sslcontext/urlopen on CA cert: Empty Subject Alternative Name extension #132210

Open
@dimaqq

Bug report

Bug description:

Version info:

  • Python 3.12
  • Ubuntu 24.04
  • amd64

Here is the certificate chain that the server presents:

server cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6b:ea:ea:44:21:43:12:26:e8:56:88:da:e8:fe:19:94:36:6b:24:5d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = self-signed-certificates-operator
        Validity
            Not Before: Apr  7 07:45:31 2025 GMT
            Not After : Jul  6 07:45:31 2025 GMT
        Subject: CN = 10.43.45.0, x500UniqueIdentifier = 5af5937b-7f98-4b6d-b53d-ff63e7778f5b
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c5:66:62:74:48:ef:9c:91:b9:e1:64:31:41:56:
                    0d:b4:a6:6c:38:e3:a5:be:6f:49:4f:fc:54:00:f6:
                    6b:90:92:01:4f:53:07:dc:23:b3:7e:e9:00:6e:ad:
                    a3:d1:64:d8:be:af:39:ae:76:c9:eb:83:25:2f:95:
                    27:3f:39:13:49:eb:5d:2c:9b:2a:d4:fe:84:a9:ad:
                    21:5f:12:d5:05:e9:74:f0:04:c9:2d:4c:24:f6:24:
                    64:6a:f8:70:ad:54:47:b0:70:50:18:8f:5a:01:fd:
                    1c:6f:27:cb:20:a8:31:c4:6e:8f:07:a1:34:b7:03:
                    bd:6c:44:90:b0:13:dd:ba:44:7a:b9:fa:6d:ee:f9:
                    92:4b:0d:1d:39:58:ce:c8:16:03:2b:fd:f9:20:88:
                    64:d3:3e:3c:19:5b:a5:56:a2:a8:3d:74:94:f9:1a:
                    41:5f:36:dd:6a:af:fe:a1:47:7b:74:19:a2:a1:df:
                    bd:11:e7:4c:5d:9b:7c:71:68:91:dd:32:6c:2f:df:
                    cb:bc:2a:0a:eb:f8:5a:13:ca:dd:32:ec:50:d3:6c:
                    8b:22:5a:97:a8:7e:93:46:81:18:ce:8f:6b:64:c9:
                    50:19:bc:dc:82:89:29:5d:c5:bc:5e:b2:a9:3b:76:
                    44:6d:17:f1:47:0e:aa:99:47:f8:7c:5f:65:ad:94:
                    d1:43
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                04:14:85:B0:CB:F4:5B:0F:01:70:4B:C7:EB:38:FD:80:F0:70:3C:EC:00:6E
            X509v3 Subject Key Identifier:
                EF:41:F8:D9:34:A7:6C:86:85:35:65:0C:4A:C6:7B:D0:D1:7D:16:2C
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                IP Address:10.43.45.0
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        42:d9:22:4a:b6:49:f3:c4:c3:38:eb:d5:0f:f6:f4:cd:95:17:
        9f:4b:79:9b:e8:1c:5b:28:ec:7f:75:76:eb:48:75:0f:f2:81:
        e8:1d:2f:84:7d:6b:ae:a2:17:e2:af:a2:06:3e:97:39:fa:51:
        55:07:12:64:c8:a6:fb:bc:d2:46:50:18:8a:e1:81:d9:04:f7:
        f7:05:a6:f9:3e:38:13:b1:b0:32:e9:80:81:f3:0a:a6:9d:30:
        3a:6a:78:d8:f0:9d:99:f4:0f:c6:83:05:64:0c:cd:12:9d:fb:
        2d:54:59:d8:fc:27:a3:e6:15:ab:09:b4:c9:2a:5b:64:a4:a4:
        eb:ce:0c:ff:be:8a:4f:80:7c:1c:51:ae:0e:85:4a:c4:98:a4:
        37:fa:5e:79:d9:dc:7a:44:33:16:af:42:a4:eb:14:43:40:c6:
        c4:38:19:15:ab:d2:c6:dc:85:47:4c:9d:bc:f2:9e:32:2b:2e:
        08:19:23:4d:38:f0:93:38:b8:57:64:d4:cc:df:7f:f3:ae:68:
        6a:11:19:a9:6a:b0:e0:91:21:3a:9b:dc:fc:17:c3:da:44:d2:
        ff:b6:aa:c9:99:60:b7:93:06:cd:8f:6d:93:f6:40:cc:5e:fc:
        8d:c3:e6:33:e5:26:8a:95:ac:06:7d:c1:d1:14:a3:ba:7a:f2:
        ee:47:e0:05
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

The CA cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            67:09:35:a9:66:2e:59:97:de:c4:f6:8f:ad:fa:bc:c7:db:f8:5e:f4
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = self-signed-certificates-operator
        Validity
            Not Before: Apr  7 07:44:16 2025 GMT
            Not After : Apr  7 07:44:16 2026 GMT
        Subject: CN = self-signed-certificates-operator
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:af:53:7b:47:82:16:39:10:60:df:0b:dc:09:59:
                    a7:b5:4f:21:a5:ea:9a:e4:6c:dd:0c:23:88:23:48:
                    b6:3c:be:55:48:4e:e1:9f:ca:7d:ef:da:b8:20:8c:
                    35:74:d4:74:c9:89:09:8f:fe:79:ac:a5:73:96:07:
                    56:d3:1b:c0:55:fe:2c:1c:d6:21:a2:cb:33:7f:31:
                    50:c0:92:5e:cc:fe:50:a7:90:28:7e:89:65:58:60:
                    aa:dc:cb:f2:06:74:86:c1:fc:37:dd:a6:79:bb:3d:
                    d2:06:62:6b:96:d4:e3:ae:9a:8f:ea:65:a5:16:48:
                    1d:ec:c7:b5:eb:db:b0:5f:36:d1:b6:91:d3:07:3b:
                    d7:53:f5:82:0e:99:e9:6b:7f:19:5f:c0:21:5d:55:
                    0f:12:2f:06:04:d7:9a:59:6d:fd:eb:59:54:ff:53:
                    ea:b1:6b:ac:2d:f7:98:11:84:5a:4e:76:c3:a5:4c:
                    a3:40:06:48:30:e6:3b:df:61:8b:2b:63:20:55:7c:
                    f3:cd:4f:dd:b2:e7:f6:be:75:6b:60:a8:9f:35:4f:
                    d3:7f:e9:af:8f:5b:21:6c:90:44:2a:a0:15:44:92:
                    4b:87:0a:5d:05:80:d1:d1:fa:59:f5:cf:25:d2:d0:
                    c7:2e:94:a8:9d:58:6c:b9:38:8a:f8:31:2d:1e:cb:
                    e9:27
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                <EMPTY>

            X509v3 Subject Key Identifier:
                04:14:85:B0:CB:F4:5B:0F:01:70:4B:C7:EB:38:FD:80:F0:70:3C:EC:00:6E
            X509v3 Authority Key Identifier:
                04:14:85:B0:CB:F4:5B:0F:01:70:4B:C7:EB:38:FD:80:F0:70:3C:EC:00:6E
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        82:5f:7a:46:90:e2:d6:70:6a:8d:56:5a:25:92:6c:32:48:4c:
        56:6c:86:8a:23:47:c3:cd:25:86:b5:7f:ba:f8:dc:40:02:65:
        a1:9c:41:d9:b8:c6:2a:5b:bd:84:18:4b:0d:f8:f8:5b:1a:c5:
        e1:eb:29:58:b1:ed:1c:4c:6d:1f:78:ab:b7:bb:b4:d0:25:28:
        0f:f3:4d:17:f2:60:fd:42:b9:b6:4a:7d:71:48:4d:d6:5f:a2:
        b1:2c:6b:bf:5b:00:6e:44:f1:8e:c9:a9:98:af:cf:ac:e1:cf:
        e2:f2:22:fc:0a:73:3a:34:5f:b2:ab:9f:5f:79:11:85:fe:11:
        e3:ee:62:c7:1f:65:34:51:c6:85:78:6f:24:a6:ed:cb:59:8b:
        d8:f7:d3:bf:84:f4:a1:4b:33:57:3c:24:b7:df:d1:c8:62:92:
        dd:f5:d4:8d:06:71:da:4f:26:3e:0b:94:54:0e:16:22:7e:70:
        32:0d:7a:3b:1e:b7:ee:d6:8d:79:3e:0e:0f:74:a2:a9:f8:0d:
        74:68:c6:f6:79:03:3d:76:15:2e:fa:1a:69:34:4e:21:40:fb:
        ef:ac:49:43:50:61:9c:c5:c2:b4:8d:16:ba:d1:3c:e3:03:46:
        da:6e:68:55:a3:67:0e:ab:ce:98:1b:b6:55:a6:b2:c2:0b:35:
        36:ad:ce:36
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

I'm passing the CA cert to urllib / sslcontext using this code:

    import logging
    import ssl
    import urllib.error
    import urllib.request

    logger = logging.getLogger(__name__)


    def post_with_ca(url, ca, data, mime, timeout):
        """ca is the PEM text of the CA certificate shown above; url, data, mime and
        timeout come from the caller's configuration (config.url, EXPORT_TIMEOUT, ...)."""
        # Note that ssl.create_default_context() doesn't allow setting the context.protocol in a
        # way that's the same across Python 3.8 and 3.10 onwards. Whip the context up by hand.
        context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        context.minimum_version = ssl.TLSVersion.TLSv1_3
        context.set_alpn_protocols(['http/1.1'])
        context.verify_flags |= ssl.VERIFY_X509_STRICT
        if partial_chain := getattr(ssl, 'VERIFY_X509_PARTIAL_CHAIN', None):
            # Available starting from Python 3.10. The partial chain flag allows trusting an
            # intermediate CA in the CA list without the matching root CA.
            context.verify_flags |= partial_chain
        context.load_verify_locations(cadata=ca)

        try:
            with urllib.request.urlopen(  # noqa: S310
                urllib.request.Request(  # noqa: S310
                    url,
                    data=data,
                    headers={'Content-Type': mime},
                    method='POST',
                ),
                context=context,
                timeout=timeout,
            ):
                pass
        except urllib.error.HTTPError as e:
            resp = e.fp.read()[:1000]
            logger.exception(f'Tracing collector rejected our data, {e.code=} {resp=}')
        except OSError:
            # URLError, TimeoutError, SSLError, socket.error
            # Exception gets caught here: ssl.SSLCertVerificationError (the empty-SAN
            # failure from the title) is an OSError subclass, so it is swallowed silently.
            pass

At the same time, cURL is happy with this CA.

Is Python being too strict?
Is it a bug?
Specifically, why validate the alt name in the CA?

CPython versions tested on:

3.12

Operating systems tested on:

Linux
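The question at the end of the report is why the CA's empty Subject Alternative Name matters at all. RFC 5280 section 4.2.1.6 says that if the extension is present, its GeneralNames sequence MUST contain at least one entry, and the posted code opts in to the strict conformance checks with VERIFY_X509_STRICT, which the Python docs describe as disabling workarounds for broken X.509 certificates. The following is an added example, not code from the issue or from CPython: a small pure-stdlib DER walker that reads an X.509 Extensions block and classifies the SAN as absent, empty, or populated. The two extension blocks it parses are constructed stand-ins modelled on the dumps above (empty SAN plus CA:TRUE for the CA; IP Address 10.43.45.0 plus CA:FALSE for the server), not the real certificates, whose PEM is not reproduced here.

```python
import ipaddress

SAN_OID = "2.5.29.17"                # id-ce-subjectAltName
BASIC_CONSTRAINTS_OID = "2.5.29.19"  # id-ce-basicConstraints


def der(tag, body):
    """Encode one DER TLV with a definite length (used to build the samples)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_tlvs(buf):
    """Yield (tag, value) for each TLV in buf; reject truncated input."""
    pos = 0
    while pos < len(buf):
        if pos + 1 >= len(buf):
            raise ValueError("truncated DER header")
        tag, first = buf[pos], buf[pos + 1]
        pos += 2
        if first < 0x80:
            length = first
        else:
            n = first & 0x7F
            if n == 0 or n > 4:
                raise ValueError("unsupported DER length")
            length = int.from_bytes(buf[pos:pos + n], "big")
            pos += n
        if pos + length > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[pos:pos + length]
        pos += length


def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER body (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(value):
    """DER OBJECT IDENTIFIER body -> dotted OID."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_extensions(extensions):
    """Parse an Extensions SEQUENCE TLV into (oid, critical, extnValue) triples."""
    outer = list(der_tlvs(extensions))
    if len(outer) != 1 or outer[0][0] != 0x30:
        raise ValueError("expected one Extensions SEQUENCE")
    result = []
    for tag, ext in der_tlvs(outer[0][1]):
        parts = list(der_tlvs(ext))
        if tag != 0x30 or parts[0][0] != 0x06:
            raise ValueError("Extension must be SEQUENCE { OID, [BOOLEAN], OCTET STRING }")
        critical, idx = False, 1
        if parts[idx][0] == 0x01:            # optional BOOLEAN critical
            critical, idx = parts[idx][1] != b"\x00", idx + 1
        if parts[idx][0] != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        result.append((decode_oid(parts[0][1]), critical, parts[idx][1]))
    return result


def describe_general_name(tag, value):
    """Render the GeneralName choices that matter here: [2] dNSName, [7] iPAddress."""
    if tag == 0x82:
        return "DNS:" + value.decode("ascii")
    if tag == 0x87:
        return "IP:" + str(ipaddress.ip_address(value))
    return f"[{tag & 0x1F}]:{value.hex()}"


def check_san(extensions):
    """('absent', []), ('empty', []) or ('ok', names); 'empty' is the
    RFC 5280 4.2.1.6 violation that strict validation rejects."""
    for oid, _critical, extn_value in parse_extensions(extensions):
        if oid != SAN_OID:
            continue
        inner = list(der_tlvs(extn_value))
        if len(inner) != 1 or inner[0][0] != 0x30:
            raise ValueError("SAN extnValue must be a GeneralNames SEQUENCE")
        names = [describe_general_name(t, v) for t, v in der_tlvs(inner[0][1])]
        return ("ok", names) if names else ("empty", [])
    return ("absent", [])


def _extension(oid, extn_value, critical=False):
    crit = der(0x01, b"\xff") if critical else b""
    return der(0x30, der(0x06, encode_oid(oid)) + crit + der(0x04, extn_value))


# Constructed stand-ins for the two extension blocks in the dumps above, not the real certs.
CA_LIKE_EXTENSIONS = der(0x30,
    _extension(SAN_OID, der(0x30, b""))                                                # SAN: <EMPTY>
    + _extension(BASIC_CONSTRAINTS_OID, der(0x30, der(0x01, b"\xff")), critical=True))  # CA:TRUE
SERVER_LIKE_EXTENSIONS = der(0x30,
    _extension(BASIC_CONSTRAINTS_OID, der(0x30, b""), critical=True)                   # CA:FALSE
    + _extension(SAN_OID, der(0x30, der(0x87, bytes([10, 43, 45, 0])))))               # IP:10.43.45.0

if __name__ == "__main__":
    print("CA-like:    ", check_san(CA_LIKE_EXTENSIONS))      # ('empty', [])
    print("server-like:", check_san(SERVER_LIKE_EXTENSIONS))  # ('ok', ['IP:10.43.45.0'])
```

To run it over a real chain, hand parse_extensions the Extensions TLV from the TBSCertificate (the [3] EXPLICIT field). The three outcomes are the point: a CA with no SAN extension at all is fine, because its identity is its Subject; a CA whose SAN extension is present but carries zero names is what the strict RFC 5280 checks refuse, even though a lenient client such as cURL accepts it.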

Metadata

Labels: extension-modules (C modules in the Modules dir), pending (The issue will be closed if no feedback is provided), topic-SSL, type-bug (An unexpected behavior, bug, or error)

