Thanks! That's probably fine for now -- it means the standard library doesn't know where the root certificates are. We had a huge discussion about this over on python-tulip: https://groups.google.com/forum/#!topic/python-tulip/c_lqdFjPEbE
TL;DR: The stdlib openssl wrapper ought to know where each platform stores its root certificates and automatically use them, but it currently doesn't always. Users who really don't care but still want to use SSL must create an SSL context with verify_mode set to ssl.CERT_NONE (and live with the risk, obviously). This stuff passes on OS X only because there's a system openssl library that always uses the system root certificates. If anyone can help fixing the ssl.py module (or the _ssl extension) so that sslcontext.set_default_verify_paths() uses the system root certs on Windows that would be a huge help. (I have tried this on an Ubuntu box too, and there it actually works.)

On Fri, Oct 18, 2013 at 3:42 PM, Richard Oudkerk <shibt...@gmail.com> wrote:

> On 18/10/2013 10:37pm, Guido van Rossum wrote:
>
>> Good sleuthing! Does the attached patch fix it?
>>
>> (Off-topic: the code is pretty inconsistent about catching
>> BaseException. Maybe it shouldn't be caught at all?)
>>
>
> It fixes it in the sense of printing a sensible traceback;-)
>
> $ PYTHONPATH='c:/Repos/tulip' /c/Repos/cpython-33/PCbuild/python fetch3.py http://dropbox.com -v
> * Connecting to dropbox.com:80 using tcp
> * dropbox.com resolves to 108.160.165.62, 108.160.166.62, 199.47.216.179, 199.47.217.179
> * New connection ('108.160.165.62', 80, False)
> * Connected to ('108.160.165.62', 80)
> > GET / HTTP/1.1
> > Host: dropbox.com
> >
> < HTTP/1.1 301 Moved Permanently
> < Server: nginx
> < Date: Fri, 18 Oct 2013 22:40:13 GMT
> < Content-Type: text/html
> < Content-Length: 178
> < Connection: keep-alive
> < Location: https://dropbox.com/
> <
> redirect to https://dropbox.com/
> * Connecting to dropbox.com:443 using ssl
> * dropbox.com resolves to 108.160.165.62, 108.160.166.62, 199.47.216.179, 199.47.217.179
>
> Traceback (most recent call last):
>   File "fetch3.py", line 211, in <module>
>     main()
>   File "fetch3.py", line 206, in main
>     body = loop.run_until_complete(fetch(sys.argv[1], '-v' in sys.argv))
>   File "c:\Repos\tulip\asyncio\base_events.py", line 177, in run_until_complete
>     return future.result()
>   File "c:\Repos\tulip\asyncio\futures.py", line 221, in result
>     raise self._exception
>   File "c:\Repos\tulip\asyncio\tasks.py", line 257, in _step
>     result = coro.throw(exc)
>   File "fetch3.py", line 192, in fetch
>     yield from request.connect(pool)
>   File "fetch3.py", line 80, in connect
>     ssl=self.ssl)
>   File "fetch3.py", line 36, in open_connection
>     reader, writer = yield from open_connection(host, port, ssl=ssl)
>   File "c:\Repos\tulip\asyncio\streams.py", line 41, in open_connection
>     lambda: protocol, host, port, **kwds)
>   File "c:\Repos\tulip\asyncio\base_events.py", line 356, in create_connection
>     yield from waiter
>   File "c:\Repos\tulip\asyncio\futures.py", line 318, in __iter__
>     yield self  # This tells Task to wait for completion.
>   File "c:\Repos\tulip\asyncio\tasks.py", line 308, in _wakeup
>     value = future.result()
>   File "c:\Repos\tulip\asyncio\futures.py", line 221, in result
>     raise self._exception
>   File "c:\Repos\tulip\asyncio\selector_events.py", line 579, in _on_handshake
>     self._sock.do_handshake()
>   File "C:\Repos\cpython-33\lib\ssl.py", line 520, in do_handshake
>     self._sslobj.do_handshake()
> ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:553)
>
> --
> Richard
>

-- 
--Guido van Rossum (python.org/~guido)
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
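The failure mode discussed in the message above, as an added example that is not part of the original thread: it reports what `set_default_verify_paths()` actually finds on the current machine, and builds either a verifying context or the explicit `ssl.CERT_NONE` opt-out. The function names `trust_store_report` and `make_context` are hypothetical; `load_default_certs()` and `PROTOCOL_TLS_CLIENT` are stdlib additions from Python releases later than this thread.

```python
import os
import ssl


def trust_store_report():
    """Report which trust anchors a default verifying context can see."""
    paths = ssl.get_default_verify_paths()  # cafile/capath are None if missing

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_default_verify_paths()          # the call discussed in the thread
    loaded = ctx.cert_store_stats()["x509_ca"]

    # OpenSSL reads a capath directory lazily, so its certificates do not
    # show up in cert_store_stats(); count the directory entries instead.
    capath_entries = len(os.listdir(paths.capath)) if paths.capath else 0

    sys_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    sys_ctx.load_default_certs()            # also reads Windows system stores
    loaded_system = sys_ctx.cert_store_stats()["x509_ca"]

    return {
        "cafile": paths.cafile,
        "capath": paths.capath,
        "capath_entries": capath_entries,
        "loaded_ca": loaded,
        "loaded_ca_system": loaded_system,
        # False means there is nothing to verify against, so every verified
        # handshake fails with CERTIFICATE_VERIFY_FAILED.
        "usable": loaded > 0 or capath_entries > 0 or loaded_system > 0,
    }


def make_context(verify=True, cafile=None):
    """Build a client context; verify=False is the CERT_NONE opt-out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED by default
    if not verify:
        ctx.check_hostname = False       # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE  # peer is not authenticated at all
        return ctx
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # explicit CA bundle
    else:
        ctx.load_default_certs()
    return ctx


if __name__ == "__main__":
    for key, value in trust_store_report().items():
        print(f"{key}: {value}")
```

Passing an explicit `cafile` keeps verification on when the platform defaults come up empty, which is a narrower change than switching to `ssl.CERT_NONE`.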