[Python-Dev] Proposal for better SSL errors (original) (raw)
Antoine Pitrou solipsis at pitrou.net
Sat May 26 21:28:51 CEST 2012
- Previous message: [Python-Dev] How to build a browser in Paython. cannot import webkit & object.
- Next message: [Python-Dev] Proposal for better SSL errors
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hello,
In http://bugs.python.org/issue14837 I have attached a proof-of-concept patch to improve the exceptions raised by the ssl module when OpenSSL signals an error. The current situation is quite dismal, since you get a sometimes cryptic error message with no viable opportunities for programmatic introspection:
ctx = ssl.SSLContext(ssl.PROTOCOLTLSv1) ctx.verifymode = ssl.CERTREQUIRED sock = socket.createconnection(("svn.python.org", 443)) sock = ctx.wrapsocket(sock) Traceback (most recent call last): [...] ssl.SSLError: [Errno 1] _ssl.c:420: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
SSLError instances only have a "errno" attribute which doesn't actually contain a meaningful value.
With the posted patch, the above error becomes:
ctx = ssl.SSLContext(ssl.PROTOCOLTLSv1) ctx.verifymode = ssl.CERTREQUIRED sock = socket.createconnection(("svn.python.org", 443)) sock = ctx.wrapsocket(sock) Traceback (most recent call last): [...] ssl.SSLError: [Errno 5] [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:494) [88296 refs]
Not only does the error string contain more valuable information (the mnemonics "SSL" and "CERTIFICATE_VERIFY_FAILED" indicate, respectively, in which subpart of OpenSSL and which precise error occurred), but they are also introspectable:
e = sys.lastvalue e.library 'SSL' e.reason 'CERTIFICATE_VERIFY_FAILED'
(these mnemonics correspond to OpenSSL's own #define'd numeric codes. I find it more Pythonic to expose the mnemonics than the numbers, though. Of course, the numbers <-> mnemnonics mappings can be separately exposed)
You'll note there is still a "Errno 5" in that error message; I don't really know what to do with it. Hard-wiring the errno attribute to something like None might break existing software, although that would be unlikely since the current errno value is quite meaningless and confusing (it has nothing to do with POSIX errnos).
To clarify a bit my request, I am asking for feedback on the principle more than on the implementation right now.
Regards
Antoine.
- Previous message: [Python-Dev] How to build a browser in Paython. cannot import webkit & object.
- Next message: [Python-Dev] Proposal for better SSL errors
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]