ssl.get_server_certificate() does not work for IPv6 addresses #56020
Comments
ssl.get_server_certificate() does not work for IPv6 addresses:
>>> ssl.get_server_certificate( ("2001:888:2003:1004:c2ff:eeff:fe00:133",443))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/ssl.py", line 403, in get_server_certificate
    s.connect(addr)
  File "/usr/lib64/python2.7/ssl.py", line 292, in connect
    socket.connect(self, addr)
  File "/usr/lib64/python2.7/socket.py", line 222, in meth
    return getattr(self._sock,name)(*args)
socket.gaierror: [Errno -9] Address family for hostname not supported

Confirmed. In the meantime, you can connect manually using socket.create_connection():
>>> import ssl, socket
>>> conn = socket.create_connection(("2001:888:2003:1004:c2ff:eeff:fe00:133", 443))
>>> sock = ssl.wrap_socket(conn)
>>> ssl.DER_cert_to_PEM_cert(sock.getpeercert(True))

A patch is attached, along with corresponding test.

Hello,
is_ipv6_enabled.diff is fine.
======================================================================
Traceback (most recent call last):
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 630, in test_get_server_certificate
    _test_get_server_certificate('ipv6.google.com', 443)
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 622, in _test_get_server_certificate
    pem = ssl.get_server_certificate((host, port), ca_certs=SVN_PYTHON_ORG_ROOT_CERT)
  File "/home/antoine/cpython/default/Lib/ssl.py", line 548, in get_server_certificate
    cert_reqs=cert_reqs, ca_certs=ca_certs)
  File "/home/antoine/cpython/default/Lib/ssl.py", line 498, in wrap_socket
    ciphers=ciphers)
  File "/home/antoine/cpython/default/Lib/ssl.py", line 255, in __init__
    raise x
  File "/home/antoine/cpython/default/Lib/ssl.py", line 251, in __init__
    self.do_handshake()
  File "/home/antoine/cpython/default/Lib/ssl.py", line 430, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [Errno 1] _ssl.c:389: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I think you should simply use ca_certs=None when testing with the Google

Of course.
Since IPv6 capability is unlikely to change in the middle of a test, I replaced the function is_ipv6_enabled() by a boolean IPV6_ENABLED. That way, it's closer to socket.has_ipv6, and spares a socket creation/bind/close at each call.

New changeset 0518f32cb747 by Antoine Pitrou in branch 'default':
New changeset d3166c359714 by Antoine Pitrou in branch 'default':

Committed, thank you!

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
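
The failure and the workaround from this thread, as an added Python 3 example that is not part of the original issue or the CPython patch: `connect_inet_only` uses a socket whose family is fixed to AF_INET and raises the same `gaierror` for an IPv6 literal, `connect_any_family` uses `socket.create_connection()` as in the workaround, and `IPV6_ENABLED` is probed once. All function names are hypothetical, and `fetch_server_cert_pem` skips validation in the same way `ca_certs=None` does.

```python
import socket
import ssl


def probe_ipv6(addr="::1"):
    """One socket create/bind/close to see whether IPv6 is usable here."""
    if not socket.has_ipv6:
        return False
    try:
        with socket.socket(socket.AF_INET6, socket.SOCK_STREAM) as s:
            s.bind((addr, 0))
        return True
    except OSError:
        return False


# Evaluated once at import, like the boolean described in the thread.
IPV6_ENABLED = probe_ipv6()


def connect_inet_only(addr, timeout=5.0):
    """Failure mode from the report: the socket family is fixed to AF_INET."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(addr)  # an IPv6 literal raises socket.gaierror here
    except OSError:
        s.close()
        raise
    return s


def connect_any_family(addr, timeout=5.0):
    """socket.create_connection() resolves addr and picks the family."""
    return socket.create_connection(addr, timeout=timeout)


def fetch_server_cert_pem(addr, timeout=5.0, connect=connect_any_family):
    """Return the peer certificate as PEM. It is NOT validated (CERT_NONE),
    so treat the result as untrusted input, e.g. for pinning comparison."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with connect(addr, timeout) as conn:
        with ctx.wrap_socket(conn, server_hostname=addr[0]) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(True))
```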