False SSL certificate subjectAltName warnings for older Python versions.

The change introduced by #497 causes incorrect deprecation warnings to be generated by older Python versions. Specifically, it looks like if using Python 2.7.2 or older, the warning:

SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SecurityWarning

is generated even though the SSL certificate of the target site has the subjectAltName field.

Test script is:

from __future__ import print_function  # let the final print run on Python 2 and 3

import urllib3
import certifi

http = urllib3.PoolManager(
    cert_reqs='CERT_REQUIRED', # Force certificate check.
    ca_certs=certifi.where(),  # Path to the Certifi bundle.
)

r = http.request('GET', 'https://collector.newrelic.com/')

print(r.status, r.data)

The underlying reason is that older Python versions are not returning the subjectAltName field even though it exists in the certificate.

# openssl s_client -connect collector.newrelic.com:443 | tee newrelic.cert
…. lots of output deleted
QUIT

# openssl x509 -inform PEM -in newrelic.cert -text
…. lots of output deleted
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.newrelic.com, DNS:newrelic.com
…. lots more output deleted

# python2.6
Python 2.6.9 (default, Oct 22 2014, 19:47:46)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import _ssl
>>> _ssl._test_decode_cert('newrelic.cert')
{'notBefore': 'Apr  9 00:00:00 2014 GMT', 'serialNumber': '510F0C495E89A1BEEA2AA572D1D4058E', 'notAfter': 'Apr 16 23:59:59 2015 GMT', 'version': 3, 'subject': ((('countryName', u'US'),), (('stateOrProvinceName', u'California'),), (('localityName', u'San Francisco'),), (('organizationName', u'New Relic, Inc.'),), (('commonName', u'*.newrelic.com'),)), 'issuer': ((('countryName', u'US'),), (('organizationName', u'GeoTrust Inc.'),), (('commonName', u'GeoTrust SSL CA - G2'),))}

$ python2.7
Python 2.7.2 (default, Oct 11 2012, 20:14:37)
[GCC 4.2.1 Compatible Apple Clang 4.0 (tags/Apple/clang-418.0.60)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import _ssl
>>> _ssl._test_decode_cert('newrelic.cert')
{'notBefore': 'Apr  9 00:00:00 2014 GMT', 'serialNumber': '510F0C495E89A1BEEA2AA572D1D4058E', 'notAfter': 'Apr 16 23:59:59 2015 GMT', 'version': 3, 'subject': ((('countryName', u'US'),), (('stateOrProvinceName', u'California'),), (('localityName', u'San Francisco'),), (('organizationName', u'New Relic, Inc.'),), (('commonName', u'*.newrelic.com'),)), 'issuer': ((('countryName', u'US'),), (('organizationName', u'GeoTrust Inc.'),), (('commonName', u'GeoTrust SSL CA - G2'),))}

# python2.7
Python 2.7.3 (default, Feb 27 2014, 19:58:35)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import _ssl
>>> _ssl._test_decode_cert('newrelic.cert')
{'subjectAltName': (('DNS', '*.newrelic.com'), ('DNS', 'newrelic.com')), 'notBefore': 'Apr  9 00:00:00 2014 GMT', 'serialNumber': '510F0C495E89A1BEEA2AA572D1D4058E', 'notAfter': 'Apr 16 23:59:59 2015 GMT', 'version': 3, 'subject': ((('countryName', u'US'),), (('stateOrProvinceName', u'California'),), (('localityName', u'San Francisco'),), (('organizationName', u'New Relic, Inc.'),), (('commonName', u'*.newrelic.com'),)), 'issuer': ((('countryName', u'US'),), (('organizationName', u'GeoTrust Inc.'),), (('commonName', u'GeoTrust SSL CA - G2'),))}

# python3.3
Python 3.3.6 (default, Oct 12 2014, 13:56:06)
[GCC 4.6.3] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import _ssl
>>> _ssl._test_decode_cert('newrelic.cert')
{'notBefore': 'Apr  9 00:00:00 2014 GMT', 'subjectAltName': (('DNS', '*.newrelic.com'), ('DNS', 'newrelic.com')), 'version': 3, 'issuer': ((('countryName', 'US'),), (('organizationName', 'GeoTrust Inc.'),), (('commonName', 'GeoTrust SSL CA - G2'),)), 'notAfter': 'Apr 16 23:59:59 2015 GMT', 'serialNumber': '510F0C495E89A1BEEA2AA572D1D4058E', 'subject': ((('countryName', 'US'),), (('stateOrProvinceName', 'California'),), (('localityName', 'San Francisco'),), (('organizationName', 'New Relic, Inc.'),), (('commonName', '*.newrelic.com'),))}

This was found by virtue of @kennethreitz's requests module bundling the latest urllib3 and producing incorrect warnings all the time.

We are having to resort to ignoring the warning:

import warnings

with warnings.catch_warnings():
    warnings.simplefilter("ignore")  # suppress the spurious SecurityWarning

    r = session.post(url, params=params, headers=headers,
                     proxies=proxies, timeout=timeout, data=data,
                     verify=cert_loc)

If confirmed that older Python versions do not provide this information from a certificate, you possibly should change urllib3 to only generate the warning if using Python 2.7.3 or newer.
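An added example, not urllib3's code or the reporter's, reconstructing the SAN-first, commonName-fallback hostname check that the warning above comes from. It runs over constructed dicts shaped like the `_test_decode_cert` output shown in the transcripts: the same certificate once with `subjectAltName` (as Python 2.7.3+ decodes it) and once without (as Python 2.7.2 and older return it), so the fallback path and its warning fire purely because the interpreter dropped the field. `SecurityWarning`, `CertificateError` and `check` are names defined here for the example.

```python
import warnings

class CertificateError(ValueError):
    """Neither subjectAltName nor commonName matched the hostname."""

class SecurityWarning(Warning):
    """Stand-in for urllib3's SecurityWarning (constructed for this example)."""

# Constructed dicts shaped like the _test_decode_cert output above: Python 2.7.3+
# exposes subjectAltName, Python 2.7.2 and older omit it for the same certificate.
CERT_WITH_SAN = {
    'subjectAltName': (('DNS', '*.newrelic.com'), ('DNS', 'newrelic.com')),
    'subject': ((('commonName', '*.newrelic.com'),),),
}
CERT_WITHOUT_SAN = {'subject': ((('commonName', '*.newrelic.com'),),)}

def dnsname_match(pattern, hostname):
    """Case-insensitive label match; a '*' label covers exactly one non-empty label."""
    plabels, hlabels = pattern.lower().split('.'), hostname.lower().split('.')
    if len(plabels) != len(hlabels):
        return False
    return all((p == '*' and h) or p == h for p, h in zip(plabels, hlabels))

def match_hostname(cert, hostname):
    """Return which field matched: 'subjectAltName' or (with a warning) 'commonName'."""
    san = [v for k, v in cert.get('subjectAltName', ()) if k == 'DNS']
    if san:
        if any(dnsname_match(n, hostname) for n in san):
            return 'subjectAltName'
        raise CertificateError("hostname %r doesn't match %r" % (hostname, san))
    # No SAN visible to this interpreter: the fallback path fires the warning even
    # when the certificate itself carries a SAN that _ssl simply did not decode.
    warnings.warn("Certificate has no `subjectAltName`, falling back to check "
                  "for a `commonName` for now.", SecurityWarning)
    cn = [v for rdn in cert.get('subject', ()) for k, v in rdn if k == 'commonName']
    if any(dnsname_match(n, hostname) for n in cn):
        return 'commonName'
    raise CertificateError("hostname %r doesn't match %r" % (hostname, cn))

def check(cert, hostname):
    """Run match_hostname and report (matched_field, warning_fired)."""
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        field = match_hostname(cert, hostname)
    return field, any(issubclass(w.category, SecurityWarning) for w in caught)
```

Running `check` on both dicts for `collector.newrelic.com` shows the identical certificate passing silently via the SAN in one case and via commonName with the warning in the other, which is why the warning alone cannot tell a SAN-less certificate from an interpreter that hides the SAN.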

Issue Analytics

  • State: closed
  • Created 9 years ago
  • Comments: 18 (10 by maintainers)

Top GitHub Comments

5 reactions
GrahamDumpleton commented, Dec 15, 2014

We do not use old versions of Python. We are in the same boat as you yourselves are. You have users/customers who you can’t control and who will use old versions of Python with your software because that is the version of Python their operating system supplies, but which have been patched by the OS provider. You therefore do your due diligence and test with a range of Python versions. That is the only reason we have found this.

If you yourselves were testing with older Python versions and testing sufficiently the functionality of your package you might have come across it yourselves. If you are ignoring the reality that your users will use old versions and aren’t testing with them, then you should be advertising your package as incompatible with or entirely untested with older Python versions.

1 reaction
shazow commented, Dec 15, 2014

Alright, let’s behave ourselves. It’s nice to respect each others’ time, and we can all strive to make our lives safer and easier within reason. 😃
