SSL tests fail with uncaught SSL validation
See original GitHub issueβ Iβm submitting a β¦
- π bug report
- π£ feature request
- β question about the decisions made in the repository
π Describe the bug. What is the current behavior? Running tests on macOS, two tests fail:
2 failed
- cheroot/test/test_ssl.py:192 test_tls_client_auth[VerifyMode.CERT_OPTIONAL-False-localhost-pyopenssl]
- cheroot/test/test_ssl.py:192 test_tls_client_auth[VerifyMode.CERT_REQUIRED-False-localhost-pyopenssl]
β What is the motivation / use case for changing the behavior?
Tests should pass on master.
π‘ To Reproduce
Steps to reproduce the behavior:
- Run
tox -r
on macOS
π‘ Expected behavior
Tests should pass.
π Details
Failures look like:
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ test_tls_client_auth[VerifyMode.CERT_OPTIONAL-False-localhost-pyopenssl] ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
mocker = <pytest_mock.MockFixture object at 0x103995ba8>, tls_http_server = <generator object tls_http_server.<locals>.start_srv at 0x10392c228>, adapter_type = 'pyopenssl'
ca = <trustme.CA object at 0x103995fd0>, tls_certificate = <trustme.LeafCert object at 0x10396bb70>
tls_certificate_chain_pem_path = '/var/folders/c6/v7hnmq453xb6p2dbz1gqc6rr0000gn/T/tmpg0wjfzji.pem'
tls_certificate_private_key_pem_path = '/var/folders/c6/v7hnmq453xb6p2dbz1gqc6rr0000gn/T/tmpii4yp07w.pem'
tls_ca_certificate_pem_path = '/var/folders/c6/v7hnmq453xb6p2dbz1gqc6rr0000gn/T/tmpyv5h7s8l.pem', is_trusted_cert = False, tls_client_identity = 'localhost'
tls_verify_mode = <VerifyMode.CERT_OPTIONAL: 1>
@pytest.mark.parametrize(
'adapter_type',
(
'builtin',
'pyopenssl',
),
)
@pytest.mark.parametrize(
'is_trusted_cert,tls_client_identity',
(
(True, 'localhost'), (True, '127.0.0.1'),
(True, '*.localhost'), (True, 'not_localhost'),
(False, 'localhost'),
),
)
@pytest.mark.parametrize(
'tls_verify_mode',
(
ssl.CERT_NONE, # server shouldn't validate client cert
ssl.CERT_OPTIONAL, # same as CERT_REQUIRED in client mode, don't use
ssl.CERT_REQUIRED, # server should validate if client cert CA is OK
),
)
def test_tls_client_auth(
# FIXME: remove twisted logic, separate tests
mocker,
tls_http_server, adapter_type,
ca,
tls_certificate,
tls_certificate_chain_pem_path,
tls_certificate_private_key_pem_path,
tls_ca_certificate_pem_path,
is_trusted_cert, tls_client_identity,
tls_verify_mode,
):
"""Verify that client TLS certificate auth works correctly."""
test_cert_rejection = (
tls_verify_mode != ssl.CERT_NONE
and not is_trusted_cert
)
interface, _host, port = _get_conn_data(ANY_INTERFACE_IPV4)
client_cert_root_ca = ca if is_trusted_cert else trustme.CA()
with mocker.mock_module.patch(
'idna.core.ulabel',
return_value=ntob(tls_client_identity),
):
client_cert = client_cert_root_ca.issue_server_cert(
# FIXME: change to issue_cert once new trustme is out
ntou(tls_client_identity),
)
del client_cert_root_ca
with client_cert.private_key_and_cert_chain_pem.tempfile() as cl_pem:
tls_adapter_cls = get_ssl_adapter_class(name=adapter_type)
tls_adapter = tls_adapter_cls(
tls_certificate_chain_pem_path,
tls_certificate_private_key_pem_path,
)
if adapter_type == 'pyopenssl':
tls_adapter.context = tls_adapter.get_context()
tls_adapter.context.set_verify(
_stdlib_to_openssl_verify[tls_verify_mode],
lambda conn, cert, errno, depth, preverify_ok: preverify_ok,
)
else:
tls_adapter.context.verify_mode = tls_verify_mode
ca.configure_trust(tls_adapter.context)
tls_certificate.configure_cert(tls_adapter.context)
tlshttpserver = tls_http_server.send(
(
(interface, port),
tls_adapter,
),
)
interface, _host, port = _get_conn_data(tlshttpserver.bind_addr)
make_https_request = functools.partial(
requests.get,
'https://' + interface + ':' + str(port) + '/',
# Server TLS certificate verification:
verify=tls_ca_certificate_pem_path,
# Client TLS certificate verification:
cert=cl_pem,
)
if not test_cert_rejection:
resp = make_https_request()
assert resp.status_code == 200
assert resp.text == 'Hello world!'
