Certificate verify failed (works fine in 3.6) #78621
Comments
When running the attached script with the attached cert, Python 3.7 raises an exception (see https://paste.pound-python.org/show/VLr84Yn2Fnz6RSKEq3ui/). In Python 3.6, the certificate is being accepted. I don't see anything wrong with the self-signed certificate. You can (hopefully) reproduce this by running minimal_server.py
The exception message is: ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '127.0.0.1'. (_ssl.c:1045) The certificate is not valid for the URL. You are connecting to a server by IP address, but the certificate is not valid for that IP address.
Hi. I don't see why the certificate would not be valid for that address. Python 3.6 also accepts it without any modifications to the script. Output of openssl x509 -in cert.pem -noout -text Certificate:
Python 3.6 is a little more forgiving than Python 3.7. Python 3.7 uses OpenSSL's hostname verification algorithms, which interpret the RFCs more strictly. You have to include a SAN field of type IP address. Matching against CN has been deprecated for more than 15 years, see https://bugs.chromium.org/p/chromium/issues/detail?id=308330
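The check described in the comment above, as an added example that is not part of the original thread or of CPython: a diagnostic over certificate dicts in the shape returned by `ssl.SSLSocket.getpeercert()`, reporting whether a target is covered by a SAN entry of the right type. The helper name `diagnose`, the sample certificates and the result strings are assumptions made for illustration; matching is exact only (no wildcards), and the helper's policy is to never accept the subject CN.

```python
import ipaddress

# Constructed sample dicts in the shape returned by ssl.SSLSocket.getpeercert().
CN_ONLY_CERT = {
    "subject": ((("commonName", "127.0.0.1"),),),
}
SAN_IP_CERT = {
    "subject": ((("commonName", "127.0.0.1"),),),
    "subjectAltName": (("DNS", "localhost"), ("IP Address", "127.0.0.1")),
}
SAN_DNS_ONLY_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (("DNS", "127.0.0.1"),),
}


def _as_ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def diagnose(cert, target):
    """Explain whether `target` is covered by the certificate's SAN entries.

    Hypothetical helper: exact matching only (no wildcard handling), and the
    subject CN is reported but never accepted as a match.
    """
    sans = cert.get("subjectAltName", ())
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    target_ip = _as_ip(target)
    if target_ip is not None:
        # An IP target matches only SAN entries of type "IP Address".
        if any(t == "IP Address" and _as_ip(v) == target_ip for t, v in sans):
            return "ok: IP SAN match"
        if any(t == "DNS" and v == target for t, v in sans):
            return "fail: IP listed as DNS SAN, needs an IP-type SAN"
    elif any(t == "DNS" and v.lower() == target.lower() for t, v in sans):
        return "ok: DNS SAN match"
    if target in cns:
        return "fail: only the subject CN matches, add a SAN entry"
    return "fail: no SAN entry for target"
```

Running `diagnose(sock.getpeercert(), host)` against a connection made with verification relaxed in a test environment shows which SAN entry a regenerated certificate needs before strict verification is turned back on.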
Cheers!
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.