Closed c1ba350a-0bbf-47e4-861f-104c03de8d8f closed 4 years ago
I am running the following code in python3.6 to connect to a storage.
```
[root@controller wuwy]# python3
Python 3.6.8 (default, Jan 11 2019, 02:17:16)
[GCC 8.2.1 20180905 (Red Hat 8.2.1-3)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import pywbem
>>> ip = '193.168.11.113'
>>> user = '193_160_28_29'
>>> password = '193_160_28_29'
>>> url = 'https://193.168.11.113:5989'
>>> ca_certs = '/home/ca.cer'
>>> conn = pywbem.WBEMConnection(url,(user, password),default_namespace='root/example',ca_certs=ca_certs,no_verification=False)
>>> conn.EnumerateInstances('EXAMPLE_StorageProduct')
```
And I am getting the below error.
```
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_operations.py", line 1919, in EnumerateInstances
    **extra)
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_operations.py", line 1232, in _imethodcall
    conn_id=self.conn_id)
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_http.py", line 776, in wbem_request
    client.endheaders()
  File "/usr/lib64/python3.6/http/client.py", line 1234, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1026, in _send_output
    self.send(msg)
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_http.py", line 461, in send
    self.connect() # pylint: disable=no-member
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_http.py", line 619, in connect
    return self.sock.connect((self.host, self.port))
  File "/usr/lib64/python3.6/ssl.py", line 1064, in connect
    self._real_connect(addr, False)
  File "/usr/lib64/python3.6/ssl.py", line 1055, in _real_connect
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1032, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    raise ValueError("check_hostname needs server_hostname "
ValueError: check_hostname needs server_hostname argument
```
When I run the same code in python3.7, the error changes.
```
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/python3/lib/python3.7/site-packages/pywbem/_cim_operations.py", line 2494, in EnumerateInstances
    **extra)
  File "/usr/python3/lib/python3.7/site-packages/pywbem/_cim_operations.py", line 1763, in _imethodcall
    conn_id=self.conn_id)
  File "/usr/python3/lib/python3.7/site-packages/pywbem/_cim_http.py", line 824, in wbem_request
    client.endheaders()
  File "/usr/python3/lib/python3.7/http/client.py", line 1224, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/python3/lib/python3.7/http/client.py", line 1016, in _send_output
    self.send(msg)
  File "/usr/python3/lib/python3.7/site-packages/pywbem/_cim_http.py", line 483, in send
    self.connect() # pylint: disable=no-member
  File "/usr/python3/lib/python3.7/site-packages/pywbem/_cim_http.py", line 661, in connect
    conn_id=conn_id)
pywbem._exceptions.ConnectionError: SSL error <class 'ssl.SSLCertVerificationError'>: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '193.168.11.113'. (_ssl.c:1045); OpenSSL version: OpenSSL 1.1.1c FIPS 28 May 2019
```
This code works fine with python2.7 version.
And I checked the CN and SAN of the certificate; there seems to be no problem here.
So could anyone tell me what's the problem here?
Are you running Python 2.7 on RHEL 7? Python 2.7 on RHEL 7 does not verify certs by default, see https://access.redhat.com/articles/2039753
Could you please post the output of 'openssl x509 -text -in path/to/cert' for your certificate?
I am running Python on Centos7. See result in attached file.
Your certificate does not have a subject alternative name extension. CN hostname matching has been deprecated for like 15 years. OpenSSL may ignore the CN and require a proper SAN extension of type IP general name.
You are right. I used openssl.cnf when I created the CSR, and ignored it when I created the cer.
Now the code works fine with python3.7, but still cannot work in python3.6.
```
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_operations.py", line 1919, in EnumerateInstances
    **extra)
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_operations.py", line 1232, in _imethodcall
    conn_id=self.conn_id)
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_http.py", line 776, in wbem_request
    client.endheaders()
  File "/usr/lib64/python3.6/http/client.py", line 1234, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.6/http/client.py", line 1026, in _send_output
    self.send(msg)
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_http.py", line 461, in send
    self.connect() # pylint: disable=no-member
  File "/usr/local/lib/python3.6/site-packages/pywbem/cim_http.py", line 619, in connect
    return self.sock.connect((self.host, self.port))
  File "/usr/lib64/python3.6/ssl.py", line 1064, in connect
    self._real_connect(addr, False)
  File "/usr/lib64/python3.6/ssl.py", line 1055, in _real_connect
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1032, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    raise ValueError("check_hostname needs server_hostname "
ValueError: check_hostname needs server_hostname argument
```
Could you please check the attached file for me again?
It's a different issue on 3.6. According to the exception message you are not passing server_hostname to wrap_socket().
I tried to print "self.host", which would be passed to wrap_socket(). There seems to be no problem.
```
/usr/local/lib/python3.6/site-packages/pywbem/cim_http.py(616)connect()
-> try:
(Pdb) p self.host
'193.168.11.113'
(Pdb) n
/usr/local/lib/python3.6/site-packages/pywbem/cim_http.py(617)connect()
-> self.sock = ctx.wrap_socket(sock,
(Pdb)
/usr/local/lib/python3.6/site-packages/pywbem/cim_http.py(618)connect()
-> server_hostname=self.host)
(Pdb)
/usr/local/lib/python3.6/site-packages/pywbem/cim_http.py(619)connect()
-> return self.sock.connect((self.host, self.port))
(Pdb)
ValueError: check_hostname needs server_hostname argument
/usr/local/lib/python3.6/site-packages/pywbem/cim_http.py(619)connect()
-> return self.sock.connect((self.host, self.port))
```
I'm afraid I have to close this issue as OUT-OF-DATE. It's either a bug in pywbem or a 3.6-only bug. Python 3.6 is in security maintenance mode and no longer receives bug fixes.
I suggest that you take this issue to pywbem bug tracker and get assistance there.
OK. Thanks for your suggestion.
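Added example, not part of the original thread: a check for the certificate problem diagnosed above, where a server addressed by IP is matched only against subjectAltName entries of type "IP Address" and the CN is not consulted. The function name `diagnose_ip_target` is hypothetical, and the three certificates are constructed samples in the dict shape returned by `ssl.SSLSocket.getpeercert()`.

```python
import ipaddress

# Constructed samples shaped like the return value of SSLSocket.getpeercert().
CN_ONLY = {"subject": ((("commonName", "193.168.11.113"),),)}
DNS_SAN = {**CN_ONLY, "subjectAltName": (("DNS", "193.168.11.113"),)}
IP_SAN = {**CN_ONLY, "subjectAltName": (("IP Address", "193.168.11.113"),)}


def diagnose_ip_target(cert, target):
    """Explain whether `cert` can be verified for the IP address `target`.

    Hypothetical helper. It applies the rule from the thread: an IP target
    is compared only with SAN entries of type "IP Address"; the subject CN
    and DNS-type SAN entries do not count.
    """
    want = ipaddress.ip_address(target)  # ValueError if target is not an IP
    san = cert.get("subjectAltName", ())
    if not san:
        return "fail: no subjectAltName extension (CN is not consulted)"

    san_ips = []
    for kind, value in san:
        if kind != "IP Address":
            continue
        try:
            # Parsing normalizes notation, e.g. differing IPv6 spellings.
            san_ips.append(ipaddress.ip_address(value.strip()))
        except ValueError:
            continue  # skip malformed entries rather than abort the check

    if want in san_ips:
        return "ok: SAN contains IP Address " + str(want)
    if any(kind == "DNS" and value == target for kind, value in san):
        return "fail: address is present only as a DNS-type SAN entry"
    return "fail: SAN has no matching IP Address entry"


if __name__ == "__main__":
    for name, cert in (("CN only", CN_ONLY), ("DNS SAN", DNS_SAN), ("IP SAN", IP_SAN)):
        print(name, "->", diagnose_ip_target(cert, "193.168.11.113"))
```

On a live connection the same function can be fed the result of `getpeercert()`, which is populated only when the handshake verified the certificate.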
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
GitHub fields:
```python
assignee = 'https://github.com/tiran'
closed_at =
created_at =
labels = ['expert-SSL', 'type-bug']
title = 'SSL Certificate verify failed in Python3.6/3.7'
updated_at =
user = 'https://bugs.python.org/Chirs'
```
bugs.python.org fields:
```python
activity =
actor = 'Chirs'
assignee = 'christian.heimes'
closed = True
closed_date =
closer = 'christian.heimes'
components = ['SSL']
creation =
creator = 'Chirs'
dependencies = []
files = ['49305', '49306', '49307']
hgrepos = []
issue_num = 41239
keywords = []
message_count = 9.0
messages = ['373286', '373290', '373292', '373294', '373301', '373302', '373304', '373308', '373366']
nosy_count = 2.0
nosy_names = ['christian.heimes', 'Chirs']
pr_nums = []
priority = 'normal'
resolution = 'out of date'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue41239'
versions = ['Python 3.6']
```