rietveld-codereview / rietveld

Code Review, hosted on Google App Engine
https://codereview.appspot.com
Apache License 2.0

upload.py: certificate verify failed #531

Closed techtonik closed 8 years ago

techtonik commented 8 years ago

I can't upload review to https://codereview.chromium.org. What's wrong with this certificate stuff? It is Python 2.7.10

>python upload.py -s https://codereview.chromium.org -t "Don't fail hash validation"
The following files are not added to version control:
upload.py
Are you sure to continue?(y/N) y
Upload server: https://codereview.chromium.org (change with -s/--server)
Email (login for uploading to https://codereview.chromium.org) [techtonik@gmail.com]:
Password for techtonik@gmail.com:
Traceback (most recent call last):
  File "upload.py", line 2719, in <module>
    main()
  File "upload.py", line 2711, in main
    RealMain(sys.argv)
  File "upload.py", line 2667, in RealMain
    response_body = rpc_server.Send("/upload", body, content_type=ctype)
  File "upload.py", line 446, in Send
    self._Authenticate()
  File "upload.py", line 501, in _Authenticate
    super(HttpRpcServer, self)._Authenticate()
  File "upload.py", line 381, in _Authenticate
    auth_token = self._GetAuthToken(credentials[0], credentials[1])
  File "upload.py", line 325, in _GetAuthToken
    response = self.opener.open(req)
  File "C:\Python27\lib\urllib2.py", line 431, in open
    response = self._open(req, data)
  File "C:\Python27\lib\urllib2.py", line 449, in _open
    '_open', req)
  File "C:\Python27\lib\urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "C:\Python27\lib\urllib2.py", line 1240, in https_open
    context=self._context)
  File "C:\Python27\lib\urllib2.py", line 1197, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>

techtonik commented 8 years ago

Testcase:

import urllib2
urllib2.urlopen('https://codereview.appspot.com')

phistuck commented 8 years ago

Works for me. Are you behind a corporate firewall?

techtonik commented 8 years ago

@phistuck no, Vista SP2.

techtonik commented 8 years ago

urllib2.urlopen('https://www.python.org') works ok.

techtonik commented 8 years ago

Posted a question to StackOverflow - https://stackoverflow.com/questions/33140382/troubleshooting-ssl-certificate-verify-failed-error

andialbrecht commented 8 years ago

As already mentioned on the mailing list, connecting to codereview.appspot.com works for me too:

$ python
Python 2.7.10 (default, Sep  8 2015, 17:20:17) 
[GCC 5.1.1 20150618 (Red Hat 5.1.1-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import urllib2
>>> resp = urllib2.urlopen("https://codereview.appspot.com")
>>> print(resp.code)
200
>>> 

andialbrecht commented 8 years ago

Closing this issue. The SO thread has some answers on this topic. In short, the OS on the client side needs to support this. Nothing we can do here.

techtonik commented 8 years ago

@andialbrecht upload.py is not functional on Windows. Why are you closing this ticket? We need to find a solution.

techtonik commented 8 years ago

If we don't find the solution, I think it is right to close the ticket when/if Python 2.7.11 is out or its OpenSSL update.

techtonik commented 8 years ago

The short term solution may be in shipping codereview.appspot.com certificate with upload.py, even though it is flaky.

phistuck commented 8 years ago

@techtonik - it is functional on Windows, it is not functional on your Windows. I am not sure anyone works with Windows Vista on Chrome, though, which is why this may not be maintained as well as more popular versions.

techtonik commented 8 years ago

@phistuck are you sure you have Windows + Python 2.7.10 + _ssl.pyd OpenSSL 1.0.2a ? If yes, then I may look further.

andialbrecht commented 8 years ago

IMO that's something that needs to be fixed in Python (or maybe even on the client since Python 2.7.10 and Win7 works).

I don't think it's a good idea to maintain certificates here in this repo. They go out-of-sync sooner or later and may introduce security risks. What I could think of is adding some kind of "--cert" flag where it's upon the user to use this flag and provide certificates on his own.
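
An added example, not code from upload.py or from anyone in this thread: a Python 3 sketch of the `--cert` idea above, where the user supplies a CA bundle and verification stays on, plus a report of the client-side facts (OpenSSL build, default trust-store paths) that decide whether verification can succeed. The function names are hypothetical, and it uses `urllib.request` rather than the `urllib2` of Python 2.7.

```python
# Added example (Python 3). --cert is the flag proposed in the thread, not an upload.py option.
import argparse
import ssl
import sys
import urllib.error
import urllib.request

def build_context(cafile=None):
    """Verifying TLS context. With cafile, only that PEM bundle is trusted."""
    # The OS/OpenSSL default store is loaded only when no cafile is given;
    # CERT_REQUIRED and hostname checking are enabled in both cases.
    return ssl.create_default_context(cafile=cafile)

def trust_report(ctx):
    """Client-side facts worth attaching to a CERTIFICATE_VERIFY_FAILED report."""
    paths = ssl.get_default_verify_paths()
    return {
        "python": sys.version.split()[0],
        "openssl": ssl.OPENSSL_VERSION,
        "default_cafile": paths.cafile,
        "default_capath": paths.capath,
        # Counts certificates already in memory; capath directories are read
        # lazily, so 0 here does not prove the trust store is empty.
        "loaded_ca_certs": ctx.cert_store_stats()["x509_ca"],
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }

def fetch_status(url, ctx):
    """Open url with ctx; return the HTTP status or the verification error."""
    opener = urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))
    try:
        return opener.open(url, timeout=10).status
    except urllib.error.URLError as err:
        return "failed: %s" % err.reason

def parse_args(argv):
    p = argparse.ArgumentParser()
    p.add_argument("-s", "--server", help="URL to test, e.g. the review server")
    p.add_argument("--cert", metavar="PEM", help="CA bundle supplied by the user")
    return p.parse_args(argv)

if __name__ == "__main__":
    args = parse_args(sys.argv[1:])
    ctx = build_context(args.cert)
    for key, value in trust_report(ctx).items():
        print("%-16s %s" % (key, value))
    if args.server:
        print("%-16s %s" % ("result", fetch_status(args.server, ctx)))
```

Run without `-s` it only prints the local report and makes no network connection; a missing or unreadable `--cert` file raises instead of falling back to an unverified connection.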

techtonik commented 8 years ago

@andialbrecht the upload.py script downloaded from https://codereview.appspot.com may include its own certificate embedded.