
#32 Python 2.7.9 rejects https://setup.myharmony.com

Status: closed
Owner: nobody
Priority: 5
Updated: 2016-01-01
Created: 2015-05-02
Creator: Chris Mayo
Private: No

Python 2.7.9 checks https certificates by default
https://docs.python.org/2.7/whatsnew/2.7.html#pep-476-enabling-certificate-verification-by-default-for-stdlib-http-clients

and https://setup.myharmony.com currently fails because its certificate logs have not been published.
http://www.certificate-transparency.org/what-is-ct
(shown by opening in Google Chrome)

Patch attached that disables the certificate check.

N.B. This patch will only work with Python 2.7.9 or greater.
urllib2.urlopen(url[, data[, timeout[, cafile[, capath[, cadefault[, context]]]]]
Changed in version 2.7.9: cafile, capath, cadefault, and context were added.
https://docs.python.org/2/library/urllib2.html#module-urllib2

1 Attachments

Related

Issues: #33

Discussion

  • Scott Talbert

    Scott Talbert - 2015-05-02

    Thanks for the report. I'm not seeing any issue on Fedora Rawhide w/ Python 2.7.9, though. I'm wondering if they disabled the certificate check? What distro are you using?

     
  • Chris Mayo

    Chris Mayo - 2015-05-03

    I'm using Gentoo.

    My problem. It occurs with their certificate collection:
    app-misc/ca-certificates-20141019.3.17.4

    Going back to:
    app-misc/ca-certificates-20140927.3.17.2

    and it works fine. Please close.

     
  • Scott Talbert

    Scott Talbert - 2015-05-04

    I want to look into this a little more before closing. I tried on Debian Unstable, which also has ca-certificates-20141019 and Python 2.7.9, but there was no problem there either. It looks like some Thawte certificates got removed in 20141019, so maybe that's what caused the problem.

     
  • Chris Mayo

    Chris Mayo - 2015-05-04

    Maybe as described here:
    https://bugs.gentoo.org/show_bug.cgi?id=544276

    I have openssl-1.0.1l

     
  • Scott Talbert

    Scott Talbert - 2015-05-05

    I'm confused. On Debian Unstable (w/ openssl 1.0.2a, ca-certificates 20141019, and python 2.7.9), openssl seems to complain but connects anyway:

    openssl s_client -connect setup.myharmony.com:443
    ...
    Verify return code: 20 (unable to get local issuer certificate)

    Python seems happy:
    talbert@debian-unstable:~/git-congruity$ python
    Python 2.7.9 (default, Apr 29 2015, 18:34:06)
    [GCC 4.9.2] on linux2
    Type "help", "copyright", "credits" or "license" for more information.

    import urllib2
    urllib2.urlopen("https://setup.myharmony.com/")
    <addinfourl at 139836788315200 whose fp = <socket._fileobject object at 0x7f2e4c541bd0>>

    What errors do openssl and python show on Gentoo with 20141019 certificates?

     
  • Chris Mayo

    Chris Mayo - 2015-05-05

    Description of how the Gentoo certificates are created from Debian ones:
    https://sources.gentoo.org/cgi-bin/viewvc.cgi/gentoo-x86/app-misc/ca-certificates/ca-certificates-20141019.3.17.4.ebuild?revision=1.1&view=markup#l5

    I created my own package, app-misc/ca-certificates-20141019, which uses the Debian certificates unmodified and works fine.

    Results below all with dev-libs/openssl-1.0.1l-r1
    and ca.py:

    #!/usr/bin/python2
    import urllib2
    urllib2.urlopen("https://setup.myharmony.com/")

    app-misc/ca-certificates-20140927.3.17.2

    openssl s_client -connect setup.myharmony.com:443
    CONNECTED(00000003)
    depth=3 C = ZA, ST = Western Cape, L = Cape Town, O = Thawte Consulting cc, OU = Certification Services Division, CN = Thawte Premium Server CA, emailAddress = premium-server@thawte.com
    verify return:1
    depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
    verify return:1
    depth=1 C = US, O = "Thawte, Inc.", CN = Thawte SSL CA
    verify return:1
    depth=0 C = US, ST = California, L = Newark, O = Logitech Inc., OU = IDC, CN = *.myharmony.com
    verify return:1


    Certificate chain
    0 s:/C=US/ST=California/L=Newark/O=Logitech Inc./OU=IDC/CN=*.myharmony.com
    i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
    1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
    i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
    2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
    i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com


    ...
    Verify return code: 0 (ok)

    $ ./ca.py
    [No Output]

    app-misc/ca-certificates-20141019.3.17.4

    $ openssl s_client -connect setup.myharmony.com:443
    CONNECTED(00000003)
    depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
    verify error:num=20:unable to get local issuer certificate
    verify return:0


    Certificate chain
    0 s:/C=US/ST=California/L=Newark/O=Logitech Inc./OU=IDC/CN=*.myharmony.com
    i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
    1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
    i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
    2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
    i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com


    ...
    Verify return code: 20 (unable to get local issuer certificate)

    $ ./ca.py
    ...
    urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)>

    app-misc/ca-certificates-20141019

    $ openssl s_client -connect setup.myharmony.com:443
    CONNECTED(00000003)
    depth=3 C = ZA, ST = Western Cape, L = Cape Town, O = Thawte Consulting cc, OU = Certification Services Division, CN = Thawte Premium Server CA, emailAddress = premium-server@thawte.com
    verify return:1
    depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
    verify return:1
    depth=1 C = US, O = "Thawte, Inc.", CN = Thawte SSL CA
    verify return:1
    depth=0 C = US, ST = California, L = Newark, O = Logitech Inc., OU = IDC, CN = *.myharmony.com
    verify return:1


    Certificate chain
    0 s:/C=US/ST=California/L=Newark/O=Logitech Inc./OU=IDC/CN=*.myharmony.com
    i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
    1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
    i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
    2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
    i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com


    ...
    Verify return code: 0 (ok)

    $ ./ca.py
    [No Output]
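Added example, not code from this ticket or from the congruity project: a small parser for the `openssl s_client` verification lines quoted above (it names the certificate whose issuer is missing from the local store, which is the root-store gap the comparison between the three ca-certificates packages exposes), plus the verification-preserving alternative to the attached patch, using the `context` argument that urllib2.urlopen gained in 2.7.9 (urllib.request.urlopen on Python 3). The s_client sample is constructed from the failing run; the CA bundle path is whatever the caller supplies.

```python
import re
import ssl
try:                        # Python 2.7.9+
    from urllib2 import urlopen
except ImportError:         # Python 3
    from urllib.request import urlopen

DEPTH_RE = re.compile(r"depth=(\d+) (.*)")
ERROR_RE = re.compile(r"verify error:num=(\d+):(.*)")
CODE_RE = re.compile(r"Verify return code: (\d+) \((.*)\)")

# Constructed sample, modelled on the failing run quoted in the ticket.
FAILING_RUN = """CONNECTED(00000003)
depth=2 C = US, O = "thawte, Inc.", CN = thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
Verify return code: 20 (unable to get local issuer certificate)
"""

def parse_s_client(output):
    """Summarise s_client verification output: the final verify code and,
    when chain building stopped early, the certificate whose issuer is
    missing from the local trust store (code 20 in this ticket)."""
    summary = {"code": None, "message": None, "stopped_at": None, "error": None}
    last_subject = None
    for line in output.splitlines():
        line = line.strip()
        m = DEPTH_RE.match(line)
        if m:
            last_subject = m.group(2)      # most recent cert OpenSSL examined
        m = ERROR_RE.match(line)
        if m and summary["error"] is None:
            summary["error"], summary["stopped_at"] = m.group(2), last_subject
        m = CODE_RE.match(line)
        if m:
            summary["code"], summary["message"] = int(m.group(1)), m.group(2)
    return summary

def make_context(cafile=None):
    """Verifying SSL context: CERT_REQUIRED plus hostname check. cafile=None
    uses the platform store (what failed here); pass a known-good bundle,
    e.g. Debian's unmodified one, instead of disabling verification."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def verified_open(url, cafile=None):  # drop-in for the patched call, checks kept on
    return urlopen(url, context=make_context(cafile))
```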

     
  • Scott Talbert

    Scott Talbert - 2015-12-31

    Have you run into any more SSL problems with setup.myharmony.com? Is there anything we need to do here?

     
  • Chris Mayo

    Chris Mayo - 2015-12-31

    All seems to be fine now, even with ca-certificates-20141019.3.17.4:

    $ openssl s_client -connect setup.myharmony.com:443
    depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
    verify return:1
    depth=1 C = US, O = "Thawte, Inc.", CN = Thawte SSL CA
    verify return:1
    depth=0 C = US, ST = California, L = Newark, O = Logitech Inc., OU = IDC, CN = *.myharmony.com
    verify return:1
    CONNECTED(00000003)
    ---
    Certificate chain
     0 s:/C=US/ST=California/L=Newark/O=Logitech Inc./OU=IDC/CN=*.myharmony.com
       i:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
     1 s:/C=US/O=Thawte, Inc./CN=Thawte SSL CA
       i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
     2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
       i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com
    ---
    ...
        Verify return code: 0 (ok)
    ---
    

    this is now openssl-1.0.2e

     
  • Scott Talbert

    Scott Talbert - 2016-01-01

    OK, closing the issue. Happy New Year!

     
  • Scott Talbert

    Scott Talbert - 2016-01-01
    • status: open --> closed
    • Group: -->
     
