
how to find self signed certificate

I'm confused about website certificate verification. Please see details below:

Connecting to the website (www.bitstamp.net) with Python urllib2 threw:

urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>

curl gave a similar error:

$ curl https://www.bitstamp.net
curl: (60) SSL certificate problem: self signed certificate in certificate chain

However, openssl shows each certificate verified (assuming "1" means verified):

$ openssl s_client -showcerts -connect www.bitstamp.net:443
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = Hosted by Incapsula Inc, OU = PositiveSSL Multi-Domain, CN = incapsula.com
verify return:1

What's going on here? Is there a "self signed certificate" as claimed by curl? If so, which one?

There are a couple of symptoms of this behavior. Let's start with the first issue.

self-signed certificate in chain error: this is true and also a valid case, because every root certificate authority is self-signed. In your case AddTrust is self-signed. This may indicate that the certificate authorities are not recognized by curl/libssl or another client. As you said, openssl s_client verified the certificate. In many Linux distros they are located under /etc/ssl/certs. Yours may be different, or you may need to update them. You should also define the location of these CAs for the library (even in libssl - SSL_CTX_load_verify_locations).

SNI based problem indicates that the target server is serving multiple TLS/SSL based sites on the same host/IP. Without an explicit SNI specification the server responds with any one of them (I am not sure about the selection algorithm; maybe random or the first one).

Both cases seem valid to me for these reasons.
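The script below is an added example (not from the question or the answer above). It builds a throwaway test PKI with openssl, shows that a certificate is self-signed exactly when its issuer name equals its subject name (which is why the root, AddTrust in the question, is the "self signed certificate"), and reproduces curl's error 60 offline by verifying the leaf once without and once with the root as a trust anchor (the openssl verify -CAfile flag plays the role of SSL_CTX_load_verify_locations). The names Example Test Root CA and www.example.test are constructed.

```shell
#!/bin/sh
# Added example: reproduce "self signed certificate in certificate chain"
# offline and identify which certificate in a chain is self-signed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: a self-signed root and a leaf it signs (example names).
make_test_pki() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" -days 2 \
        -subj "/CN=Example Test Root CA" >/dev/null 2>&1
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=www.example.test" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/leaf.pem" \
        -days 1 >/dev/null 2>&1
}

# A certificate is self-signed when issuer == subject. Every root CA looks
# like this, so the check answers "which cert", not "is it trusted".
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# The root is offered in the chain (-untrusted, as a server would send it)
# but no trust store contains it: this is curl's error 60 (openssl error 19).
verify_without_trust_anchor() {
    openssl verify -untrusted "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 || true
}

# The same chain with the root installed as a trust anchor verifies fine.
verify_with_trust_anchor() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1 || true
}

make_test_pki
for c in root leaf; do
    if is_self_signed "$WORK/$c.pem"; then echo "$c.pem: self-signed"
    else echo "$c.pem: issued by another CA"; fi
done
echo "--- no trust anchor for the root:"
verify_without_trust_anchor
echo "--- root used as trust anchor (-CAfile):"
verify_with_trust_anchor
```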