return
with pytest.raises(requests.exceptions.SSLError) as ssl_err:
> make_https_request()
cheroot/test/test_ssl.py:290:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
.tox/python/lib/python3.7/site-packages/requests/api.py:75: in get
return request('get', url, params=params, **kwargs)
.tox/python/lib/python3.7/site-packages/requests/api.py:60: in request
return session.request(method=method, url=url, **kwargs)
.tox/python/lib/python3.7/site-packages/requests/sessions.py:533: in request
resp = self.send(prep, **send_kwargs)
.tox/python/lib/python3.7/site-packages/requests/sessions.py:646: in send
r = adapter.send(request, **kwargs)
.tox/python/lib/python3.7/site-packages/requests/adapters.py:449: in send
timeout=timeout
.tox/python/lib/python3.7/site-packages/urllib3/connectionpool.py:600: in urlopen
chunked=chunked)
.tox/python/lib/python3.7/site-packages/urllib3/connectionpool.py:384: in _make_request
six.raise_from(e, None)
<string>:2: in raise_from
???
.tox/python/lib/python3.7/site-packages/urllib3/connectionpool.py:380: in _make_request
httplib_response = conn.getresponse()
/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py:1321: in getresponse
response.begin()
/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py:296: in begin
version, status, reason = self._read_status()
/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py:257: in _read_status
line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/socket.py:589: in readinto
return self._sock.recv_into(b)
.tox/python/lib/python3.7/site-packages/urllib3/contrib/pyopenssl.py:294: in recv_into
return self.connection.recv_into(*args, **kwargs)
.tox/python/lib/python3.7/site-packages/OpenSSL/SSL.py:1822: in recv_into
self._raise_ssl_error(self._ssl, result)
.tox/python/lib/python3.7/site-packages/OpenSSL/SSL.py:1647: in _raise_ssl_error
_raise_current_error()
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
exception_type = <class 'OpenSSL.SSL.Error'>
def exception_from_error_queue(exception_type):
"""
Convert an OpenSSL library failure into a Python exception.
When a call to the native OpenSSL library fails, this is usually signalled
by the return value, and an error code is stored in an error queue
associated with the current thread. The err library provides functions to
obtain these error codes and textual error messages.
"""
errors = []
while True:
error = lib.ERR_get_error()
if error == 0:
break
errors.append((
text(lib.ERR_lib_error_string(error)),
text(lib.ERR_func_error_string(error)),
text(lib.ERR_reason_error_string(error))))
> raise exception_type(errors)
E OpenSSL.SSL.Error: [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert unknown ca')]
.tox/python/lib/python3.7/site-packages/OpenSSL/_util.py:54: Error
cheroot/test/test_ssl.py::test_tls_client_auth[VerifyMode.CERT_OPTIONAL-False-localhost-pyopenssl] β¨― 84% βββββββββ
cheroot/test/test_ssl.py::test_tls_client_auth[VerifyMode.CERT_REQUIRED-True-localhost-builtin] β 85% βββββββββ
cheroot/test/test_ssl.py::test_tls_client_auth[VerifyMode.CERT_REQUIRED-True-localhost-pyopenssl] β 86% βββββββββ
cheroot/test/test_ssl.py::test_tls_client_auth[VerifyMode.CERT_REQUIRED-True-127.0.0.1-builtin] β 87% βββββββββ
cheroot/test/test_ssl.py::test_tls_client_auth[VerifyMode.CERT_REQUIRED-True-127.0.0.1-pyopenssl] β 88% βββββββββ
cheroot/test/test_ssl.py::test_tls_client_auth[VerifyMode.CERT_REQUIRED-True-*.localhost-builtin] β 89% βββββββββ
cheroot/test/test_ssl.py::test_tls_client_auth[VerifyMode.CERT_REQUIRED-True-*.localhost-pyopenssl] β 90% βββββββββ
