On 18/10/2017 22:37, Gregory Szorc wrote:
> The latter merely requires an up-to-date trusted CA
> certificate roots bundle for x509 certificate verification (assuming the
> client does certificate validation properly - which older versions of
> Python don't unless configured to do so - Python's default security story
> was a mess until relatively recently).

On Windows builders for Servo’s buildbot CI we have Python v2.7.12:d33e0cf91556 with ssl.HAS_SNI == True. Connecting to https://static-rust-lang-org.s3.amazonaws.com/ works fine, but connecting to https://static.rust-lang.org/ (a CloudFront hostname) causes:

URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>

On https://www.ssllabs.com/ssltest/analyze.html?d=static.rust-lang.org&s=54.192.142.81&latest (picking the first IP address listed), everything in "certification path" is either "sent by server" or "in trust store".

Gregory, do you have an idea what could be wrong here?

--
Simon Sapin