Chapter 6 Certificate no longer accepted in Python 3.7 about fopnp HOT 7 CLOSED

I should mention that I get this on the client when running
python safe_tls.py localhost 9000 -a ca.crt

from fopnp.

I wonder why it doesn't like the certificate any more? A more detailed error message from it would have been helpful. I'll see if I can find time soon to take a look. I guess I'll have to install Python 3.7 for the first time!

from fopnp.

I am not sure, and unfortunately that is the whole error message, but here is the full stack trace in case useful

Traceback (most recent call last):
  File "safe_tls.py", line 52, in <module>
    client(args.host, args.port, args.a)
  File "safe_tls.py", line 15, in client
    ssl_sock = context.wrap_socket(raw_sock, server_hostname=host)
  File "REDACTED/lib/python3.7/ssl.py", line 412, in wrap_socket
    session=session
  File "REDACTED/lib/python3.7/ssl.py", line 853, in _create
    self.do_handshake()
  File "REDACTED/lib/python3.7/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: invalid CA certificate (_ssl.c:1056)

from fopnp.

So I think I figured out the source of the problem. You are using the CN to verify the domain name, but this has officially been deprecated since 2000 (see RFC 2818)!

To work with Python 3.7 the domain name must be defined in the Subject Alternative Name (SAN) section (i.e. extension) of the certificate.

from fopnp.

FYI: I was able to make this work generating CA and server certs following this blog post: https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/

from fopnp.

Wow, thanks for working out the problem! Any interest in opening a pull request to contribute those certificates — were you able to update the certificate generating script to match the new requirements?

from fopnp.

Thanks again for reporting this error. I started a deep dive into the issue yesterday, and this morning have isolated the root cause: the CA was not actually labeled with CA:TRUE in its basicConstraints. I have regenerated the entire stack of certificates atop a new CA (thank goodness I wrote a Makefile, so I didn't need to reconstruct all the commands!) and no longer get the error cited. Let me know if you have any further problems!

from fopnp.