sslcontext/urlopen on CA cert: Empty Subject Alternative Name extension #132210

Open
@dimaqq

Description

Bug report

Bug description:

Version info:

  • Python 3.12
  • Ubuntu 24.04
  • amd64

Here is the certificate chain that the server presents:

server cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            6b:ea:ea:44:21:43:12:26:e8:56:88:da:e8:fe:19:94:36:6b:24:5d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = self-signed-certificates-operator
        Validity
            Not Before: Apr  7 07:45:31 2025 GMT
            Not After : Jul  6 07:45:31 2025 GMT
        Subject: CN = 10.43.45.0, x500UniqueIdentifier = 5af5937b-7f98-4b6d-b53d-ff63e7778f5b
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c5:66:62:74:48:ef:9c:91:b9:e1:64:31:41:56:
                    0d:b4:a6:6c:38:e3:a5:be:6f:49:4f:fc:54:00:f6:
                    6b:90:92:01:4f:53:07:dc:23:b3:7e:e9:00:6e:ad:
                    a3:d1:64:d8:be:af:39:ae:76:c9:eb:83:25:2f:95:
                    27:3f:39:13:49:eb:5d:2c:9b:2a:d4:fe:84:a9:ad:
                    21:5f:12:d5:05:e9:74:f0:04:c9:2d:4c:24:f6:24:
                    64:6a:f8:70:ad:54:47:b0:70:50:18:8f:5a:01:fd:
                    1c:6f:27:cb:20:a8:31:c4:6e:8f:07:a1:34:b7:03:
                    bd:6c:44:90:b0:13:dd:ba:44:7a:b9:fa:6d:ee:f9:
                    92:4b:0d:1d:39:58:ce:c8:16:03:2b:fd:f9:20:88:
                    64:d3:3e:3c:19:5b:a5:56:a2:a8:3d:74:94:f9:1a:
                    41:5f:36:dd:6a:af:fe:a1:47:7b:74:19:a2:a1:df:
                    bd:11:e7:4c:5d:9b:7c:71:68:91:dd:32:6c:2f:df:
                    cb:bc:2a:0a:eb:f8:5a:13:ca:dd:32:ec:50:d3:6c:
                    8b:22:5a:97:a8:7e:93:46:81:18:ce:8f:6b:64:c9:
                    50:19:bc:dc:82:89:29:5d:c5:bc:5e:b2:a9:3b:76:
                    44:6d:17:f1:47:0e:aa:99:47:f8:7c:5f:65:ad:94:
                    d1:43
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                04:14:85:B0:CB:F4:5B:0F:01:70:4B:C7:EB:38:FD:80:F0:70:3C:EC:00:6E
            X509v3 Subject Key Identifier:
                EF:41:F8:D9:34:A7:6C:86:85:35:65:0C:4A:C6:7B:D0:D1:7D:16:2C
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Alternative Name:
                IP Address:10.43.45.0
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        42:d9:22:4a:b6:49:f3:c4:c3:38:eb:d5:0f:f6:f4:cd:95:17:
        9f:4b:79:9b:e8:1c:5b:28:ec:7f:75:76:eb:48:75:0f:f2:81:
        e8:1d:2f:84:7d:6b:ae:a2:17:e2:af:a2:06:3e:97:39:fa:51:
        55:07:12:64:c8:a6:fb:bc:d2:46:50:18:8a:e1:81:d9:04:f7:
        f7:05:a6:f9:3e:38:13:b1:b0:32:e9:80:81:f3:0a:a6:9d:30:
        3a:6a:78:d8:f0:9d:99:f4:0f:c6:83:05:64:0c:cd:12:9d:fb:
        2d:54:59:d8:fc:27:a3:e6:15:ab:09:b4:c9:2a:5b:64:a4:a4:
        eb:ce:0c:ff:be:8a:4f:80:7c:1c:51:ae:0e:85:4a:c4:98:a4:
        37:fa:5e:79:d9:dc:7a:44:33:16:af:42:a4:eb:14:43:40:c6:
        c4:38:19:15:ab:d2:c6:dc:85:47:4c:9d:bc:f2:9e:32:2b:2e:
        08:19:23:4d:38:f0:93:38:b8:57:64:d4:cc:df:7f:f3:ae:68:
        6a:11:19:a9:6a:b0:e0:91:21:3a:9b:dc:fc:17:c3:da:44:d2:
        ff:b6:aa:c9:99:60:b7:93:06:cd:8f:6d:93:f6:40:cc:5e:fc:
        8d:c3:e6:33:e5:26:8a:95:ac:06:7d:c1:d1:14:a3:ba:7a:f2:
        ee:47:e0:05

the CA cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            67:09:35:a9:66:2e:59:97:de:c4:f6:8f:ad:fa:bc:c7:db:f8:5e:f4
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = self-signed-certificates-operator
        Validity
            Not Before: Apr  7 07:44:16 2025 GMT
            Not After : Apr  7 07:44:16 2026 GMT
        Subject: CN = self-signed-certificates-operator
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:af:53:7b:47:82:16:39:10:60:df:0b:dc:09:59:
                    a7:b5:4f:21:a5:ea:9a:e4:6c:dd:0c:23:88:23:48:
                    b6:3c:be:55:48:4e:e1:9f:ca:7d:ef:da:b8:20:8c:
                    35:74:d4:74:c9:89:09:8f:fe:79:ac:a5:73:96:07:
                    56:d3:1b:c0:55:fe:2c:1c:d6:21:a2:cb:33:7f:31:
                    50:c0:92:5e:cc:fe:50:a7:90:28:7e:89:65:58:60:
                    aa:dc:cb:f2:06:74:86:c1:fc:37:dd:a6:79:bb:3d:
                    d2:06:62:6b:96:d4:e3:ae:9a:8f:ea:65:a5:16:48:
                    1d:ec:c7:b5:eb:db:b0:5f:36:d1:b6:91:d3:07:3b:
                    d7:53:f5:82:0e:99:e9:6b:7f:19:5f:c0:21:5d:55:
                    0f:12:2f:06:04:d7:9a:59:6d:fd:eb:59:54:ff:53:
                    ea:b1:6b:ac:2d:f7:98:11:84:5a:4e:76:c3:a5:4c:
                    a3:40:06:48:30:e6:3b:df:61:8b:2b:63:20:55:7c:
                    f3:cd:4f:dd:b2:e7:f6:be:75:6b:60:a8:9f:35:4f:
                    d3:7f:e9:af:8f:5b:21:6c:90:44:2a:a0:15:44:92:
                    4b:87:0a:5d:05:80:d1:d1:fa:59:f5:cf:25:d2:d0:
                    c7:2e:94:a8:9d:58:6c:b9:38:8a:f8:31:2d:1e:cb:
                    e9:27
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                <EMPTY>

            X509v3 Subject Key Identifier:
                04:14:85:B0:CB:F4:5B:0F:01:70:4B:C7:EB:38:FD:80:F0:70:3C:EC:00:6E
            X509v3 Authority Key Identifier:
                04:14:85:B0:CB:F4:5B:0F:01:70:4B:C7:EB:38:FD:80:F0:70:3C:EC:00:6E
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        82:5f:7a:46:90:e2:d6:70:6a:8d:56:5a:25:92:6c:32:48:4c:
        56:6c:86:8a:23:47:c3:cd:25:86:b5:7f:ba:f8:dc:40:02:65:
        a1:9c:41:d9:b8:c6:2a:5b:bd:84:18:4b:0d:f8:f8:5b:1a:c5:
        e1:eb:29:58:b1:ed:1c:4c:6d:1f:78:ab:b7:bb:b4:d0:25:28:
        0f:f3:4d:17:f2:60:fd:42:b9:b6:4a:7d:71:48:4d:d6:5f:a2:
        b1:2c:6b:bf:5b:00:6e:44:f1:8e:c9:a9:98:af:cf:ac:e1:cf:
        e2:f2:22:fc:0a:73:3a:34:5f:b2:ab:9f:5f:79:11:85:fe:11:
        e3:ee:62:c7:1f:65:34:51:c6:85:78:6f:24:a6:ed:cb:59:8b:
        d8:f7:d3:bf:84:f4:a1:4b:33:57:3c:24:b7:df:d1:c8:62:92:
        dd:f5:d4:8d:06:71:da:4f:26:3e:0b:94:54:0e:16:22:7e:70:
        32:0d:7a:3b:1e:b7:ee:d6:8d:79:3e:0e:0f:74:a2:a9:f8:0d:
        74:68:c6:f6:79:03:3d:76:15:2e:fa:1a:69:34:4e:21:40:fb:
        ef:ac:49:43:50:61:9c:c5:c2:b4:8d:16:ba:d1:3c:e3:03:46:
        da:6e:68:55:a3:67:0e:ab:ce:98:1b:b6:55:a6:b2:c2:0b:35:
        36:ad:ce:36

I'm passing the CA cert to urllib / sslcontext using this code:

    import ssl
    import urllib.error
    import urllib.request

    # ca (the CA certificate passed as cadata), config, data, mime, EXPORT_TIMEOUT
    # and logger come from the surrounding application and are not shown here.

    # Note that ssl.create_default_context() doesn't allow setting the context.protocol in a
    # way that's the same across Python 3.8 and 3.10 onwards. Whip the context up by hand.
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.minimum_version = ssl.TLSVersion.TLSv1_3
    context.set_alpn_protocols(['http/1.1'])
    context.verify_flags |= ssl.VERIFY_X509_STRICT
    if partial_chain := getattr(ssl, 'VERIFY_X509_PARTIAL_CHAIN', None):
        # Available starting from Python 3.10. The partial chain flag allows trusting an
        # intermediate CA in the CA list without the matching root CA.
        context.verify_flags |= partial_chain
    context.load_verify_locations(cadata=ca)

    try:
        with urllib.request.urlopen(  # noqa: S310
            urllib.request.Request(  # noqa: S310
                config.url,
                data=data,
                headers={'Content-Type': mime},
                method='POST',
            ),
            context=context,
            timeout=EXPORT_TIMEOUT,
        ):
            pass
    except urllib.error.HTTPError as e:
        resp = e.fp.read()[:1000]
        logger.exception(f'Tracing collector rejected our data, {e.code=} {resp=}')
    except OSError:
        # URLError, TimeoutError, SSLError, socket.error
        # Exception gets caught here
        pass

At the same time, cURL is happy with this CA.

Is Python being too strict?
Is it a bug?
Specifically, why validate the alt name in the CA?

CPython versions tested on:

3.12

Operating systems tested on:

Linux
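What `ssl.VERIFY_X509_STRICT` in the snippet above asks OpenSSL for is stricter RFC 5280 conformance checking on every certificate in the chain, the CA included, and RFC 5280 section 4.2.1.6 requires a subjectAltName extension that is present to contain at least one name. The stdlib-only preflight check below is an added example, not part of the issue or the reporter's code: it walks a certificate's DER and reports whether the SAN extension is absent, empty or populated, so a CA like the one dumped above can be caught before it reaches `load_verify_locations`. The DER samples it parses are constructed here to mirror the two extensions shown in the dumps (an empty SAN, and iPAddress 10.43.45.0).

```python
import base64
import re

SAN_OID = bytes.fromhex("0603551d11")  # DER of OID 2.5.29.17 (subjectAltName)

def _tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Yield (tag, value) for each TLV packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner

def san_status(der):
    """Return 'absent', 'empty' or 'present' for subjectAltName anywhere in der."""
    for tag, value in _children(der):
        if tag == 0x30 and value.startswith(SAN_OID):   # Extension { OID, [critical], OCTET STRING }
            extn_value = list(_children(value))[-1][1]  # OCTET STRING extnValue
            _, general_names, _ = _tlv(extn_value, 0)   # GeneralNames SEQUENCE
            return "empty" if not general_names else "present"
        if tag & 0x20:                                  # constructed: descend (tbs, [3], ...)
            found = san_status(value)
            if found != "absent":
                return found
    return "absent"

def pem_to_der(pem):
    """Strip the PEM armour lines and base64-decode the body."""
    return base64.b64decode("".join(re.sub(r"-----[^-]*-----", "", pem).split()))

def _wrap(tag, content):
    """Short-form DER TLV builder (content < 128 bytes) for the samples below."""
    return bytes([tag, len(content)]) + content

# Constructed samples mirroring the two dumps in the report: an empty SAN (OCTET
# STRING around a zero-length SEQUENCE) like the CA cert, and iPAddress
# 10.43.45.0 (GeneralName [7] = tag 0x87) like the server cert.
EMPTY_SAN_EXT = bytes.fromhex("3009 0603551d11 0402 3000")
IP_SAN_EXT = bytes.fromhex("300f 0603551d11 0408 3006 8704 0a2b2d00")
# Certificate-shaped nesting: SEQUENCE { SEQUENCE tbs { [3] { Extensions } } }
EMPTY_SAN_CERT = _wrap(0x30, _wrap(0x30, _wrap(0xA3, _wrap(0x30, EMPTY_SAN_EXT))))
IP_SAN_CERT = _wrap(0x30, _wrap(0x30, _wrap(0xA3, _wrap(0x30, IP_SAN_EXT))))
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(EMPTY_SAN_CERT).decode()
```

On a real file, `san_status(pem_to_der(open(path).read()))` returning `"empty"` is the case strict verification rejects; `"absent"` on a CA is fine, since the SAN requirement only applies when the extension is present.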

Labels: extension-modules (C modules in the Modules dir), pending (The issue will be closed if no feedback is provided), topic-SSL, type-bug (An unexpected behavior, bug, or error)