Home/ Questions/Q 6595247
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-25T17:54:56+00:00

I’m trying to do a small secure HTTPS client for learning purposes and see

  • 0

I’m trying to do a small secure HTTPS client for learning purposes and see how all the mechanics of SSL works on a higher level for now, so i’m trying to convert a simple socket into a ssl via ssl.wrap_socket.

I probably got the whole concept backwards but, here’s what i’m doing:

s.connect((host, port))
if port == 443:
    f = open('cacerts.txt', 'r')
    calist = f.read()
    f.close()
    ca = ssl.get_server_certificate((host, port), ssl_version=ssl.PROTOCOL_SSLv3|ssl.PROTOCOL_TLSv1)
    if not ca in calist:
        f = open('cacerts.txt', 'a')
        f.write(ca)
        f.close()
    s = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_SSLv3|ssl.PROTOCOL_TLSv1, cert_reqs=ssl.CERT_REQUIRED, ca_certs="cacerts.txt")
    s.do_handshake()

And when i call do_handshake() i get this:

Traceback (most recent call last):
  File "SSL_test.py", line 84, in Requester
    s = ssl.wrap_socket(s, ssl_version=ssl.PROTOCOL_SSLv3|ssl.PROTOCOL_TLSv1, cert_reqs=ssl.CERT_REQUIRED, ca_certs="cacerts.txt")
  File "C:\Python26\lib\ssl.py", line 338, in wrap_socket
    suppress_ragged_eofs=suppress_ragged_eofs)
  File "C:\Python26\lib\ssl.py", line 120, in __init__
    self.do_handshake()
  File "C:\Python26\lib\ssl.py", line 279, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [Errno 1] _ssl.c:490: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

I’ve searched around for a while and tried for find something that would be close to what i do, but everyone points to either PyOpenSSL or Twisted and i’d prefer if i could stay out of those libraries, mainly because later on i’m planing on bringing this into a sharp production environment where i’m only allowed to use the built in libraries of Python2.6.

Any help would be greatful!

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    The problem here is that you can’t validate a certificate with itself (that is what you are trying to do) unless it is self-signed, and has a CA bit set. You should add a real CA certificate of the web site to the cacerts.txt file. Another alternative (something like “connect anyway” in a web browser) is to drop the cert_reqs to ssl.CERT_NONE after you get such exception, and understand that there could possibly be a man in the middle. This is not the ssl module issue, this is how SSL/X.509 work.

    • 0