ssl.get_server_certificate() does not work for IPv6 addresses

[pwouters]

BPO	11811
Nosy	@pitrou
Files	ssl_ipv6.diff: patch adding IPv6 support is_ipv6_enabled.diff: IPV6_ENABLED support

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2011-04-28.17:26:48.103>
created_at = <Date 2011-04-09.21:18:19.972>
labels = ['easy', 'type-feature', 'library']
title = 'ssl.get_server_certificate() does not work for IPv6 addresses'
updated_at = <Date 2011-04-28.17:26:48.101>
user = 'https://bugs.python.org/pwouters'

bugs.python.org fields:

activity = <Date 2011-04-28.17:26:48.101>
actor = 'pitrou'
assignee = 'none'
closed = True
closed_date = <Date 2011-04-28.17:26:48.103>
closer = 'pitrou'
components = ['Library (Lib)']
creation = <Date 2011-04-09.21:18:19.972>
creator = 'pwouters'
dependencies = []
files = ['21818', '21819']
hgrepos = []
issue_num = 11811
keywords = ['patch', 'easy']
message_count = 7.0
messages = ['133422', '133424', '134618', '134622', '134648', '134706', '134707']
nosy_count = 4.0
nosy_names = ['pitrou', 'neologix', 'python-dev', 'pwouters']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'enhancement'
url = 'https://bugs.python.org/issue11811'
versions = ['Python 3.3']

[pwouters]

ssl.get_server_certificate() does not work for IPv6 addresses:

>>> ssl.get_server_certificate( ("2001:888:2003:1004:c2ff:eeff:fe00:133",443))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python2.7/ssl.py", line 403, in get_server_certificate
    s.connect(addr)
  File "/usr/lib64/python2.7/ssl.py", line 292, in connect
    socket.connect(self, addr)
  File "/usr/lib64/python2.7/socket.py", line 222, in meth
    return getattr(self._sock,name)(*args)
socket.gaierror: [Errno -9] Address family for hostname not supported

[pitrou]

Confirmed. In the meantime, you can connect manually using socket.create_connection():

>>> import ssl, socket
>>> conn = socket.create_connection(("2001:888:2003:1004:c2ff:eeff:fe00:133", 443))
>>> sock = ssl.wrap_socket(conn)
>>> ssl.DER_cert_to_PEM_cert(sock.getpeercert(True))
'-----BEGIN CERTIFICATE-----\nMIID8DCCA1mgAwIBAgICVVUwDQYJKoZIhvcNAQEFBQAwgbExCzAJBgNVBAYTAi0t\nMRIwEAYDVQQIEwlTb21lU3RhdGUxETAPBgNVBAcTCFNvbWVDaXR5MRkwFwYDVQQK\nExBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLExZTb21lT3JnYW5pemF0aW9uYWxV\nbml0MRkwFwYDVQQDExB3cC54ZWxlcmFuY2UubmV0MSQwIgYJKoZIhvcNAQkBFhVy\nb290QHdwLnhlbGVyYW5jZS5uZXQwHhcNMTEwNDA4MjM0MzE3WhcNMTIwNDA3MjM0\nMzE3WjCBsTELMAkGA1UEBhMCLS0xEjAQBgNVBAgTCVNvbWVTdGF0ZTERMA8GA1UE\nBxMIU29tZUNpdHkxGTAXBgNVBAoTEFNvbWVPcmdhbml6YXRpb24xHzAdBgNVBAsT\nFlNvbWVPcmdhbml6YXRpb25hbFVuaXQxGTAXBgNVBAMTEHdwLnhlbGVyYW5jZS5u\nZXQxJDAiBgkqhkiG9w0BCQEWFXJvb3RAd3AueGVsZXJhbmNlLm5ldDCBnzANBgkq\nhkiG9w0BAQEFAAOBjQAwgYkCgYEAsLBCgvH5g8ypkuufFQ55BFoWcjpAocsRV+jN\nW5zylXzM7F9/cMyTli757JGRdwL0l+bLPdojdYwKb6XjTWfJonqentBMG6iktLXZ\n66oUQl77UHOyL7XKynmO6wSGFd/qAoA8O5O9IRLPNcD4+NMTQjGSMFPvjnUnOSH2\n8nMVmZUCAwEAAaOCARMwggEPMB0GA1UdDgQWBBRFGGojncjKvGfxjgU8EOapc0Yi\nyjCB3wYDVR0jBIHXMIHUgBRFGGojncjKvGfxjgU8EOapc0YiyqGBt6SBtDCBsTEL\nMAkGA1UEBhMCLS0xEjAQBgNVBAgTCVNvbWVTdGF0ZTERMA8GA1UEBxMIU29tZUNp\ndHkxGTAXBgNVBAoTEFNvbWVPcmdhbml6YXRpb24xHzAdBgNVBAsTFlNvbWVPcmdh\nbml6YXRpb25hbFVuaXQxGTAXBgNVBAMTEHdwLnhlbGVyYW5jZS5uZXQxJDAiBgkq\nhkiG9w0BCQEWFXJvb3RAd3AueGVsZXJhbmNlLm5ldIICVVUwDAYDVR0TBAUwAwEB\n/zANBgkqhkiG9w0BAQUFAAOBgQCnLIAJ8ghuqUUiVOuq6tiRby65dh+7L1ApSp8G\nwusWF/rYugvqUxL1O1vatd1ptyXpoCLM0XzQ5sBtY0yS8IjMON9++Uu+u5IkQ+24\nkwvpgWp3lX8Zuxhbnmym/LGoJq4PgqXl1bsGJ+SIALQ31g7nrNE2HQz1IYRQEj/k\neG8F7g==\n-----END CERTIFICATE-----\n'

