bad certificate error

jakecjacobson

Hi,

I am getting the following error when doing a post to REST API,

Enter PEM pass phrase:
Traceback (most recent call last):
  File "./ices_catalog_feeder.py", line 193, in ?
    main(sys.argv[1])
  File "./ices_catalog_feeder.py", line 60, in main
    post2Catalog(catalog_host, catalog_port, catalog_path, os.path.join(input_dir, file), collection_name, key_file, cert_file)
  File "./ices_catalog_feeder.py", line 125, in post2Catalog
    connection.request('POST', path, parameters, head)
  File "/usr/lib/python2.4/httplib.py", line 810, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.4/httplib.py", line 833, in _send_request
    self.endheaders()
  File "/usr/lib/python2.4/httplib.py", line 804, in endheaders
    self._send_output()
  File "/usr/lib/python2.4/httplib.py", line 685, in _send_output
    self.send(msg)
  File "/usr/lib/python2.4/httplib.py", line 652, in send
    self.connect()
  File "/usr/lib/python2.4/httplib.py", line 1079, in connect
    ssl = socket.ssl(sock, self.key_file, self.cert_file)
  File "/usr/lib/python2.4/socket.py", line 74, in ssl
    return _realssl(sock, keyfile, certfile)
socket.sslerror: (1, 'error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate')


My code where this error occurs is:

head = {"Content-Type": "application/x-www-form-urlencoded",
        "Accept": "text/plain"}
parameters = urlencode({"collection": collection,
                        "entryxml": open(file, 'r').read()})
print "Sending the file to: " + host

connection = None
try:
    try:
        # Default port is 443.
        # key_file is the name of a PEM formatted file that contains your
        # private key.
        # cert_file is a PEM formatted certificate chain file.
        connection = httplib.HTTPSConnection(host, int(port), key_file,
                                             cert_file)
        connection.request('POST', path, parameters, head)
        response = connection.getresponse()
        print response.status, response.reason
    except httplib.error, (value, message):
        # value is a number, so format it instead of concatenating strings
        print "%s: %s" % (value, message)
finally:
    # the constructor may have raised before connection was assigned
    if connection is not None:
        connection.close()

I was wondering if this is due to the server having an invalid server
cert? If I go to this server in my browser, I get a "This server
tried to identify itself with invalid information". Is there a way to
ignore this issue with Python? Can I setup a trust store and add this
server to the trust store?
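
The question above asks whether a trust store can be set up for this one server. Here is an added example of how that is done with the ssl module of Python 3 (not code from the thread or from any participant; Python 2.4's socket.ssl had no equivalent, and John Nagle notes later in the thread that it did not check the server's certificate chain at all). The error string in the traceback, "SSL3_READ_BYTES:sslv3 alert bad certificate", is OpenSSL reporting an alert it read from the peer, i.e. the server's verdict on the certificate the client presented, so the client-side files matter as much as the trust store. Host, path, field names and file paths in the block are placeholders:

```python
"""Verified HTTPS POST with a client certificate and a private trust store.

Added example, not code from the thread or its participants. It uses the
ssl and http.client modules of Python 3; the thread's Python 2.4
socket.ssl had no equivalent. Host, path, field names and file paths are
placeholders.
"""
import http.client
import ssl
from urllib.parse import urlencode


def build_client_context(ca_file=None, cert_file=None, key_file=None,
                         key_password=None):
    """TLS settings for the client side.

    ca_file: PEM file with the CA(s) to trust. For a test box with a
        self-signed certificate this is the server's own certificate, which
        is what "adding the server to the trust store" amounts to. When
        ca_file is given, create_default_context loads only that file, not
        the system store, so nothing else is trusted by accident.
    cert_file: PEM with the client certificate first, then its chain.
    key_file: PEM with the matching private key (None if it is in cert_file).
    key_password: pass phrase of an encrypted key, so OpenSSL does not stop
        at an interactive 'Enter PEM pass phrase:' prompt.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    # create_default_context sets both of these already; restated so a
    # later edit cannot drop them unnoticed.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cert_file is not None:
        # OpenSSL verifies here that the key matches the certificate, so
        # passing the CA certificate as cert_file fails at load time with
        # "key values mismatch" instead of as a bad-certificate alert from
        # the server during the handshake.
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file,
                            password=key_password)
    return ctx


def context_summary(ctx):
    """Plain-data view of the settings that matter, for logging and tests."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def post_entry(host, port, path, fields, ctx):
    """Form-encoded POST like the thread's post2Catalog, over the verified
    context. Returns (status, reason, body)."""
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "text/plain"}
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    try:
        conn.request("POST", path, urlencode(fields), headers)
        resp = conn.getresponse()
        return resp.status, resp.reason, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholders: replace with the real trust file, client cert/key and server.
    context = build_client_context(ca_file="test-box-ca.pem",
                                   cert_file="client-cert.pem",
                                   key_file="client-key.pem",
                                   key_password=None)
    print(context_summary(context))
    print(post_entry("catalog.example.test", 443, "/catalog/entries",
                     {"collection": "demo", "entryxml": "<entry/>"}, context))
```

If the test server's certificate carries a different name than the one you connect by (the name mismatch mentioned later in the thread), connect by the name that is on the certificate, for example through a hosts entry, rather than switching check_hostname off; the pinned ca_file then makes the connection verifiable even with a self-signed certificate.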
 
Gabriel Genellina

On Mon, 27 Jul 2009 12:57:40 -0300, jakecjacobson wrote:
I was wondering if this is due to the server having an invalid server
cert? If I go to this server in my browser, I get a "This server
tried to identify itself with invalid information". Is there a way to
ignore this issue with Python? Can I setup a trust store and add this
server to the trust store?

I don't see the point in trusting someone that you know is telling lies
about itself.
 
jakecjacobson

On Mon, 27 Jul 2009 12:57:40 -0300, jakecjacobson wrote:

I don't see the point in trusting someone that you know is telling lies  
about itself.

It is a test box that the team I am on runs. That is why I would
trust it.
 
Steven D'Aprano

On Mon, 27 Jul 2009 12:57:40 -0300, jakecjacobson wrote:

I don't see the point in trusting someone that you know is telling lies
about itself.

Don't you? It's just commonsense risk assessment.

It's far more likely that the server has an incorrectly set up certificate
managed by an incompetent sys admin than it is that somebody is eavesdropping
on my connection to https://somerandom.site.com/something-trivial

Particularly when the connection is on my own intranet and I know the sys
admin in question has made a mistake and the new certificate is scheduled
to be installed "some time next week". *wink*

Of course, if there was sensitive information involved, or money, then
I'd be more concerned.
 
Gabriel Genellina

On Mon, 27 Jul 2009 15:52:08 -0300, jakecjacobson wrote:
It is a test box that the team I am on runs. That is why I would
trust it.

I'd fix the certificate issue on the server. Or use plain HTTP if it's
just for testing.
 
Gabriel Genellina

On Mon, 27 Jul 2009 20:00:27 -0300, Steven D'Aprano wrote:
Don't you? It's just commonsense risk assessment.

It's far more likely that the server has an incorrectly set up certificate
managed by an incompetent sys admin than it is that somebody is eavesdropping
on my connection to https://somerandom.site.com/something-trivial

Fire the sys admin then :)
I don't see the point in "fixing" either the Python script or httplib to
accommodate an invalid server certificate... If it's just for internal
testing, I'd use HTTP instead (at least until the certificate is fixed).
 
jakecjacobson

jakecjacobson said:
 I am getting the following error when doing a post to REST API,
 Enter PEM pass phrase:
 Traceback (most recent call last):
   File "./ices_catalog_feeder.py", line 193, in ?
     main(sys.argv[1])
   File "./ices_catalog_feeder.py", line 60, in main
     post2Catalog(catalog_host, catalog_port, catalog_path, os.path.join(input_dir, file), collection_name, key_file, cert_file)
   File "./ices_catalog_feeder.py", line 125, in post2Catalog
     connection.request('POST', path, parameters, head)
   File "/usr/lib/python2.4/httplib.py", line 810, in request
     self._send_request(method, url, body, headers)
   File "/usr/lib/python2.4/httplib.py", line 833, in _send_request
     self.endheaders()
   File "/usr/lib/python2.4/httplib.py", line 804, in endheaders
     self._send_output()
   File "/usr/lib/python2.4/httplib.py", line 685, in _send_output
     self.send(msg)
   File "/usr/lib/python2.4/httplib.py", line 652, in send
     self.connect()
   File "/usr/lib/python2.4/httplib.py", line 1079, in connect
     ssl = socket.ssl(sock, self.key_file, self.cert_file)
   File "/usr/lib/python2.4/socket.py", line 74, in ssl
     return _realssl(sock, keyfile, certfile)
 socket.sslerror: (1, 'error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate')
 My code where this error occurs is:
 head = {"Content-Type": "application/x-www-form-urlencoded",
         "Accept": "text/plain"}
 parameters = urlencode({"collection": collection,
                         "entryxml": open(file, 'r').read()})
 print "Sending the file to: " + host
 try:
     try:
         # Default port is 443.
         # key_file is the name of a PEM formatted file that contains your
         # private key.
         # cert_file is a PEM formatted certificate chain file.
         connection = httplib.HTTPSConnection(host, int(port), key_file,
                                              cert_file)
         connection.request('POST', path, parameters, head)
         response = connection.getresponse()
         print response.status, response.reason
     except httplib.error, (value, message):
         print value + ':' + message
 finally:
     connection.close()
 I was wondering if this is due to the server having an invalid server
 cert?

I'd say judging from the traceback you messed up key_file or cert_file
somehow.

Try using the openssl binary on them (read the man page to see how!)
to check them out.
 If I go to this server in my browser, I get a "This server tried to
 identify itself with invalid information".  Is there a way to
 ignore this issue with Python?  Can I setup a trust store and add
 this server to the trust store?

Invalid how?  Self signed certificate? Domain mismatch? Expired certificate?

Nick,

Thanks for the help on this. I will check my steps on openssl again
and see if I messed up. What I tried to do was:
1. Save my PKI cert to disk. It was saved as a P12 file
2. Use openssl to convert it to the needed .pem file type
3. Saved the CA that my cert was signed by as a .crt file

These are the 2 files that I was using for key_file and
* cert_file -> CA
* key_file -> my PKI cert converted to a .pem file

"Invalid how? Self signed certificate? Domain mismatch? Expired
certificate?" It is a server name mismatch.

For everyone that wants to discuss why we shouldn't do this, great but
I can't change the fact that I need to do this. I can't use http or
even get a correct cert at this time. This is a quick and dirty project
to demonstrate capability. I need something more than slide show
briefs.
 
Steven D'Aprano

I don't see the point in "fixing" either the Python script or httplib to
accommodate an invalid server certificate... If it's just for
internal testing, I'd use HTTP instead (at least until the certificate
is fixed).

In real life, sometimes you need to drive with bad brakes on your car,
walk down dark alleys in the bad part of town, climb a tree without a
safety line, and use a hammer without wearing goggles. We can do all
these things.

The OP has said that, for whatever reason, he needs to ignore a bad
server certificate when connecting to HTTPS. Python is a language where
developers are allowed to shoot themselves in the foot, so long as they
do so in full knowledge of what they're doing.

So, putting aside all the millions of reasons why the OP shouldn't accept
an invalid certificate, how can he accept an invalid certificate?
 
Gabriel Genellina

On Tue, 28 Jul 2009 09:02:40 -0300, Steven D'Aprano wrote:
In real life, sometimes you need to drive with bad brakes on your car,
walk down dark alleys in the bad part of town, climb a tree without a
safety line, and use a hammer without wearing goggles. We can do all
these things.

The OP has said that, for whatever reason, he needs to ignore a bad
server certificate when connecting to HTTPS. Python is a language where
developers are allowed to shoot themselves in the foot, so long as they
do so in full knowledge of what they're doing.

So, putting aside all the millions of reasons why the OP shouldn't accept
an invalid certificate, how can he accept an invalid certificate?

Yes, I understand the situation, but I'm afraid there is no way (that I
know of). At least not without patching _ssl.c; all the SSL negotiation is
handled by the OpenSSL library itself.

I vaguely remember a pure Python SSL implementation somewhere that perhaps
could be hacked to bypass all controls. But making it work properly will
probably require a lot more effort than installing a self signed
certificate in the server...
 
jakecjacobson

On Tue, 28 Jul 2009 09:02:40 -0300, Steven D'Aprano <[email protected]> wrote:

Yes, I understand the situation, but I'm afraid there is no way (that I  
know of). At least not without patching _ssl.c; all the SSL negotiation is  
handled by the OpenSSL library itself.

I vaguely remember a pure Python SSL implementation somewhere that perhaps  
could be hacked to bypass all controls. But making it work properly will  
probably require a lot more effort than installing a self signed  
certificate in the server...

I have it working and I want to thank everyone for their efforts and
very helpful hints. The error was with me and not understanding the
documentation about the cert_file & key_file. After using openssl to
divide up my p12 file into a cert file and a key file using the
instructions at http://security.ncsa.uiuc.edu/research/grid-howtos/usefulopenssl.php,
I got everything working.

Again, much thanks.

Jake
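
Two of Jake's posts above describe the actual cause: the files passed as cert_file (the CA certificate) and key_file (the converted PKI cert) were not what httplib expected, and the fix was to split the PKCS#12 file into a certificate file and a key file. The block below is an added example, not code from the thread or its participants, of the check a practitioner would run on such files before handing them to an HTTPS client: list what PEM blocks each file really contains, spot an encrypted key (the reason for the "Enter PEM pass phrase:" prompt in the traceback), and split a combined PEM bundle into the two files. The PEM blobs in it are constructed placeholders (base64 of filler text, not real keys or certificates), and the "Bag Attributes" layout of the bundle is only an assumption about the shape of openssl pkcs12 output.

```python
"""Inspect and split PEM material before handing it to an HTTPS client.

Added example, not code from the thread. The PEM bodies below are
constructed placeholders (base64 of filler text, not real keys or
certificates); every check here looks only at PEM labels and headers,
which is enough to see what kind of content each file holds.
"""
import base64
import re

# One PEM block: label on the BEGIN/END lines, everything between as body.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)

PRIVATE_KEY_LABELS = {
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY",                  # PKCS#8
    "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",  # legacy OpenSSL
}


def pem_blocks(text):
    """Return [(label, full_block_text)] for every PEM block in text."""
    return [(m.group("label"), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def pem_labels(text):
    return [label for label, _ in pem_blocks(text)]


def key_needs_passphrase(key_pem):
    """True if the private key is encrypted, i.e. OpenSSL will stop at
    'Enter PEM pass phrase:' unless a password is supplied in code."""
    for label, block in pem_blocks(key_pem):
        if label == "ENCRYPTED PRIVATE KEY":
            return True
        if label in PRIVATE_KEY_LABELS and "Proc-Type: 4,ENCRYPTED" in block:
            return True
    return False


def check_cert_and_key(cert_pem, key_pem):
    """Label-level sanity check of a cert_file/key_file pair.

    Returns a list of problems; empty means each file holds the right kind
    of content. Whether the certificate actually matches the key is checked
    by ssl.SSLContext.load_cert_chain when the files are loaded.
    """
    problems = []
    cert_labels = pem_labels(cert_pem)
    key_labels = pem_labels(key_pem)
    if not cert_labels or cert_labels[0] != "CERTIFICATE":
        problems.append("cert_file must start with the client CERTIFICATE "
                        "(found: %s)" % (", ".join(cert_labels) or "nothing"))
    keys = [l for l in key_labels if l in PRIVATE_KEY_LABELS]
    if len(keys) != 1:
        problems.append("key_file must hold exactly one private key "
                        "(found: %s)" % (", ".join(key_labels) or "nothing"))
    return problems


def split_pem_bundle(bundle):
    """Split a combined PEM file into (certs_pem, key_pem), dropping any
    'Bag Attributes' text between blocks. Certificate order is preserved,
    so the client certificate stays first if it was first in the bundle."""
    blocks = pem_blocks(bundle)
    certs = [b for l, b in blocks if l == "CERTIFICATE"]
    keys = [b for l, b in blocks if l in PRIVATE_KEY_LABELS]
    return "".join(b + "\n" for b in certs), "".join(b + "\n" for b in keys)


def _fake_block(label, seed, extra_headers=""):
    """Constructed placeholder PEM block: base64 of filler text, NOT real key
    or certificate material. extra_headers mimics the legacy encrypted-key
    headers OpenSSL writes before the base64 body."""
    body = base64.b64encode(("placeholder %s %s" % (label, seed)).encode()).decode()
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----" % (label, extra_headers, body, label)


CONSTRUCTED_CLIENT_CERT = _fake_block("CERTIFICATE", "client")
CONSTRUCTED_CA_CERT = _fake_block("CERTIFICATE", "ca")
CONSTRUCTED_ENCRYPTED_KEY = _fake_block(
    "RSA PRIVATE KEY", "client",
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n")
# Assumed shape of a PKCS#12 export to PEM: attribute lines between blocks,
# client certificate, CA certificate and the encrypted key in one file.
CONSTRUCTED_BUNDLE = "\n".join([
    "Bag Attributes", "    friendlyName: placeholder", CONSTRUCTED_CLIENT_CERT,
    "Bag Attributes", CONSTRUCTED_CA_CERT,
    "Bag Attributes", "    localKeyID: 00 11 22", CONSTRUCTED_ENCRYPTED_KEY, ""])


if __name__ == "__main__":
    certs, key = split_pem_bundle(CONSTRUCTED_BUNDLE)
    print("cert_file would hold:", pem_labels(certs))
    print("key_file would hold:", pem_labels(key), "encrypted:", key_needs_passphrase(key))
    # The thread's mix-up: CA certificate as cert_file, a certificate-only PEM as key_file.
    print("problems:", check_cert_and_key(CONSTRUCTED_CA_CERT, CONSTRUCTED_CLIENT_CERT))
```

The PKCS#12 to PEM step itself still belongs to the openssl binary, as the thread says: openssl pkcs12 -in client.p12 -clcerts -nokeys -out cert.pem writes only the client certificate, and openssl pkcs12 -in client.p12 -nocerts -out key.pem writes only the private key (it asks for a pass phrase to protect key.pem, which is the prompt the traceback shows; the Python 3 ssl module accepts that pass phrase through the password argument of load_cert_chain).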
 
John Nagle

jakecjacobson said:
Hi,

I am getting the following error when doing a post to REST API,

Enter PEM pass phrase:
Traceback (most recent call last):
  File "./ices_catalog_feeder.py", line 193, in ?
    main(sys.argv[1])
  File "./ices_catalog_feeder.py", line 60, in main
    post2Catalog(catalog_host, catalog_port, catalog_path, os.path.join(input_dir, file), collection_name, key_file, cert_file)
  File "./ices_catalog_feeder.py", line 125, in post2Catalog
    connection.request('POST', path, parameters, head)
  File "/usr/lib/python2.4/httplib.py", line 810, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib/python2.4/httplib.py", line 833, in _send_request
    self.endheaders()
  File "/usr/lib/python2.4/httplib.py", line 804, in endheaders
    self._send_output()
  File "/usr/lib/python2.4/httplib.py", line 685, in _send_output
    self.send(msg)
  File "/usr/lib/python2.4/httplib.py", line 652, in send
    self.connect()
  File "/usr/lib/python2.4/httplib.py", line 1079, in connect
    ssl = socket.ssl(sock, self.key_file, self.cert_file)
  File "/usr/lib/python2.4/socket.py", line 74, in ssl
    return _realssl(sock, keyfile, certfile)
socket.sslerror: (1, 'error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate')

What SSL implementation are you using? The old one from Python 2.4
doesn't even check the certificate chain. M2Crypto does, and the new
SSL module does, but in each case you have to provide a root certificate
file. (The one from Mozilla is available.)

John Nagle
 
