[Django] #35653: SSL error sending mail


Django

Aug 1, 2024, 11:24:45 AM
to django-...@googlegroups.com
#35653: SSL error sending mail
-------------------------+---------------------------------------
Reporter: dkaylor | Type: Bug
Status: new | Component: Core (Mail)
Version: 5.0 | Severity: Normal
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------+---------------------------------------
We have an SMTP server that is not signed by a public CA. Sending email
with no SSL settings results in an "SSL: CERTIFICATE_VERIFY_FAILED" error.

If we set EMAIL_SSL_CERTFILE, we receive the same error. We do not have
access to the key file to test with EMAIL_SSL_KEYFILE. Clients often do
not have access to keys so this shouldn't be required.

Django is loading the cert files with load_cert_chain, but I believe
load_verify_locations would be more appropriate:

https://github.com/django/django/blob/main/django/core/mail/backends/smtp.py#L63

The examples in the Python docs use the former for servers and the latter
for clients:

https://docs.python.org/3/library/ssl.html

I wrote a simple test with load_cert_chain and it fails with the same SSL
error:
{{{
ssl_context.load_cert_chain(cacert)
}}}

If I change to load_verify_locations, it works:
{{{
ssl_context.load_verify_locations(cacert)
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/35653>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Aug 1, 2024, 11:26:06 AM
to django-...@googlegroups.com
#35653: SSL error sending mail
-----------------------------+--------------------------------------
Reporter: dkaylor | Owner: (none)
Type: Bug | Status: new
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+--------------------------------------
Changes (by dkaylor):

* version: 5.0 => 4.2

--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:1>

Django

Aug 1, 2024, 12:34:09 PM
to django-...@googlegroups.com
#35653: SSL error sending mail
-----------------------------+--------------------------------------
Reporter: dkaylor | Owner: (none)
Type: Bug | Status: new
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+--------------------------------------
Changes (by Sarah Boyce):

* cc: Mike Edmunds (added)

--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:2>

Django

Aug 1, 2024, 3:47:38 PM
to django-...@googlegroups.com
#35653: SSL error sending mail
-----------------------------+--------------------------------------
Reporter: dkaylor | Owner: (none)
Type: Bug | Status: new
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+--------------------------------------
Comment (by Mike Edmunds):

This makes sense to me, but Python's SSL/TLS is a little outside my
expertise. It would be good to get Mariusz's input.

Django 4.2 changed to use ssl.create_default_context() if neither certfile
nor keyfile is set. This enables certificate validation and hostname
checking, and is a Python [https://docs.python.org/3/library/ssl.html
#security-considerations ssl security best practice].

I wonder if we shouldn't also be using
ssl.create_default_context(capath=...) when an EMAIL_SSL_CERTFILE is
provided, for exactly the same reasons? Followed by load_cert_chain() when
necessary. (This would require a release note
[https://docs.djangoproject.com/en/4.2/releases/4.2/#miscellaneous:~:text=EmailBackend%20now%20verifies%20a%20hostname%20and%20certificates.%20If%20you%20need%20the%20previous%20behavior%20that%20is%20less%20restrictive%20and%20not%20recommended%2C%20subclass%20EmailBackend%20and%20override%20the%20ssl_context%20property.
similar to the one in 4.2].)

See also ticket:34550 and [https://stackoverflow.com/a/78474038 this
StackOverflow answer].
--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:3>
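The following is an added example (not code from the ticket, the reporter, or Django) that reproduces, with the standard library only, the two behaviours discussed above: the reporter's observation that load_cert_chain() fails on a CA-only PEM while load_verify_locations() works, and Mike's suggestion of building the context with ssl.create_default_context() plus a CA file and only then calling load_cert_chain() for a client identity. Two facts about Python's ssl module drive it: ssl.SSLContext(PROTOCOL_TLS_CLIENT) verifies peers but starts with an empty trust store, so nothing is trusted until CAs are loaded, and load_cert_chain() requires a private key (in certfile or keyfile), so a file holding only a CA certificate is rejected. The throwaway CA is generated with the openssl CLI; that fixture, the helper names, and the use of a temporary directory are assumptions made for this example.

```python
"""Reproduce the CA-file handling discussed in the ticket using only the stdlib."""
import os
import shutil
import ssl
import subprocess
import tempfile


def bare_client_context():
    """A context like the one a certfile-only configuration gets: it does
    verify peers (CERT_REQUIRED + check_hostname), but its trust store is
    EMPTY, so every handshake fails with CERTIFICATE_VERIFY_FAILED until
    load_verify_locations() or load_default_certs() is called."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def build_client_context(cafile=None, certfile=None, keyfile=None):
    """Client-side pattern: trust anchors via create_default_context(cafile=...)
    (system CAs when cafile is None), then an optional client certificate
    via load_cert_chain(). The CA file never needs a private key."""
    ctx = ssl.create_default_context(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def verifies_peer(ctx):
    """True when the context both checks the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def make_test_ca(directory):
    """Hypothetical test fixture: a self-signed CA made with the openssl CLI.
    Returns (cert_path, key_path), or None if openssl is not installed."""
    if shutil.which("openssl") is None:
        return None
    cert = os.path.join(directory, "ca.pem")   # certificate only
    key = os.path.join(directory, "ca.key")    # private key kept separate
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1", "-subj", "/CN=Test CA"],
        check=True, capture_output=True,
    )
    return cert, key


def reproduce():
    """Feed the CA-only PEM to both APIs and report what happened.
    Returns None when openssl is unavailable."""
    with tempfile.TemporaryDirectory() as d:
        ca = make_test_ca(d)
        if ca is None:
            return None
        cert, key = ca
        result = {}

        # 1. What the reporter saw: load_cert_chain() on a CA-only file.
        ctx = bare_client_context()
        try:
            ctx.load_cert_chain(cert)  # no private key in the file -> SSLError
            result["load_cert_chain_raised"] = False
        except ssl.SSLError:
            result["load_cert_chain_raised"] = True

        # 2. What works: the CA becomes a trust anchor.
        ctx = bare_client_context()
        ctx.load_verify_locations(cafile=cert)
        result["certs_trusted"] = ctx.cert_store_stats()["x509"]

        # 3. The combined pattern: private CA as trust anchor, plus a client
        #    identity (here the same test key pair) via load_cert_chain().
        ctx = build_client_context(cafile=cert, certfile=cert, keyfile=key)
        result["combined_verifies_peer"] = verifies_peer(ctx)
        return result


if __name__ == "__main__":
    print("bare trust store:", bare_client_context().cert_store_stats())
    print(reproduce())
```

To apply the same idea to a Django deployment without waiting on the ticket, the 4.2 release note linked above points at the supported hook: subclass the SMTP EmailBackend and override its ssl_context property to return build_client_context(cafile=<your CA bundle>), passing certfile/keyfile only if the server actually demands a client certificate. Keep check_hostname enabled; the fix for a private CA is to trust that CA, not to turn verification off.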

Django

Aug 1, 2024, 4:25:56 PM
to django-...@googlegroups.com
#35653: SSL error sending mail
-----------------------------+--------------------------------------
Reporter: dkaylor | Owner: (none)
Type: Bug | Status: new
Component: Core (Mail) | Version: 4.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-----------------------------+--------------------------------------
Changes (by Sarah Boyce):

* cc: Mariusz Felisiak (added)

--
Ticket URL: <https://code.djangoproject.com/ticket/35653#comment:4>