9e:3c:73:7a:2a:90:07:69:ff:2b:96
    # SHA1 Fingerprint: 9c:bb:48:53:f6:a4:f6:d3:52:a4:e8:32:52:55:60:13:f5:ad:af:65
    # SHA256 Fingerprint: 59:76:90:07:f7:68:5d:0f:cd:50:87:2f:9f:95:d5:75:5a:5b:2b:45:7d:81:f3:69:2b:61:0a:98:67:2f:0e:1b
    -----BEGIN CERTIFICATE-----
    MIIFQTCCAymgAwIBAgICDL4wDQYJKoZIhvcNAQELBQAwUTELMAkGA1UEBhMCVFcx
    EjAQBgNVBAoTCVRBSVdBTi1DQTEQMA4GA1UECxMHUm9vdCBDQTEcMBoGA1UEAxMT
    VFdDQSBHbG9iYWwgUm9vdCBDQTAeFw0xMjA2MjcwNjI4MzNaFw0zMDEyMzExNTU5
    NTlaMFExCzAJBgNVBAYTAlRXMRIwEAYDVQQKEwlUQUlXQU4tQ0ExEDAOBgNVBAsT
    B1Jvb3QgQ0ExHDAaBgNVBAMTE1RXQ0EgR2xvYmFsIFJvb3QgQ0EwggIiMA0GCSqG
    SIb3DQEBAQUAA4ICDwAwggIKAoICAQCwBdvI64zEbooh745NnHEKH1Jw7W2CnJfF
    10xORUnLQEK1EjRsGcJ0pDFfhQKX7EMzClPSnIyOt7h52yvVavKOZsTuKwEHktSz
    0ALfUPZVr2YOy+BHYC8rMjk1Ujoog/h7FsYYuGLWRyWRzvAZEk2tY/XTP3VfKfCh
    MBwqoJimFb3u/Rk28OKRQ4/6ytYQJ0lM793B8YVwm8rqqFpD/G2Gb3PpN0Wp8DbH
    zIh1HrtsBv+baz4X7GGqcXzGHaL3SekVtTzWoWH1EfcFbx39Eb7QMAfCKbAJTibc
    46KokWofwpFFiFzlmLhxpRUZyXx1EcxwdE8tmx2RRP1WKKD+u4ZqyPpcC1jcxkt2
    yKsi2XMPpfRaAok/T54igu6idFMqPVMnaR1sjjIsZAAmY2E2TqNGtz99sy2sbZCi
    laLOz9qC5wc0GZbpuCGqKX6mOL6OKUohZnkfs8O1CWfe1tQHRvMq2uYiN2DLgbYP
    oA/pyJV/v1WRBXrPPRXAb94JlAGD1zQbzECl8LibZ9WYkTunhHiVJqRaCPgrdLQA
    BDzfuBSO6N+pjWxnkjMdwLfS7JLIvgm/LCkFbwJrnu+8vyq8W8BQj0FwcYeyTbcE
    qYSjMq+u7msXi7Kx/mzhkIyIqJdIzshNy/MGz19qCkKxHh53L46g5pIOBvwFItIm
    4TFRfTLcDwIDAQABoyMwITAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB
    /zANBgkqhkiG9w0BAQsFAAOCAgEAXzSBdu+WHdXltdkCY4QWwa6gcFGn90xHNcgL
    1yg9iXHZqjNB6hQbbCEAwGxCGX6faVsgQt+i0trEfJdLjbDorMjupWkEmQqSpqsn
    LhpNgb+E1HAerUf+/UqdM+DyucRFCCEK2mlpc3INvjT+lIutwx4116KD7+U4x6WF
    H6vPNOw/KP4M8VeGTslV9xzU2KV9Bnpv1d8Q34FOIWWxtuEXeZVFBs5fzNxGiWNo
    RI2T9GRwoD2dKAXDOXC4Ynsg/eTb6QihuJ49CcdP+yz4k3ZB3lLg4VfSnQO8d57+
    nile98FRYB/e2guyLXW3Q0iT5/Z5xoRdgFlglPx4mI88k1HtQJAH32RjJMtOcQWh
    15QaiDLxInQirqWm2BJpTGCjAu4r7NRjkgtevi92a6O2JryPA9gK8kxkRr05YuWW
    6zRjESjMlfGt7+/cgFhI6Uu46mWs6fyAtbXIRfmswZ/ZuepiiI7E8UuDEq3mi4TW
    nsLrgxifarsbJGAzcMzs9zLzXNl5fe+epP7JI8Mk7hWSsT2RTyaGvWZzJBPqpK5j
    wa19hAM8EHiGG3njxPPyBJUgriOCxLM6AGK/5jYk4Ve6xx6QddVfP5VhK8E7zeWz
    aGHQRiapIVJpLesux+t3zqY6tQMzT3bR51xUAV3LePTJDL/PEo4XLSNolOer/qmy
    KwbQBM0=
    -----END CERTIFICATE-----

