ssl.create_default_context() throws: "ssl.SSLError: [X509] unknown error (_ssl.c:4035)" #108721
Comments
Cc. @pablogsal @Yhg1s
The fact that 3.11.5 now raises an exception is not necessarily a bug. 77e0919 fixed a bug of not raising when appropriate. The claim is that the fix also raises when it should not.
Indeed, thank you for the addition. As far as I can see there is nothing wrong with the certificates and if only one is present everything works as expected. Something seems to be handled differently by OpenSSL when two (or more) of these certificates are present (which may have been always the case) and that is now caught.
Something has to be wrong with these certificates because the new code path is only triggered when there is an error and the error is that the cert could not be verified:
Unfortunately I am awaiting surgery in my hand this week and I cannot take a look at this. @ambv could you take a look if you have some time? In particular it is unclear to me how this code is causing the problem when the code only triggers when OpenSSL tells us that there is an error and that the reason is a failure to verify a certificate.
Initially I thought there must be something wrong with the certificates as well. I have to admit I don't know everything about X509 certificates but I cannot find an error. The only thing I noticed is: they are created within a couple of minutes of each other and the error only occurs when BOTH certificates are present. Individually, when only one is present (doesn't matter which one) everything is working fine.
The last comment from @pablogsal made me think and re-test things. Please ignore my comment about commit 77e0919, the issue is NOT caused by that commit. I'm sorry, my apologies, I didn't double-check everything properly. These are working as expected (do not have this issue): So the latest (pre-release) versions do not have this issue at the moment. Commit 6193f78 is still okay:
The next commit 263d8aa after commit 6193f78 is the first with the issue:
So... I was wrong, in hindsight commit 263d8aa seems to introduce this issue.
Did some further investigation and when I apply the changes from gh-100372 (manually) to So... the fix for this issue seems to be gh-100372 which is in @pablogsal: my apologies if this is a stupid question, but... what is the proper procedure to get gh-100372 into 3.11 as well?
You should request a backport in the PR (I don't have the context for that PR but I think @Yhg1s would know if it makes sense to backport)
Bug report
Checklist
and am confident this bug has not been reported before
CPython versions tested on:
3.11
Operating systems tested on:
Windows
Output from running 'python -VV' on the command line:
Python 3.11.5 (tags/v3.11.5:cce6ba9, Aug 24 2023, 14:38:34) [MSC v.1936 64 bit (AMD64)]
A clear and concise description of the bug:
In one of my systems, this triggers an exception in Python 3.11.5 and works fine in Python 3.11.4:
The exception is:
The cause is a couple of TFS certificates in the Windows "CA" store:
If I remove one of these certificates (doesn't matter which one, I have tested both by removing, reimporting, etc.), the issue goes away.
It looks like commit 77e0919 is causing the issue. I have created a custom build of main with lines 670-673 of Modules/_ssl.c commented out:
When using this custom build (and the two certificates in the store), the issue does not occur.
Attached you'll find a zip with the two certificates (in case anyone is wondering, they are from a sandbox which is no longer in use) and a more elaborate example which finds out which certificates cause an issue by testing them one at a time (originally I had three certificates).
TFS_certs.zip
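An added example, not the reporter's attached script and not CPython's own code: it loads a store's DER certificates the way SSLContext.load_default_certs() does on Windows (all blobs concatenated into one cadata call), then tries them individually and in pairs to isolate certificates that only fail in combination, as in this report. The names windows_store_certs, find_bad_certs and load_der_certs are hypothetical.

```python
import itertools
import ssl
from typing import Callable, Sequence

# A "loader" takes DER certs and raises ssl.SSLError when they cannot be loaded.
Loader = Callable[[Sequence[bytes]], None]


def load_der_certs(certs: Sequence[bytes]) -> None:
    """Load DER certs into a fresh client context in ONE cadata call,
    which is how SSLContext.load_default_certs() feeds the Windows
    store (it concatenates the DER blobs before loading)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=b"".join(certs))


def windows_store_certs(storename: str = "CA") -> list[bytes]:
    """DER certs of a Windows system store. ssl.enum_certificates
    exists on Windows only; hypothetical helper name."""
    return [cert for cert, enc, _trust in ssl.enum_certificates(storename)
            if enc == "x509_asn"]


def _loads(loader: Loader, certs: Sequence[bytes]) -> bool:
    """True if the loader accepts this set of certificates."""
    try:
        loader(certs)
    except ssl.SSLError:
        return False
    return True


def find_bad_certs(certs: Sequence[bytes], loader: Loader = load_der_certs):
    """Return (singles, pairs): indices that fail on their own, and index
    pairs that load fine alone but fail together (the pattern in this
    issue, where only the combination of the two TFS certs raises)."""
    singles = [i for i, c in enumerate(certs) if not _loads(loader, [c])]
    good = [i for i in range(len(certs)) if i not in singles]
    pairs = [(i, j) for i, j in itertools.combinations(good, 2)
             if not _loads(loader, [certs[i], certs[j]])]
    return singles, pairs


if __name__ == "__main__":  # Windows only: diagnose the "CA" store
    store = windows_store_certs("CA")
    alone, together = find_bad_certs(store)
    print(f"{len(store)} certs; fail alone: {alone}; fail together: {together}")
```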