Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
559 views
in Technique[技术] by (71.8m points)

python - Troubleshooting "ssl certificate verify failed" error

On Windows Vista SP2 + Python 2.7.10 I can connect to https://www.python.org, but not to https://codereview.appspot.com

The script:

HOST1 = 'https://www.python.org'
HOST2 = 'https://codereview.appspot.com'

import urllib2
print HOST1
urllib2.urlopen(HOST1)
print HOST2
urllib2.urlopen(HOST2)

And the output:

E:\>py test.py
https://www.python.org
https://codereview.appspot.com
Traceback (most recent call last):
  File "test.py", line 9, in <module>
    urllib2.urlopen(HOST2)
  File "C:\Python27\lib\urllib2.py", line 158, in urlopen
    return opener.open(url, data, timeout)
  File "C:\Python27\lib\urllib2.py", line 435, in open
    response = self._open(req, data)
  File "C:\Python27\lib\urllib2.py", line 453, in _open
    '_open', req)
  File "C:\Python27\lib\urllib2.py", line 413, in _call_chain
    result = func(*args)
  File "C:\Python27\lib\urllib2.py", line 1244, in https_open
    context=self._context)
  File "C:\Python27\lib\urllib2.py", line 1201, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>

How can I troubleshoot what exactly is wrong with https://codereview.appspot.com/?


1 Reply

0 votes
by (71.8m points)

My guess is that it is related to the alternative chain handling in OpenSSL, as described in detail in "Python Urllib2 SSL error". Although Python uses the Windows CA store to get the trusted root certificates, the validation of the trust chain itself is done within OpenSSL.

According to "Python 2.7.10 Released", Python 2.7.10 on Windows includes OpenSSL 1.0.2a, but the fixes regarding alternative chains were done in 1.0.2b only (and had to be fixed fast afterwards because they contained a serious security bug).

If you look at the SSLLabs report for codereview.appspot.com, you can see that there are multiple trust chains, which probably causes the problem. Contrary to that, python.org only has a single trust chain.

To work around the problem it might be necessary to use your own root CA store which must contain the certificate for "/C=US/O=Equifax/OU=Equifax Secure Certificate Authority" to verify codereview.appspot.com correctly. The certificate can be found here and you can give it with the cafile parameter to urllib2.urlopen.
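
An added example, not part of the original answer and written for Python 3.7+ rather than the question's 2.7: it reports the linked OpenSSL version, flags the 1.0.2 and 1.0.2a builds the answer identifies as predating the alternative-chain fixes, and compares verification against the default store with verification against only a supplied CA file. The function names and the result dictionary layout are assumptions of this example.

```python
import socket
import ssl


def lacks_alt_chain_fix(info=ssl.OPENSSL_VERSION_INFO):
    """True for OpenSSL 1.0.2 / 1.0.2a, which per the answer predate 1.0.2b."""
    return tuple(info[:3]) == (1, 0, 2) and info[3] < 2


def probe(host, port=443, cafile=None, timeout=10):
    """Attempt one verified TLS handshake and report the stage that failed.

    cafile=None trusts the platform default store; a path trusts only the
    PEM certificates in that file (the workaround the answer proposes).
    """
    ctx = ssl.create_default_context(cafile=cafile)  # bad path raises here
    result = {"host": host, "trust": cafile or "system default",
              "openssl": ssl.OPENSSL_VERSION, "verified": False,
              "stage": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                result.update(verified=True, issuer=issuer)
    except ssl.SSLCertVerificationError as exc:
        # The CERTIFICATE_VERIFY_FAILED case shown in the question's traceback.
        result.update(stage="verify", error=exc.verify_message)
    except ssl.SSLError as exc:
        result.update(stage="handshake", error=str(exc))
    except OSError as exc:
        result.update(stage="connect", error=str(exc))
    return result


def compare(host, cafile, port=443):
    """Probe with the default store, then with only `cafile` trusted."""
    default, custom = probe(host, port), probe(host, port, cafile)
    if default["stage"] == "verify" and custom["verified"]:
        verdict = "default store fails to build a chain; cafile verifies"
    elif default["verified"]:
        verdict = "default store already verifies this host"
    else:
        verdict = "not explained by the choice of trust store alone"
    return {"default": default, "custom": custom, "verdict": verdict}


if __name__ == "__main__":
    print("OpenSSL predates 1.0.2b fixes:", lacks_alt_chain_fix())
    print(probe("codereview.appspot.com"))
```

A `verify` stage that disappears when `compare` is given a CA file containing the expected root points at chain building rather than at the server's certificate itself.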

