Issue 27003: Python 3.5.1 fails at HTTPSTest with SSL CERT error

I downloaded the source tar file for Python 3.5.1 and compiled. Upon running make test, it fails at

test_networked_good_cert (test_httplib.HTTPSTest) ... ERROR

Abbreviated Traceback looks like:

======================================================================
ERROR: test_networked_good_cert (test_httplib.HTTPSTest)

Traceback (most recent call last):
  File "/tmp/bennet/Python-3.5.1/Lib/test/test_httplib.py", line 1325, in test_networked_good_cert
    h.request('GET', '/')
. . . .
  File "/tmp/local/python-3.5.1/lib/python3.5/ssl.py", line 628, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

I have replicated this on CentOS 7, RHEL 6.5, and Ubuntu 16.04 Xenial with GCC versions 4.8.5, 4.8.5, and 5.3.1, respectively.

There was a previous bug reported about expired certificates that was closed. It appears that it's using CERT_localhost, defined at the top to be keycert.pem, and that appears to be valid:

[bennet@flux-build-centos7-dev test]$ openssl x509 -in keycert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15548457918976213582 (0xd7c7381919afc24e)
. . . .
        Validity
            Not Before: Oct 8 23:01:56 2010 GMT
            Not After : Oct 5 23:01:56 2020 GMT

I can replicate the test outside of make with the attached script.

I tried to be complete in reporting and searching for this first; I apologize if I missed an obvious solution.

Just for the sake of completeness, I tested outside of the test harness.

/sw/arcts/centos7/python-dev/3.5.1/bin/python3
[bennet@flux-build-centos7-dev test]$ python3
Python 3.5.1 (default, May 11 2016, 08:50:05)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-4)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import http.client
>>> conn = http.client.HTTPSConnection("www.python.org")
>>> conn.request("GET", "/")
>>> r1 = conn.getresponse()
>>> print(r1.status, r1.reason)
200 OK

I think that indicates that it can do certificate verification of some sort and might be an indication that the issue is not with the setup but with the test. There was some discussion of making the tests independent of connectivity in Issue25940.

There are a couple of expired certs in the test directory, but they may not be used; e.g.,

nokia.pem, Not After : Sep 20 23:59:59 2012 GMT
sha256.pem Not After : Feb 17 23:59:59 2014 GMT

I should have included this in the first submission. Sorry for any additional mail this may generate.
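
The validity-window check done by eye above with `openssl x509 -text`, as an added example (not part of the original report or of CPython's test suite): it parses the Not Before / Not After lines and classifies each certificate as of a reference time. The sample text is constructed from the dates quoted in this report, and the reference time assumes the build timestamp in the interpreter banner is UTC.

```python
import re
import ssl
from calendar import timegm

# Validity lines as printed by `openssl x509 -text`.
VALIDITY_RE = re.compile(
    r"Not (Before|After)\s*:\s*(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4} GMT)")

# Constructed sample input: only the dates quoted in this report.
SAMPLES = {
    "keycert.pem": "Not Before: Oct 8 23:01:56 2010 GMT\n"
                   "Not After : Oct 5 23:01:56 2020 GMT",
    "nokia.pem": "Not After : Sep 20 23:59:59 2012 GMT",
    "sha256.pem": "Not After : Feb 17 23:59:59 2014 GMT",
}

# Assumption: the banner's build time (May 11 2016, 08:50:05) taken as UTC.
BUILD_TIME = timegm((2016, 5, 11, 8, 50, 5))


def validity_window(openssl_text):
    """Map 'Before'/'After' to epoch seconds for each line that is present."""
    return {kind: ssl.cert_time_to_seconds(stamp)
            for kind, stamp in VALIDITY_RE.findall(openssl_text)}


def classify(openssl_text, now):
    """Classify a certificate's validity window relative to `now` (epoch)."""
    window = validity_window(openssl_text)
    if not window:
        return "no validity data"
    if "Before" in window and now < window["Before"]:
        return "not yet valid"
    if "After" in window and now > window["After"]:
        return "expired"
    return "valid"


def report(samples, now):
    return {name: classify(text, now) for name, text in samples.items()}


if __name__ == "__main__":
    for name, status in report(SAMPLES, BUILD_TIME).items():
        print(f"{name}: {status}")
```

This covers dates only: a certificate inside its validity window still fails verification if its issuer is not in the trust store the SSL context loaded.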