pwsm / httplib2

Automatically exported from code.google.com/p/httplib2

0.7.x can't verify wildcard certificates #202

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
These all fail in 0.7.0, .1 and .2:
>>> httplib2.Http().request('https://citrix.com')        # certificate is for *.citrix.com
>>> httplib2.Http().request('https://en.wikipedia.org')  # certificate is for *.wikipedia.org
>>> httplib2.Http().request('https://zendesk.com')       # certificate is for *.zendesk.com

with the following error:
httplib2.SSLHandshakeError: [Errno 1] _ssl.c:499: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

(full stack trace attached).

All three return correct responses in 0.6.0 (i.e., they don't throw exceptions).

Accessing the sites in httplib works:
>>> h = HTTPSConnection('en.wikipedia.org')
>>> h.request('GET','/wiki/Main_Page')
>>> r = h.getresponse()
>>> r.status
200

What version of the product are you using? On what operating system?
0.7.0, 0.7.1 and 0.7.2 from PyPi, also default branch from mercurial
Python 2.7.1 under Linux Mint 11, also Python 2.6.4 under RHEL 5.6

Original issue reported on code.google.com by dan.cos...@hiveonline.co.uk on 28 Feb 2012 at 9:27

GoogleCodeExporter commented 8 years ago
Of course httplib.HTTPSConnection will work as it does no verification...

See http://docs.python.org/library/httplib.html#httplib.HTTPSConnection

I was experiencing this same issue, and it is mainly a problem due to lack of 
documentation of changes.  httplib2 performs verification of certificates as of 
version 0.7.0 and thus often connections that used to work are now failing 
because of a failure in verifying certificates.  In my case it was because the 
cacerts.txt file that is provided with httplib2 and used by default only has a 
small subset of the many available CA certificates.

You have two options:

1. Disable SSL certificate verification (NOT RECOMMENDED):

>>> import httplib2
>>> http = httplib2.Http(disable_ssl_certificate_validation=True)
>>> http.request('https://en.wikipedia.org')

2. Specify an alternative set of CA certificates:

>>> import httplib2
>>> http = httplib2.Http(ca_certs='/etc/ssl/certs/ca-certificates.crt')
>>> http.request('https://en.wikipedia.org')

Note: The system-wide set of available CA certificates on Ubuntu is available 
in the file /etc/ssl/certs/ca-certificates.crt and can be updated by 
following the steps available here: 
https://help.ubuntu.com/community/OpenSSL#Importing_a_Certificate_into_the_System-Wide_Certificate_Authority_Database

I have had plenty of success with this and I don't think it is a bug so much as 
a lack of clear documentation about:

1. How httplib2 should be used for SSL connections.
2. Clear warning that the default cacerts.txt file is a very small subset of 
certificates.
3. That 0.7.0 was a big breaking change regarding SSL connections.

Hope this helps!

Original comment by nickpope...@gmail.com on 7 Mar 2012 at 12:04
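
As an added illustration of the two points made in this thread (it is not code from the issue or from httplib2), the following shows how a client can locate the system CA bundles named above and keep verification switched on, plus an RFC 6125 style wildcard matcher showing why a `*.wikipedia.org` certificate does match `en.wikipedia.org`, so the wildcard was not the cause of the chain-verification error. The bundle paths are the ones quoted in the thread; the `exists` hook, helper names and sample hostnames are constructed for the example.

```python
import os
import ssl

# System CA bundle locations named in the thread (paths vary by distribution).
SYSTEM_CA_BUNDLES = (
    "/etc/ssl/certs/ca-certificates.crt",  # Debian/Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",    # Red Hat and similar
)


def find_system_ca_bundle(candidates=SYSTEM_CA_BUNDLES, exists=os.path.exists):
    """Return the first existing bundle, or None to keep the library default.
    `exists` is injectable so the lookup can be exercised without a real disk."""
    for path in candidates:
        if exists(path):
            return path
    return None


def verifying_context(cafile=None):
    """TLS context with chain AND hostname verification left on: the stdlib
    equivalent of the thread's fix, pointing the client at a fuller CA bundle
    (or, with cafile=None, the platform trust store) instead of switching
    certificate validation off."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def wildcard_matches(pattern, hostname):
    """RFC 6125 style match of a certificate DNS name against a hostname.
    '*' is accepted only as the whole leftmost label and stands for exactly one
    label: '*.wikipedia.org' covers 'en.wikipedia.org' but not 'wikipedia.org'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    first, rest = p_labels[0], p_labels[1:]
    if any("*" in label for label in rest):
        return False  # wildcards are only valid in the leftmost label
    if first == "*":
        if len(p_labels) < 3:
            return False  # '*.com' would cover every second-level domain
    elif "*" in first or first != h_labels[0]:
        return False  # partial wildcards such as 'e*' are rejected too
    return rest == h_labels[1:]
```

With httplib2 the same idea is `httplib2.Http(ca_certs=find_system_ca_bundle())`; a hostname mismatch would surface as a different error than the OpenSSL "certificate verify failed" seen in the report.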

GoogleCodeExporter commented 8 years ago
What a prat I am. I plain didn't read the docs for httplib, and so I didn't 
appreciate it didn't do verification - and I got so hung up on the idea of the 
wildcard being the problem I didn't look any further.

Specifying the system-wide certs file works like a charm. Under Red Hat (and 
similar) the certificates are here: /etc/pki/tls/certs/ca-bundle.crt

Thanks for the help, next time I promise to read the documentation more 
thoroughly.

Original comment by dan.cos...@hiveonline.co.uk on 7 Mar 2012 at 2:16

GoogleCodeExporter commented 8 years ago

Original comment by joe.gregorio@gmail.com on 13 Oct 2013 at 3:10