[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for ‘***.com’. (_ssl.c:1108)

python 3.8.2
imapclient 2.2.0

This is happening on Docker alpine:3.11 (both running on MacOS Catalina 10.15.5, and on Ubuntu 20.04). When running the following code, just trying to instantiate the client, an exception raises (can’t reveal the server name for business purposes):

Code:

import imapclient as ic
import ssl
kwargs = {'port': 993, 'use_uid': True, 'ssl': True, 'timeout': ic.SocketTimeout(connect=15, read=60)}
c = ic.IMAPClient('***.com', **kwargs)

Output:

>>> c = ic.IMAPClient('***.com', **kwargs)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/.../.local/share/virtualenvs/myenv-dHcvPec6/lib/python3.8/site-packages/imapclient/imapclient.py", line 284, in __init__
    self._imap = self._create_IMAP4()
  File "/Users/.../.local/share/virtualenvs/myenv-dHcvPec6/lib/python3.8/site-packages/imapclient/imapclient.py", line 321, in _create_IMAP4
    return tls.IMAP4_TLS(
  File "/Users/.../.local/share/virtualenvs/myenv-dHcvPec6/lib/python3.8/site-packages/imapclient/tls.py", line 44, in __init__
    imaplib.IMAP4.__init__(self, host, port)
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/imaplib.py", line 198, in __init__
    self.open(host, port)
  File "/Users/.../.local/share/virtualenvs/myenv-dHcvPec6/lib/python3.8/site-packages/imapclient/tls.py", line 52, in open
    self.sock = wrap_socket(sock, self.ssl_context, host)
  File "/Users/.../.local/share/virtualenvs/myenv-dHcvPec6/lib/python3.8/site-packages/imapclient/tls.py", line 32, in wrap_socket
    return ssl_context.wrap_socket(sock, server_hostname=host)
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for '***.com'. (_ssl.c:1108)

However,

When creating the object with imaplib.IMAP4_SLL, it works

>>> c = IMAP4_SSL(host='***.com', port=993)
>>> c
<imaplib.IMAP4_SSL object at 0x7fd40d2074c0>

When checking with openssl from command line (following this), it also works:


> openssl s_client -showcerts -connect ***.com:993 -servername ***.com
[...]
---
Server certificate
subject=/CN=*.setssl.com
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL RSA CA 2018
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3465 bytes and written 349 bytes
---
[...]
---

OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=CRAM-MD5] IMAP ready.

After some research… I have discovered that creating the object with a custom SSLContext solves the problem:

import imapclient as ic
import ssl
kwargs = {'port': 993, 'use_uid': True, 'ssl': True, 'timeout': ic.SocketTimeout(connect=15, read=60)}
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
c = ic.IMAPClient('***.com', ssl_context=ctx, **kwargs)

This might be because the SSLContext that uses imapclient by default has an attribute context.check_hostname = True which seems to be the one causing the exception. I wouldn’t like to unset that, it looks safer to keep it that way and the checking should work anyways.

Any hint?

Thank you

mjs / imapclient

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for ‘***.com’. (_ssl.c:1108) #470