-
-
Notifications
You must be signed in to change notification settings - Fork 30.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ssl socket with certificate verification fails on SHA256 digest algorithm #52730
Comments
When trying a secure connection to an HTTPS server with server certificate verification, I get very strange behaviour when the digest used in the signing certificate is SHA-256 (+RSA). ssl.SSLError: [Errno 1] _ssl.c:480: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm When I tried to reproduce this on Ubuntu Linux, I found that it either failed with the same error or succeeded in case the hashlib was imported before the actual code. I got the same behaviour on Gentoo Linux with Python 2.6.4 and Fedora 11 and Debian unstable with other versions of Python 2.6. Using openssl s_client (openssl s_client -connect sha256.tbs-internet.com:443 -CAfile chain.pem) give no error, so the problem is not directly with openssl. I attach a sample script with the hashlib import commented out. I also add a pem file with certificates needed for the code to check the server certificate. P.S.- I was able to reproduce the same behaviour with another site using SHA-256 base digests. |
Changing OpenSSL initialization to the following seems to fix the issue (with OpenSSL 0.9.8k and 1.0.0): /* Init OpenSSL */
SSL_load_error_strings();
SSL_library_init();
#ifdef WITH_THREAD
/* note that this will start threading if not already started */
if (!_setup_ssl_threads()) {
return;
}
#endif
OpenSSL_add_all_algorithms(); _hashopenssl.c might need that code too, therefore I'm adding gps to the nosy list. |
Here is a patch. I'm not really happy about the test because it relies on an external test site, and the certificate apparently expires in 2011. |
After several attempts, I've failed generating a self-signed certificate that would reproduce the issue without relying on an external server. Perhaps there's something else than simply the hashing algorithm. In any case I think I'm simply gonna keep the current patch. |
That patch makes no sense. According to SSL_library_init(3SSL), "OpenSSL_add_ssl_algorithms() and SSLeay_add_ssl_algorithms() are synonyms for SSL_library_init()" So it shouldn't really matter which of these you call, and it should be sufficient to call only one of them (or the documentation is incorrect). |
The patch calls OpenSSL_add_all_algorithms(), though. |
Ah, ok. The patch looks fine to me, then. |
Fixed in r80314 (trunk), r80316 (2.6), r80317 (py3k), r80318 (3.1). Thank you! |
Probably test case will fail is sha256 module is not loaded - openssl versions before 0.9.8 |
Yes, this has been fixed in r80375. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: