I have a client/server application where the server uses the HTTPS protocol and has address and port localhost:44301.

The client application uses Python 2.7.13 on the Windows platform to connect to the server. This is the code snippet:

```python
import platform, os
import requests, json, certifi, urllib3

def main():
    # Certificate and key files created with OpenSSL (raw strings keep the backslashes literal)
    my_c_folder = os.path.dirname(r'C:\Users\Admin\Desktop\cert')
    my_pem = os.path.join(r'C:\Users\Admin\Desktop\cert', 'ce-lh.pem')
    my_crt = os.path.join(r'C:\Users\Admin\Desktop\cert', 'ce-lh.crt')
    my_key = os.path.join(r'C:\Users\Admin\Desktop\cert', 'ce.key')

    # urllib3: require certificate verification, trusting only my_crt
    http = urllib3.PoolManager(cert_reqs='CERT_REQUIRED', ca_certs=my_crt)

    h = http.request('GET', 'https://localhost:44301/api/myData', auth=('myUser', 'myPass'))
    print h

    # requests: same request, verifying the server against my_crt
    r = requests.get('https://localhost:44301/api/myData', auth=('myUser', 'myPass'), verify=my_crt)
    print r


if __name__ == "__main__":
    main()
```

Both the http.request and requests calls fail, returning this error:

```
raise SSLError(e)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)
```

With OpenSSL (version 1.0.2k) I have previously created the certificate in this way:

  1. Generate the RSA: `openssl genrsa -aes256 -out ce.key 2048 -config c:\Program Files\OpenSSL-Win 64\bin\openssl.cfg`
  2. Create the certificate signing request: `openssl req -new -key ce.key -out ce.csr`
    Using this parameter: Common Name (e.g. server FQDN or YOUR name) []:localhost *
  3. Create the certificate: `openssl x509 -req -days 365 -in ce.csr -signkey ce.key -out ce.crt`
  4. Export in pem format: `openssl x509 -in ce.crt -out ce.pem -outform PEM`

Where am I wrong? How can I get past the certificate error? (I know that I can disable certificate verification, but that isn't the goal.)

Is it a Python implementation error? Or have I used OpenSSL with the wrong commands? Or what else? Thanks in advance.

Cyr
  • It would be much easier to troubleshoot if you also provide packet capture of a handshake. Also, have you tried "pip install --upgrade 'requests[security]'" – Kirill Sinitski Mar 22 '17 at 13:00
  • My guess is that your self-signed certificate is missing the CA flag, but I cannot be sure based on the current information. See [Does openssl refuse self signed certificates without basic constraints?](https://security.stackexchange.com/questions/143061/does-openssl-refuse-self-signed-certificates-without-basic-constraints) for more details. – Steffen Ullrich Mar 22 '17 at 13:22
  • @KirillSinitski: yes, the package requests[security] is installed. What about the packet capturing? Do you suggest with Python code or with external software? @SteffenUllrich: in my previous version I haven't configured the CA. Afterwards, following this [link - create self sig](https://blog.kloud.com.au/2016/06/12/creating-openssl-self-signed-certs-on-windows/), I have created new certificates, but it returns this error: `Error: [('system library', 'fopen', 'Unknown error'), ('BIO routines', 'BIO_new_ file', 'system lib'), ('x509 certificate routines', 'X509_load_cert_crl_file', ' system lib')]` – Cyr Mar 22 '17 at 15:58
  • @Cyr Use Wireshark to capture traffic. – Kirill Sinitski Mar 22 '17 at 18:57

0 Answers