Thanks Jeffrey,

 

The example code was the result of some testing I was doing – the PyPI system 
URL (commented out) is where I am seeing this behavior.

 

This behavior is observed from a packaged application using PyInstaller to 
generate the final executable that is installed on the consumer's system.

 

Thanks.

 

Thanks,

 

Dick Brooks

   

Active Member of the CISA Critical Manufacturing Sector, 

Sector Coordinating Council – A Public-Private Partnership

 

 <https://reliableenergyanalytics.com/products> Never trust software, always 
verify and report! ™

Risk always exists, but trust must be earned and awarded.™ 

https://businesscyberguardian.com/ 

Email: d...@businesscyberguardian.com

Tel: +1 978-696-1788

 

 

From: Jeffrey Walton <noloa...@gmail.com> 
Sent: Saturday, December 28, 2024 8:49 AM
To: d...@businesscyberguardian.com; curl-users - the curl tool 
<curl-users@lists.haxx.se>
Subject: Re: Strange behavior processing SSL certs between a Windows 11 system 
running Python 3.13.1 and a Windows 10 system running Python 3.8.5

 

 

 

On Sat, Dec 28, 2024 at 8:34 AM Dick Brooks via curl-users 
<curl-users@lists.haxx.se> wrote:

[...]

I’ve encountered some unexpected behavior between two systems using the exact 
same piece of code – any ideas why this might be happening:

 

FROM ROADWARRIOR (Win 11) (shows the signing certificate info)

 

----> ServerURL :  https://pypi.org/project/sag-reader/1.0.4/#files

----> Subject :  CN=GlobalSign Atlas R3 DV TLS CA 2024 Q2

----> Issuer :  CN=GlobalSign

----> SourceCertificateComplete :  [(('Subject', 'C=BE, O=GlobalSign nv-sa, 
CN=GlobalSign Atlas R3 DV TLS CA 2024 Q2'), ('Issuer', 'OU=GlobalSign Root CA - 
R3, O=GlobalSign, CN=GlobalSign'), ('Version', '2'), ('Serial Number', 
'00:80:4e:00:3a:27:2b:c5:18:e3:4d:a4:b1:fc:9b:78:33:'), ('Signature Algorithm', 
'sha256WithRSAEncryption'), ('Start Date', '2024-01-17 03:24:32 GMT'), ('Expire 
Date', '2026-01-17 00:00:00 GMT')

 

 

FROM WARP9 (Win 10) (shows the issued SSL Certificate subject info – the leaf 
node)

 

----> ServerURL :  https://pypi.org/project/sag-reader/1.0.4/#files

----> Subject :  CN=pypi.org

----> Issuer :  CN=GlobalSign Atlas R3 DV TLS CA 2024 Q2

----> SourceCertificateComplete :  [(('Subject', 'CN=pypi.org'), ('Issuer', 
'C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2024 
Q2'), ('Version', '2'), ('Serial Number', 
'01:06:a3:43:b1:24:03:82:30:1a:c9:27:d9:3f:23:4b:'), ('Signature Algorithm', 
'sha256WithRSAEncryption'), ('Start Date', '2024-04-23 04:22:05 GMT'), ('Expire 
Date', '2025-05-25 04:22:04 GMT')

 

NOTE: I receive the same results on both machines when I run the code 
interactively (the win 10 results):

 

import pycurl, certifi

curl = pycurl.Curl()
# Verify the peer against the certifi CA bundle and check the host name
curl.setopt(pycurl.CAINFO, certifi.where())
curl.setopt(pycurl.SSL_VERIFYPEER, 1)
curl.setopt(pycurl.SSL_VERIFYHOST, 2)
# Ask libcurl to collect the certificate chain; NOBODY skips the response body
curl.setopt(pycurl.OPT_CERTINFO, 1)
curl.setopt(pycurl.NOBODY, 1)
#ServerURL = "https://pypi.org/project/sag-reader/"
ServerURL = "https://softwareassuranceguardian.com/SAG_CTR"
curl.setopt(pycurl.URL, ServerURL)  # https://pypi.org/project/sag-reader/
buffer = curl.perform_rb()
ServerCert = curl.getinfo(pycurl.INFO_CERTINFO)
# Index 0 is whichever certificate is listed first in the returned chain
certinfo = ServerCert[0]
print(certinfo)
certinfo_dict = dict()
for entry in certinfo:
    certinfo_dict[entry[0]] = entry[1]
    print(certinfo_dict[entry[0]])

# Parse the Subject once, after every field has been collected
for item in certinfo_dict['Subject'].split(", "):
    Cert_Subject = item
    print("ITEM: ", item)
    if item.find("=") != -1:
        fieldname = item.split("=")[0].strip()
        # Split on the first "=" only so values containing "=" stay intact
        fieldvalue = item.split("=", 1)[1]
        if fieldname == "CN":
            CN_Name = fieldvalue
            print("CN= ", CN_Name)

 

It is not clear (to me) what your complaint is. You did not state it other than 
to say you experienced unexpected behavior.

 

To state the obvious: the dumps you are showing are for the host at pypi.org. 
The code you are showing is hardcoded for the host 
softwareassuranceguardian.com.

 

You can use OpenSSL to dump the web server's certificate. Maybe that will give 
you a good baseline.

 

$ openssl s_client -connect softwareassuranceguardian.com:443 -servername softwareassuranceguardian.com | openssl x509 -text -noout
Connecting to 18.220.83.76
depth=0 CN=softwareassuranceguardian.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN=softwareassuranceguardian.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN=softwareassuranceguardian.com
verify return:1
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4721225938421497953 (0x418529fa13f94061)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
        Validity
            Not Before: Apr 25 07:09:28 2024 GMT
            Not After : Apr 23 11:58:54 2025 GMT
        Subject: CN=softwareassuranceguardian.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://crl.godaddy.com/gdig2s1-20551.crl
            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.114413.1.7.23.1
                  CPS: http://certificates.godaddy.com/repository/
                Policy: 2.23.140.1.2.1
            Authority Information Access: 
                OCSP - URI:http://ocsp.godaddy.com/
                CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt
            X509v3 Authority Key Identifier: 
                40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
            X509v3 Subject Alternative Name: 
                DNS:softwareassuranceguardian.com, DNS:www.softwareassuranceguardian.com
            X509v3 Subject Key Identifier: 
                5F:9D:0A:95:E9:34:3A:90:CA:D5:70:40:1C:4F:86:FE:6A:C4:A7:7A
            CT Precertificate SCTs: 
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:

 

Jeff

-- 
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
Etiquette:   https://curl.se/mail/etiquette.html
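
The two dumps in this thread differ in which certificate of the chain ends up at index 0 of the INFO_CERTINFO result. The following is an added example, not code from either poster: it picks the leaf certificate by its place in the issuer chain instead of by list position. The helper names (to_dict, parse_dn, find_leaf) are hypothetical, the sample chain is constructed from the Subject and Issuer values shown in the dumps, and the CN comparison is only a reporting sanity check, not a replacement for libcurl's own host verification.

```python
# Added example: select the leaf certificate from a CERTINFO-style chain
# (a list of certificates, each a sequence of (field, value) pairs)
# without assuming it sits at index 0.

def to_dict(cert):
    """Turn one certificate's (field, value) pairs into a dict."""
    return {field: value for field, value in cert}

def parse_dn(dn):
    """Split 'C=BE, O=..., CN=...' into a dict, splitting on the first '=' only."""
    parts = {}
    for item in dn.split(", "):
        name, sep, value = item.partition("=")
        if sep:
            parts[name.strip()] = value.strip()
    return parts

def find_leaf(chain, hostname):
    """Return the certificate that issued no other certificate in the chain
    and whose CN equals hostname; return None when no such certificate exists."""
    certs = [to_dict(c) for c in chain]
    candidates = [
        c for i, c in enumerate(certs)
        if not any(o.get("Issuer") == c.get("Subject")
                   for j, o in enumerate(certs) if j != i)
    ]
    if len(candidates) != 1:
        return None  # ambiguous or empty chain: report nothing
    leaf = candidates[0]
    # A chain holding only CA certificates must not be reported as the server's
    if parse_dn(leaf.get("Subject", "")).get("CN") != hostname:
        return None
    return leaf

# Constructed sample data, using the Subject/Issuer strings from the dumps above
LEAF = [("Subject", "CN=pypi.org"),
        ("Issuer", "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2024 Q2")]
INTERMEDIATE = [("Subject", "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2024 Q2"),
                ("Issuer", "OU=GlobalSign Root CA - R3, O=GlobalSign, CN=GlobalSign")]

if __name__ == "__main__":
    for chain in ([LEAF, INTERMEDIATE], [INTERMEDIATE, LEAF], [INTERMEDIATE]):
        print(find_leaf(chain, "pypi.org"))
```
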
