Issue 37079: PEM cadata causes ssl.SSLError: nested asn1 error (original) (raw)

Issue37079

Created on 2019-05-28 14:25 by Jizhou Yang, last changed 2022-04-11 14:59 by admin. This issue is now closed.

Messages (3)
msg343785 - (view)	Author: Jizhou Yang (Jizhou Yang)	Date: 2019-05-28 14:36
Loading cadata in PEM format results in a nested asn1 error. Workaround is to convert cadata to unicode. Minimum code for reproducing the issue: >>>import ssl >>> with open('ca.crt') as f: ... ca_crt = f.read() ... >>> c = ssl.create_default_context() >>> c.load_verify_locations(cadata=ca_crt) Traceback (most recent call last): File "", line 1, in ssl.SSLError: nested asn1 error (_ssl.c:2902) With workaround to make it work: >>>import ssl >>> with open('ca.crt') as f: ... ca_crt = f.read() ... >>> c = ssl.create_default_context() >>> c.load_verify_locations(cadata=unicode(ca_crt)) The issue is annoying as the documentation explicitly states cadata to be "either an ASCII string of one or more PEM-encoded certificates...". Furthermore the unicode function is not present in Python 3.x, making the workaround version-dependent.
msg343787 - (view)	Author: Christian Heimes (christian.heimes) *	Date: 2019-05-28 15:04
The documentation refers to ASCII string as Python 3-style ASCII text object. In Python 2, that's the unicode data type. The feature was backported from Python 3. I guess the documentation was directly taken from Python 3's documentation and not updated to reflect Python 2's quirky str type. You can use the io module to get the proper text type on Python 2 and 3. import io with io.open('ca.crt') as f: ca_crt = f.read()
msg343812 - (view)	Author: Jizhou Yang (Jizhou Yang)	Date: 2019-05-28 18:14
Thanks a lot for the quick answer! Verified that the proposed solution works with PEM certificates in both Python 2 and 3.