[neologix]

A patch is attached, along with corresponding test.
Notes:

• since I don't have an IPv6 internet connectivity, I could only test it locally
• I chose 'ipv6.google.com' as SSL server for the test. If it's a problem, I can change it for svn.python.org (it'll just take a couple more lines to make sure that we're using IPv6 and not IPv4)
• while writting the test, I needed a way to find whether IPv6 is supported on the current host (socket.has_ipv6 only tells you that the interpreter has been built with IPv6 support, not that the OS has an IPv6 stack enabled). So instead of rewritting what's already done in test_socket, I added a new is_ipv6_enabled function in Lib/test/support.py, and modified test_socket, test_ftplib and test_ssl to use it. This patch (is_ipv6_enabled.diff) must be applied before ssl_ipv6.diff.

[pitrou]

Hello,

This patch (is_ipv6_enabled.diff) must be applied before
ssl_ipv6.diff.

is_ipv6_enabled.diff is fine.
As for ssl_ipv6.diff, it fails on certificate verification:

======================================================================
ERROR: test_get_server_certificate (test.test_ssl.NetworkedTests)
----------------------------------------------------------------------

Traceback (most recent call last):
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 630, in test_get_server_certificate
    _test_get_server_certificate('ipv6.google.com', 443)
  File "/home/antoine/cpython/default/Lib/test/test_ssl.py", line 622, in _test_get_server_certificate
    pem = ssl.get_server_certificate((host, port), ca_certs=SVN_PYTHON_ORG_ROOT_CERT)
  File "/home/antoine/cpython/default/Lib/ssl.py", line 548, in get_server_certificate
    cert_reqs=cert_reqs, ca_certs=ca_certs)
  File "/home/antoine/cpython/default/Lib/ssl.py", line 498, in wrap_socket
    ciphers=ciphers)
  File "/home/antoine/cpython/default/Lib/ssl.py", line 255, in __init__
    raise x
  File "/home/antoine/cpython/default/Lib/ssl.py", line 251, in __init__
    self.do_handshake()
  File "/home/antoine/cpython/default/Lib/ssl.py", line 430, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [Errno 1] _ssl.c:389: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I think you should simply use ca_certs=None when testing with the Google
host.

[neologix]

As for ssl_ipv6.diff, it fails on certificate verification:

Of course.
The new version should fix this (tested on google.com).

is_ipv6_enabled.diff is fine.

Since IPv6 capability is unlikely to change in the middle of a test, I replaced the function is_ipv6_enabled() by a boolean IPV6_ENABLED. That way, it's closer to socket.has_ipv6, and spares a socket creation/bind/close at each call.

[python-dev]

New changeset 0518f32cb747 by Antoine Pitrou in branch 'default':
Issue bpo-11811: Factor out detection of IPv6 support on the current host
http://hg.python.org/cpython/rev/0518f32cb747

New changeset d3166c359714 by Antoine Pitrou in branch 'default':
Issue bpo-11811: ssl.get_server_certificate() is now IPv6-compatible. Patch
http://hg.python.org/cpython/rev/d3166c359714

[pitrou]

Committed, thank you!