[sigmavirus24]

@Glandos I'm not certain the issue you're having is the same as is being discussed here.

[sigmavirus24]

On a related note, I think we should change the issue title.

[Glandos]

OK I've opened a new issue then, in #2541.

[Lukasa]

Ok, this is utterly craptastic.

I'd hoped to be able to programmatically find the cross-signed roots by examining the bundles, but in practice that doesn't work. I think I'll need to do this by hand: emit the certs that were removed and those that were added, and look for those that are plausibly cross-signing related. This sucks pretty hard.

[Lukasa]

/cc @kennethreitz: this is the issue that tracks the work we need to do for certifi, btw.

[Lukasa]

Alright, fuck that. Here's my new plan.

The following are the Mozilla issues that track the removal of 1024 bit certs that I could find:

• 856718
• 881553
• 936105
• 936304
• 986005
• 986014
• 986019
• 1155279

I plan to identify every certificate that was removed by these purges and check whether any of them are in the current requests cert bundle. If they are, I plan to restore them to the new certifi bundle.

Does anyone think this plan is bad? @reaperhulk @dstufft @alex @sigmavirus24

[dstufft]

What's the long term plan for getting rid of them? Certainly that plan is better than just not updating the bundle, but those certificates were removed for reason. With them no longer in the Mozilla bundle, Mozilla is no longer going to be monitoring those certificates for bad-ness so it feels like, in the long term, keeping them around is a bad scene.

[Lukasa]

My plan is as follows:

1. Ship a certifi that includes the new certs and the old.
2. (A month or two away) Ship a certifi that has two bundles: only the new, and then one containing the new and the old. Use the new by default, but have programmatic fallback to the old.
3. (Several months after) Remove the fallback to the old.

Thoughts?

[Lukasa]

(Oh, btw, requests will probably stay on step 1 of that plan until step 3 lands in certifi).

[Lukasa]

Ok, in practice 881553 appears to contain the full list. Applying that list to the old cacerts.pem from requests found 14 certificates currently in the bundle that are not in what mkcert.org produces. They are shown here.

I believe re-adding these certificates will fix our problem.

[Lukasa]

(Oh, /cc @t-8ch as well).

[dstufft]

That plan sounds reasonable to me then, as long as we have a plan for it and we're not just adding the certificates back and YOLO.

[Lukasa]

I plan to solidify those fuzzy 'month or so' measurements into definite dates, before we release.

[Lukasa]

Alright, the 'fixed' (s/fixed/ruined/) bundle is at certifi/python-certifi#20. I don't want to merge it yet, but it would be good if people would play about with it.

[Lukasa]

Can everyone affected in this thread please download the latest certifi bundle and confirm that it works/does not work with your particular problem website? Absent any feedback from you, that bundle will go into the next minor release of requests after 2.7.0, so it's in your best interests to confirm that the bundle functions appropriately for you.

[asmeurer]

What's the best way to do that? If I install certifi will requests use that instead of its built-in bundle?

[Lukasa]

Yes it will.

On 4 May 2015, at 19:57, Aaron Meurer notifications@github.com wrote:

What's the best way to do that? If I install certifi will requests use that instead of its built-in bundle?

—
Reply to this email directly or view it on GitHub.

[asmeurer]

OK, I cloned the master of python-certifi and used PYTHONPATH=. in that directory and the conda/binstar channels still seem to work (so does the OP of this thread).

[Lukasa]

This actual bug is fixed, so we don't need to keep this issue open. The longer term plan can be dealt with elsewhere.

[pendor]

For what it's worth, I was getting this intermittently on one of two hosts. Difference was OpenSSL version. OpenSSL v1.0.1m failed intermittently. Upgrading to v1.0.2e (and recompiling Python v3.4.3 (this is Gentoo, we compile EVERYTHING!)) made the problem go away.