Open yrro opened 3 weeks ago
I just realised that the problem is not with `cryptography`, but rather it's a problem within `sslyze` itself. Looking at the innermost part of the traceback:

```
  File "/home/sam/.local/share/uv/tools/sslyze/lib64/python3.12/site-packages/sslyze/plugins/certificate_info/trust_stores/trust_store.py", line 55, in __init__
    self._x509_store = Store(load_pem_x509_certificates(self.path.read_text().encode("ascii")))
                                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
UnicodeEncodeError: 'ascii' codec can't encode character '\u0151' in position 138456: ordinal not in range(128)
```

`self.path` is a `pathlib.Path`. sslyze is opening the CA bundle and turning it into `bytes` by encoding it to `ascii`, which rejects any characters that can't be represented by `ascii`.
If `sslyze` would call `self.path.read_bytes()` instead then it will avoid needing to encode to bytes via any codec, and no exception will be thrown (and the process of loading the trust store will be a tiny bit faster as well).
Arguably CA bundle files shouldn't include non-ascii bytes. I've reported this against Fedora's `ca-certificates` package here.
Fedora's `ca-certificates` maintainer thinks it's reasonable for this file to contain UTF-8 these days and I don't disagree.
The change in the linked pull request resolves the problem for me.
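The failure and the byte-level alternative discussed in this thread, as an added example that is not sslyze's code or the linked pull request. The sample bundle, its label and payload, and all function names are constructed for illustration, and the PEM extraction uses a standard-library regex rather than `cryptography`.

```python
import base64
import re
import tempfile
from pathlib import Path

# Constructed bundle: a UTF-8 comment containing U+0151 (the character named
# in the traceback), then a PEM block whose payload is placeholder bytes,
# not a real certificate.
SAMPLE_BUNDLE = (
    "# Constructed CA label: F\u0151tan\u00fas\u00edtv\u00e1ny\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"placeholder DER bytes").decode("ascii") + "\n"
    "-----END CERTIFICATE-----\n"
).encode("utf-8")
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def load_via_text(path: Path) -> bytes:
    """Pattern from the traceback: decode to str, then re-encode as ASCII.
    The encoding is pinned to UTF-8 here so the result is locale-independent."""
    return path.read_text(encoding="utf-8").encode("ascii")

def load_via_bytes(path: Path) -> bytes:
    """Approach proposed in the issue: no codec is involved."""
    return path.read_bytes()

def non_ascii_offsets(data: bytes) -> list[int]:
    """Byte offsets of every non-ASCII byte, to locate labels like the one above."""
    return [i for i, b in enumerate(data) if b > 0x7F]

def pem_payloads(data: bytes) -> list[bytes]:
    """Base64-decode each PEM block; text outside the markers is ignored."""
    return [base64.b64decode(m.group(1)) for m in PEM_BLOCK.finditer(data)]

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "ca-bundle.crt"
        path.write_bytes(SAMPLE_BUNDLE)
        try:
            load_via_text(path)
            text_error_at = None
        except UnicodeEncodeError as exc:
            text_error_at = exc.start  # character index reported by the codec
        raw = load_via_bytes(path)
    return {"text_error_at": text_error_at,
            "first_non_ascii": non_ascii_offsets(raw)[0],
            "payloads": pem_payloads(raw)}

if __name__ == "__main__":
    print(demo())
```

The position in a `UnicodeEncodeError` is a character index; it equals the byte offset in the file only for the first non-ASCII character, which is why the two numbers quoted in the issue agree.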
Describe the bug
UnicodeError is thrown when sslyze parses my system's CA certificate authority list.
Here are the problematic bytes in `ca-bundle.crt`. They are in the file because their CA's DN has non-ascii characters in it, and the UTF-8 encoding is tripping up `cryptography`. (sslyze currently requires cryptography <43,>42 so maybe this is fixed in a later cryptography version, I will check this later and update.)
You'll see the offset `0x21cd8` being mentioned in the exception below (in decimal, as `138456`).
To Reproduce
Steps to reproduce the behavior:
uv
uvx sslyze --certinfo_ca_file=/etc/pki/tls/certs/ca-bundle.crt --certinfo token.actions.githubusercontent.com
Expected behavior
No exception
Python environment (please complete the following information):