Certificate verify failed (works fine in 3.6) #78621

Closed
lgrahl mannequin opened this issue Aug 20, 2018 · 5 comments

@lgrahl
Mannequin

lgrahl mannequin commented Aug 20, 2018

BPO 34440
Nosy @tiran, @lgrahl
Files
  • minimal_server.zip
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = 'https://github.com/tiran'
    closed_at = <Date 2018-08-20.11:43:12.576>
    created_at = <Date 2018-08-20.11:22:01.296>
    labels = ['expert-SSL', 'type-bug', '3.7', 'invalid']
    title = 'Certificate verify failed (works fine in 3.6)'
    updated_at = <Date 2018-08-20.13:11:09.168>
    user = 'https://github.com/lgrahl'

    bugs.python.org fields:

    activity = <Date 2018-08-20.13:11:09.168>
    actor = 'Lennart Grahl'
    assignee = 'christian.heimes'
    closed = True
    closed_date = <Date 2018-08-20.11:43:12.576>
    closer = 'christian.heimes'
    components = ['SSL']
    creation = <Date 2018-08-20.11:22:01.296>
    creator = 'Lennart Grahl'
    dependencies = []
    files = ['47754']
    hgrepos = []
    issue_num = 34440
    keywords = []
    message_count = 5.0
    messages = ['323783', '323784', '323785', '323786', '323788']
    nosy_count = 2.0
    nosy_names = ['christian.heimes', 'Lennart Grahl']
    pr_nums = []
    priority = 'normal'
    resolution = 'not a bug'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'behavior'
    url = 'https://bugs.python.org/issue34440'
    versions = ['Python 3.7']

    @lgrahl
    Mannequin Author

    lgrahl mannequin commented Aug 20, 2018

    When running the attached script with the attached cert, Python 3.7 raises an exception (see https://paste.pound-python.org/show/VLr84Yn2Fnz6RSKEq3ui/). In Python 3.6, the certificate is being accepted.

    I don't see anything wrong with the self-signed certificate.

    You can (hopefully) reproduce this by running minimal_server.py

    @lgrahl lgrahl mannequin added the 3.7 (EOL) end of life label Aug 20, 2018
    @lgrahl lgrahl mannequin assigned tiran Aug 20, 2018
    @lgrahl lgrahl mannequin added the topic-SSL label Aug 20, 2018
    @tiran
    Member

    tiran commented Aug 20, 2018

    The exception message is:

    ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '127.0.0.1'. (_ssl.c:1045)

    The certificate is not valid for the URL. You are connecting to a server by IP address, but the certificate is not valid for that IP address.

    @tiran tiran closed this as completed Aug 20, 2018
    @tiran tiran added invalid type-bug An unexpected behavior, bug, or error labels Aug 20, 2018
    @lgrahl
    Mannequin Author

    lgrahl mannequin commented Aug 20, 2018

    Hi.

    I don't see why the certificate would not be valid for that address. Python 3.6 also accepts it without any modifications to the script.

    Output of openssl x509 -in cert.pem -noout -text

    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
    bc:28:67:9a:b0:fe:d6:b8
    Signature Algorithm: ecdsa-with-SHA256
    Issuer: CN = 127.0.0.1
    Validity
    Not Before: Mar 23 16:52:01 2017 GMT
    Not After : Mar 21 16:52:01 2027 GMT
    Subject: CN = 127.0.0.1
    Subject Public Key Info:
    Public Key Algorithm: id-ecPublicKey
    Public-Key: (256 bit)
    pub:
    04:9d:e3:f2:f6:e2:8c:f3:25:82:3e:9e:bc:c5:69:
    27:34:be:45:89:4a:51:ce:67:4e:b8:a0:b1:a2:bd:
    fa:39:f9:38:85:a3:9c:a6:c4:c9:78:24:c7:17:5c:
    2b:00:af:7f:73:e2:49:68:9c:37:29:ae:69:bf:b5:
    49:06:a8:b8:1d
    ASN1 OID: prime256v1
    NIST CURVE: P-256
    X509v3 extensions:
    X509v3 Subject Key Identifier:
    17:66:86:40:B1:C4:BF:77:09:C7:DC:9F:4D:78:4A:BF:07:19:AD:8C
    X509v3 Authority Key Identifier:
    keyid:17:66:86:40:B1:C4:BF:77:09:C7:DC:9F:4D:78:4A:BF:07:19:AD:8C

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:09:d2:c1:85:f9:c5:7f:78:3e:cc:90:78:25:dc:
         9e:76:ef:62:7a:e5:38:0a:a1:6c:c6:27:af:ed:ec:1d:12:06:
         02:20:5d:d0:de:8e:46:ee:e3:67:35:66:fe:11:6e:56:b5:70:
         72:16:33:92:66:0f:6c:da:51:0c:74:d8:c1:b8:8f:b5
    

    @tiran
    Member

    tiran commented Aug 20, 2018

    Python 3.6 is a little more forgiving than Python 3.7. Python 3.7 uses OpenSSL's hostname verification algorithms, which interpret the RFCs more strictly. You have to include a SAN field of type IP address. Matching against CN has been deprecated for more than 15 years, see https://bugs.chromium.org/p/chromium/issues/detail?id=308330
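
Added example, not part of the original thread and not CPython's or OpenSSL's code: a simplified model of the two matching rules discussed above, run over constructed certificate dicts in the shape `ssl.SSLSocket.getpeercert()` returns. The function names and the `cn-only` label are hypothetical, and DNS wildcard matching is left out.

```python
import ipaddress

def _is_ip(host):
    """Return an ip_address object, or None if host is not an IP literal."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def san_matches(cert, host):
    """Strict rule: only subjectAltName entries count; CN is ignored."""
    ip = _is_ip(host)
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None:
            # An IP host matches only SAN entries of type "IP Address".
            if kind == "IP Address" and _is_ip(value.strip()) == ip:
                return True
        elif kind == "DNS" and value.lower() == host.lower():
            return True
    return False

def cn_matches(cert, host):
    """Legacy fallback: compare the host to the subject commonName."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value.lower() == host.lower():
                return True
    return False

def diagnose(cert, host):
    if san_matches(cert, host):
        return "ok"
    if cn_matches(cert, host):
        return "cn-only"  # passes only via CN fallback; strict check rejects it
    return "mismatch"

# Constructed samples: the thread's certificate has CN = 127.0.0.1 and no SAN.
CN_ONLY_CERT = {"subject": ((("commonName", "127.0.0.1"),),)}
FIXED_CERT = {
    "subject": ((("commonName", "127.0.0.1"),),),
    "subjectAltName": (("IP Address", "127.0.0.1"),),
}

if __name__ == "__main__":
    for name, cert in (("CN only", CN_ONLY_CERT), ("with IP SAN", FIXED_CERT)):
        print(name, "->", diagnose(cert, "127.0.0.1"))
```

A `cn-only` result marks a certificate that needs to be reissued with a matching SAN entry before clients that verify strictly will accept it.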

    @lgrahl
    Mannequin Author

    lgrahl mannequin commented Aug 20, 2018

    Cheers!

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022