ID 334283 - Katana fails to verify X509 certificates


Problem summary:

Katana fails to verify X509 certificates. Calls to urllib.urlopen() (and similar) fail with an exception when contacting an HTTPS server.

Steps to reproduce:

In the Python tab, run the following:


import urllib
urllib.urlopen("https://www.google.com")

Expected behaviour:

The call succeeds.

Actual behaviour:


  File "/opt/Foundry/Katana3.0v1.001565a/bin/python2.7/lib/python2.7/urllib.py", line 87, in urlopen
    return opener.open(url)
  File "/opt/Foundry/Katana3.0v1.001565a/bin/python2.7/lib/python2.7/urllib.py", line 213, in open
    return getattr(self, name)(url)
  File "/opt/Foundry/Katana3.0v1.001565a/bin/python2.7/lib/python2.7/urllib.py", line 443, in open_https
    h.endheaders(data)
  File "/opt/Foundry/Katana3.0v1.001565a/bin/python2.7/lib/python2.7/httplib.py", line 1038, in endheaders
    self._send_output(message_body)
  File "/opt/Foundry/Katana3.0v1.001565a/bin/python2.7/lib/python2.7/httplib.py", line 882, in _send_output
    self.send(msg)
  File "/opt/Foundry/Katana3.0v1.001565a/bin/python2.7/lib/python2.7/httplib.py", line 844, in send
    self.connect()
  File "/opt/Foundry/Katana3.0v1.001565a/bin/python2.7/lib/python2.7/httplib.py", line 1263, in connect
    server_hostname=server_hostname)
  File "/opt/Foundry/Katana3.0v1.001565a/bin/python2.7/lib/python2.7/ssl.py", line 363, in wrap_socket
    _context=self)
  File "/opt/Foundry/Katana3.0v1.001565a/bin/python2.7/lib/python2.7/ssl.py", line 611, in __init__
    self.do_handshake()
  File "/opt/Foundry/Katana3.0v1.001565a/bin/python2.7/lib/python2.7/ssl.py", line 840, in do_handshake
    self._sslobj.do_handshake()
IOError: [Errno socket error] [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)

Workaround:

Set the SSL_CERT_FILE environment variable as follows:


SSL_CERT_FILE=$KATANA_ROOT/bin/python2.7/bin/cacert.pem
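
To confirm that the workaround took effect while keeping PEP 476 verification enabled, the following added example (not Foundry's code; the function names `ca_lookup_report` and `verified_context` are hypothetical) reports which CA file and directory the embedded interpreter's ssl module will consult and whether they exist:

```python
import os
import ssl


def ca_lookup_report(environ=None):
    """Describe where the ssl module looks for trusted CA certificates."""
    environ = os.environ if environ is None else environ
    paths = ssl.get_default_verify_paths()
    # OpenSSL's compiled-in defaults apply unless the environment overrides them.
    cafile = environ.get(paths.openssl_cafile_env, paths.openssl_cafile)
    capath = environ.get(paths.openssl_capath_env, paths.openssl_capath)
    return {
        "cafile_env": paths.openssl_cafile_env,
        "capath_env": paths.openssl_capath_env,
        "overridden": paths.openssl_cafile_env in environ,
        "cafile": cafile,
        "cafile_ok": bool(cafile) and os.path.isfile(cafile),
        "capath": capath,
        "capath_ok": bool(capath) and os.path.isdir(capath),
    }


def verified_context(report):
    """Return a context with certificate and hostname checks left on."""
    if not (report["cafile_ok"] or report["capath_ok"]):
        raise RuntimeError(
            "no CA bundle at %r or %r; point %s at a valid cacert.pem"
            % (report["cafile"], report["capath"], report["cafile_env"]))
    return ssl.create_default_context(
        cafile=report["cafile"] if report["cafile_ok"] else None,
        capath=report["capath"] if report["capath_ok"] else None)


if __name__ == "__main__":
    report = ca_lookup_report()
    for key in sorted(report):
        print("%-10s %s" % (key, report[key]))
    try:
        ctx = verified_context(report)
        print("verify_mode required: %s" % (ctx.verify_mode == ssl.CERT_REQUIRED))
    except RuntimeError as exc:
        print("CERTIFICATE_VERIFY_FAILED is expected: %s" % exc)
```

If `cafile_ok` and `capath_ok` are both false, the interpreter has no trust anchors and every HTTPS handshake will fail verification until the environment variable points at an existing bundle.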

Reproduced versions/platforms:

Reproduced in 3.0v1.001665a. Probably valid for all 3.0dev builds since we upgraded to a newer Python that implements PEP 476.