cheroot/test/test_ssl.py::test_tls_client_auth[VerifyMode.CERT_REQUIRED-True-not_localhost-builtin] β 90% ββββββββββ
cheroot/test/test_ssl.py::test_tls_client_auth[VerifyMode.CERT_REQUIRED-True-not_localhost-pyopenssl] β 91% ββββββββββ
cheroot/test/test_ssl.py::test_tls_client_auth[VerifyMode.CERT_REQUIRED-False-localhost-builtin] β 92% ββββββββββ
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ test_tls_client_auth[VerifyMode.CERT_REQUIRED-False-localhost-pyopenssl] ββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
mocker = <pytest_mock.MockFixture object at 0x10395c6d8>, tls_http_server = <generator object tls_http_server.<locals>.start_srv at 0x103a1ae58>, adapter_type = 'pyopenssl'
ca = <trustme.CA object at 0x103ee1160>, tls_certificate = <trustme.LeafCert object at 0x103c2f630>
tls_certificate_chain_pem_path = '/var/folders/c6/v7hnmq453xb6p2dbz1gqc6rr0000gn/T/tmp78479eyf.pem'
tls_certificate_private_key_pem_path = '/var/folders/c6/v7hnmq453xb6p2dbz1gqc6rr0000gn/T/tmpwdexlrl7.pem'
tls_ca_certificate_pem_path = '/var/folders/c6/v7hnmq453xb6p2dbz1gqc6rr0000gn/T/tmpf3obdeu1.pem', is_trusted_cert = False, tls_client_identity = 'localhost'
tls_verify_mode = <VerifyMode.CERT_REQUIRED: 2>
@pytest.mark.parametrize(
'adapter_type',
(
'builtin',
'pyopenssl',
),
)
@pytest.mark.parametrize(
'is_trusted_cert,tls_client_identity',
(
(True, 'localhost'), (True, '127.0.0.1'),
(True, '*.localhost'), (True, 'not_localhost'),
(False, 'localhost'),
),
)
@pytest.mark.parametrize(
'tls_verify_mode',
(
ssl.CERT_NONE, # server shouldn't validate client cert
ssl.CERT_OPTIONAL, # same as CERT_REQUIRED in client mode, don't use
ssl.CERT_REQUIRED, # server should validate if client cert CA is OK
),
)
def test_tls_client_auth(
# FIXME: remove twisted logic, separate tests
mocker,
tls_http_server, adapter_type,
ca,
tls_certificate,
tls_certificate_chain_pem_path,
tls_certificate_private_key_pem_path,
tls_ca_certificate_pem_path,
is_trusted_cert, tls_client_identity,
tls_verify_mode,
):
"""Verify that client TLS certificate auth works correctly."""
test_cert_rejection = (
tls_verify_mode != ssl.CERT_NONE
and not is_trusted_cert
)
interface, _host, port = _get_conn_data(ANY_INTERFACE_IPV4)
client_cert_root_ca = ca if is_trusted_cert else trustme.CA()
with mocker.mock_module.patch(
'idna.core.ulabel',
return_value=ntob(tls_client_identity),
):
client_cert = client_cert_root_ca.issue_server_cert(
# FIXME: change to issue_cert once new trustme is out
ntou(tls_client_identity),
)
del client_cert_root_ca
with client_cert.private_key_and_cert_chain_pem.tempfile() as cl_pem:
tls_adapter_cls = get_ssl_adapter_class(name=adapter_type)
tls_adapter = tls_adapter_cls(
tls_certificate_chain_pem_path,
tls_certificate_private_key_pem_path,
)
if adapter_type == 'pyopenssl':
tls_adapter.context = tls_adapter.get_context()
tls_adapter.context.set_verify(
_stdlib_to_openssl_verify[tls_verify_mode],
lambda conn, cert, errno, depth, preverify_ok: preverify_ok,
)
else:
tls_adapter.context.verify_mode = tls_verify_mode
ca.configure_trust(tls_adapter.context)
tls_certificate.configure_cert(tls_adapter.context)
tlshttpserver = tls_http_server.send(
(
(interface, port),
tls_adapter,
),
)
interface, _host, port = _get_conn_data(tlshttpserver.bind_addr)
make_https_request = functools.partial(
requests.get,
'https://' + interface + ':' + str(port) + '/',
# Server TLS certificate verification:
verify=tls_ca_certificate_pem_path,
# Client TLS certificate verification:
cert=cl_pem,
)
if not test_cert_rejection:
resp = make_https_request()
assert resp.status_code == 200
assert resp.text == 'Hello world!'
