brandon-rhodes / fopnp

Foundations of Python Network Programming (Apress) — scripts and examples

chapter06/safe_tls.py does not work with Python 3.6 #24

Closed pmav99 closed 7 years ago

pmav99 commented 7 years ago

The server:

$ /usr/bin/python3.6 safe_tls.py -s localhost.pem localhost 8000
Listening at interface 'localhost' and port 8000
Connection from host '127.0.0.1' and port 40132
Traceback (most recent call last):
  File "safe_tls.py", line 50, in <module>
    server(args.host, args.port, args.s, args.a)
  File "safe_tls.py", line 35, in server
    ssl_sock = context.wrap_socket(raw_sock, server_side=True)
  File "/usr/lib/python3.6/ssl.py", line 401, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib/python3.6/ssl.py", line 808, in __init__
    self.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 1061, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 683, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:749)

The client:

$ /usr/bin/python3.6 safe_tls.py -s localhost.pem localhost 8000
Listening at interface 'localhost' and port 8000
Connection from host '127.0.0.1' and port 40132
Traceback (most recent call last):
  File "safe_tls.py", line 50, in <module>
    server(args.host, args.port, args.s, args.a)
  File "safe_tls.py", line 35, in server
    ssl_sock = context.wrap_socket(raw_sock, server_side=True)
  File "/usr/lib/python3.6/ssl.py", line 401, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib/python3.6/ssl.py", line 808, in __init__
    self.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 1061, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 683, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:749)

At the same time, using python3.4 works just fine:

$ /usr/bin/python3.4 safe_tls.py -a ca.crt localhost 8000
Connected to host 'localhost' and port 8000
b'Simple is better than complex.'

$ /usr/bin/python3.4 safe_tls.py -s localhost.pem localhost 8000
Listening at interface 'localhost' and port 8000
Connection from host '127.0.0.1' and port 40140

I guess that this is normal behavior and that the fix is to regenerate the certificates.

brandon-rhodes commented 7 years ago

I am confused in the other direction: about why it works without error on Python 3.4, since "unknown ca" seems a very reasonable response from the client, which indeed has no way to recognize the CA as a valid one. To get the client to accept the server's certificate, you need to provide the CA as the client's base trusted authority. Try this and see how it behaves under Python 3.6 on your system:

$ python2.7 safe_tls.py -a ca.crt localhost 8000
Connected to host 'localhost' and port 8000
'Simple is better than complex.'

Let me know what it does, and good luck!
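The failure and the fix discussed above, reproduced end to end as an added example (this is not code from the fopnp repository or the book). The script shells out to the openssl command-line tool to build a throwaway CA and a CA-signed certificate for localhost, then runs the TLS handshake in-process over a socket pair so the error raised on each side can be captured: the client without a CA file (the issue's original run) fails with CERTIFICATE_VERIFY_FAILED and its alert shows up on the server as TLSV1_ALERT_UNKNOWN_CA, the client given the CA file (the -a ca.crt run) succeeds, and, going one step beyond the thread, a client that trusts the CA but connects under a name the certificate does not carry is rejected as well. The file names, the CA subject and the mismatching host name are assumptions made for the example.

```python
"""Reproduce the TLSV1_ALERT_UNKNOWN_CA failure and the -a ca.crt fix.

Added example, not code from the fopnp repository.  Certificates are
generated with the openssl CLI into a temporary directory; the handshake
runs over socket.socketpair() so no network access is needed.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

MESSAGE = b'Simple is better than complex.'   # what the book's server sends

# Minimal openssl config files (constructed for this example): a root CA
# and a CSR for 'localhost'.  The CA needs CA:TRUE or OpenSSL rejects it.
CA_CNF = """[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Example Test CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
"""
SERVER_CNF = """[req]
prompt = no
distinguished_name = dn
[dn]
CN = localhost
"""
# Extensions the CA applies when signing the server's CSR; the client
# matches the host name it was given against subjectAltName.
SERVER_EXT = "basicConstraints = CA:FALSE\nsubjectAltName = DNS:localhost\n"


def make_certs(directory):
    """Create ca.crt, localhost.crt (signed by the CA) and localhost.key in
    `directory` with the openssl CLI.  Returns the three paths."""
    for name, text in (('ca.cnf', CA_CNF), ('server.cnf', SERVER_CNF),
                       ('server_ext.cnf', SERVER_EXT)):
        with open(os.path.join(directory, name), 'w') as f:
            f.write(text)

    def run(*args):
        subprocess.run(('openssl',) + args, check=True,
                       capture_output=True, cwd=directory)

    run('req', '-x509', '-config', 'ca.cnf', '-newkey', 'rsa:2048', '-nodes',
        '-keyout', 'ca.key', '-out', 'ca.crt', '-days', '1')
    run('req', '-new', '-config', 'server.cnf', '-newkey', 'rsa:2048', '-nodes',
        '-keyout', 'localhost.key', '-out', 'localhost.csr')
    run('x509', '-req', '-in', 'localhost.csr', '-CA', 'ca.crt', '-CAkey', 'ca.key',
        '-CAcreateserial', '-days', '1', '-extfile', 'server_ext.cnf',
        '-out', 'localhost.crt')
    return tuple(os.path.join(directory, n)
                 for n in ('ca.crt', 'localhost.crt', 'localhost.key'))


def handshake(certfile, keyfile, cafile, server_hostname='localhost'):
    """One TLS handshake over an in-process socket pair.

    Returns {'server': ..., 'client': ..., 'data': ...}: 'ok' for a side whose
    handshake succeeded, otherwise the OpenSSL reason string of the SSLError
    raised there (the token the issue's traceback shows in square brackets).
    cafile=None corresponds to running the book's client without -a."""
    server_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    server_ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    # SERVER_AUTH enables CERT_REQUIRED plus host-name checking; with
    # cafile=None only the system trust store is loaded, which does not
    # contain our throwaway CA.
    client_ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)

    server_raw, client_raw = socket.socketpair()
    server_raw.settimeout(10)
    client_raw.settimeout(10)
    result = {'server': None, 'client': None, 'data': None}

    def serve():
        try:
            with server_ctx.wrap_socket(server_raw, server_side=True) as tls:
                tls.sendall(MESSAGE)
            result['server'] = 'ok'
        except OSError as exc:          # ssl.SSLError is a subclass of OSError
            result['server'] = getattr(exc, 'reason', type(exc).__name__)

    thread = threading.Thread(target=serve)
    thread.start()
    try:
        with client_ctx.wrap_socket(client_raw, server_hostname=server_hostname) as tls:
            result['data'] = tls.recv(len(MESSAGE))
        result['client'] = 'ok'
    except OSError as exc:
        result['client'] = getattr(exc, 'reason', type(exc).__name__)
    thread.join()
    return result


def demo():
    """The issue's two client invocations (without and with -a ca.crt) plus a
    host-name mismatch, all against the same CA-signed server certificate."""
    with tempfile.TemporaryDirectory() as d:
        ca, crt, key = make_certs(d)
        return {
            'without_ca': handshake(crt, key, cafile=None),
            'with_ca': handshake(crt, key, cafile=ca),
            'wrong_name': handshake(crt, key, cafile=ca,
                                    server_hostname='example.invalid'),
        }


if __name__ == '__main__':
    for case, r in demo().items():
        print(f"{case:11s} server={r['server']:24s} client={r['client']}")
```

The point worth taking from the output is which side reports what: the alert in the issue's server traceback is sent by the client, so the server's `TLSV1_ALERT_UNKNOWN_CA` is only the echo of the client's own `CERTIFICATE_VERIFY_FAILED`, and the fix belongs on the client (pass the CA with `-a`). The third case shows that trusting the CA is not sufficient on its own: the name the client connects under must also appear in the certificate.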

song-wei commented 7 years ago

[root@cacti geo_env]# /usr/local/python3/bin/python3.6 safe_tls.py -a ca.crt localhost 1060
Connected to host 'localhost' and port 1060
b'Simple is better than complex.'

brandon-rhodes commented 7 years ago

It worked — wonderful! Are there any further issues we should resolve before closing this issue, do you think?

song-wei commented 7 years ago

I'm ok with this chapter, you can close it. Thank you.