return
with pytest.raises(requests.exceptions.SSLError) as ssl_err:
> make_https_request()
cheroot/test/test_ssl.py:290:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
.tox/python/lib/python3.7/site-packages/requests/api.py:75: in get
return request('get', url, params=params, **kwargs)
.tox/python/lib/python3.7/site-packages/requests/api.py:60: in request
return session.request(method=method, url=url, **kwargs)
.tox/python/lib/python3.7/site-packages/requests/sessions.py:533: in request
resp = self.send(prep, **send_kwargs)
.tox/python/lib/python3.7/site-packages/requests/sessions.py:646: in send
r = adapter.send(request, **kwargs)
.tox/python/lib/python3.7/site-packages/requests/adapters.py:449: in send
timeout=timeout
.tox/python/lib/python3.7/site-packages/urllib3/connectionpool.py:600: in urlopen
chunked=chunked)
.tox/python/lib/python3.7/site-packages/urllib3/connectionpool.py:384: in _make_request
six.raise_from(e, None)
<string>:2: in raise_from
???
.tox/python/lib/python3.7/site-packages/urllib3/connectionpool.py:380: in _make_request
httplib_response = conn.getresponse()
/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py:1321: in getresponse
response.begin()
/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py:296: in begin
version, status, reason = self._read_status()
/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py:257: in _read_status
line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/socket.py:589: in readinto
return self._sock.recv_into(b)
.tox/python/lib/python3.7/site-packages/urllib3/contrib/pyopenssl.py:294: in recv_into
return self.connection.recv_into(*args, **kwargs)
.tox/python/lib/python3.7/site-packages/OpenSSL/SSL.py:1822: in recv_into
self._raise_ssl_error(self._ssl, result)
.tox/python/lib/python3.7/site-packages/OpenSSL/SSL.py:1647: in _raise_ssl_error
_raise_current_error()
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
exception_type = <class 'OpenSSL.SSL.Error'>
def exception_from_error_queue(exception_type):
"""
Convert an OpenSSL library failure into a Python exception.
When a call to the native OpenSSL library fails, this is usually signalled
by the return value, and an error code is stored in an error queue
associated with the current thread. The err library provides functions to
obtain these error codes and textual error messages.
"""
errors = []
while True:
error = lib.ERR_get_error()
if error == 0:
break
errors.append((
text(lib.ERR_lib_error_string(error)),
text(lib.ERR_func_error_string(error)),
text(lib.ERR_reason_error_string(error))))
> raise exception_type(errors)
E OpenSSL.SSL.Error: [('SSL routines', 'ssl3_read_bytes', 'tlsv1 alert unknown ca')]
.tox/python/lib/python3.7/site-packages/OpenSSL/_util.py:54: Error
π Environment
- Cheroot version: master (e616c254)
- CherryPy version: n/a
- Python version: 3.7.2
- OS: macOS 10.14.3
- Browser: n/a
π Additional context
Issue Analytics
- State:
- Created 5 years ago
- Comments:25 (24 by maintainers)
Top Results From Across the Web
HTTP Server Test Fails with SSL Error
On the Test Settings page, select the HTTP server test or page load test, and uncheck the Verify SSL certificate box under the...
Read more >8 Ways to Fix SSL Connection Errors on Various Browsers ...
5. How to Fix the SSL Connection Error on Android Β· Open the Chrome browser and access its Settings menu. Β· Go to...
Read more >java - Resolving javax.net.ssl.SSLHandshakeException: sun ...
Here is the original issue. I am getting this error: detailed message sun.security.validator.ValidatorException: PKIX path building failed: sun.security.
Read more >SSL cerfrificaion problem: 'unable to get local issuer certificate'
When ssl certificate problem unable to get local issuer certificate error is caused by a self-signed certificate, the fix is to add the...
Read more >unable to verify the first certificate jest - You.com
ApiService from '@/services/api.service' export ; Axios from 'axios' const ; const baseURL = `${baseDomain}${process.env.VUE_APP_API}` test ...
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
Iβve actually made CI print it a while back:
urllib==1.24.2
has been released 4 days ago.