I upgraded Tornado from 4.1 to 4.2.1. Now my websocket client (using Tornado websocket) gets the following error when trying to connect to my server using a "wss" secure websocket. The server is also using Tornado. This was working with Tornado 4.1. Any suggestion?

    [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed

I can still connect to the same server using HTTPS without any problem.
The server is using Python 2.7.9 and openssl 1.0.2a. I'm using the following code in my server as recommended by Ben here https://goo.gl/dyG7eb.

    ssl_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ssl_ctx.load_cert_chain(os.path.join(data_dir, "mydomain.crt"),
                            os.path.join(data_dir, "mydomain.key"))
    HTTPServer(application, ssl_options=ssl_ctx)

John
On Sun, Jul 19, 2015 at 1:51 PM, JohnMudd <john...@gmail.com> wrote:
> I upgraded Tornado from 4.1 to 4.2.1. Now my websocket client (using Tornado websocket) gets the following error when trying to connect to my server using a "wss" secure websocket. The server is also using Tornado. This was working with Tornado 4.1. Any suggestion?
>
> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
>
> I can still connect to the same server using HTTPS without any problem.

Are the HTTPS connections using Tornado's AsyncHTTPClient or a browser? AsyncHTTPClient and websocket_connect should be doing exactly the same thing here.

Who was your certificate signed by? In Tornado 4.1 we used the Mozilla CA list (via the certifi package: https://pypi.python.org/pypi/certifi); in 4.2 we now use the operating system's CAs (when available, i.e. python 2.7.9+). There were some other TLS-related changes in 4.2 (http://www.tornadoweb.org/en/stable/releases/v4.2.0.html), to make defaults more strict, but websocket_connect should have already been using the strict configuration.
On Sunday, July 19, 2015 at 2:43:10 PM UTC-4, Ben Darnell wrote:
> On Sun, Jul 19, 2015 at 1:51 PM, JohnMudd <john...@gmail.com> wrote:
>> I upgraded Tornado from 4.1 to 4.2.1. Now my websocket client (using Tornado websocket) gets the following error when trying to connect to my server using a "wss" secure websocket. The server is also using Tornado. This was working with Tornado 4.1. Any suggestion?
>>
>> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
>>
>> I can still connect to the same server using HTTPS without any problem.
>
> Are the HTTPS connections using Tornado's AsyncHTTPClient or a browser? AsyncHTTPClient and websocket_connect should be doing exactly the same thing here.

HTTPS client is python using the requests module. It is set to verify the host.

> Who was your certificate signed by? In Tornado 4.1 we used the Mozilla CA list (via the certifi package: https://pypi.python.org/pypi/certifi); in 4.2 we now use the operating system's CAs (when available, i.e. python 2.7.9+). There were some other TLS-related changes in 4.2 (http://www.tornadoweb.org/en/stable/releases/v4.2.0.html), to make defaults more strict, but websocket_connect should have already been using the strict configuration.

Certificate is signed by GoDaddy.

The operating system where my server is running is old, Fedora release 7. The kernel is from 2008.
On Sun, Jul 19, 2015 at 3:57 PM, JohnMudd <john...@gmail.com> wrote:
> On Sunday, July 19, 2015 at 2:43:10 PM UTC-4, Ben Darnell wrote:
>> On Sun, Jul 19, 2015 at 1:51 PM, JohnMudd <john...@gmail.com> wrote:
>>> I upgraded Tornado from 4.1 to 4.2.1. Now my websocket client (using Tornado websocket) gets the following error when trying to connect to my server using a "wss" secure websocket. The server is also using Tornado. This was working with Tornado 4.1. Any suggestion?
>>>
>>> [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
>>>
>>> I can still connect to the same server using HTTPS without any problem.
>>
>> Are the HTTPS connections using Tornado's AsyncHTTPClient or a browser? AsyncHTTPClient and websocket_connect should be doing exactly the same thing here.
>
> HTTPS client is python using the requests module. It is set to verify the host.
>
>> Who was your certificate signed by? In Tornado 4.1 we used the Mozilla CA list (via the certifi package: https://pypi.python.org/pypi/certifi); in 4.2 we now use the operating system's CAs (when available, i.e. python 2.7.9+). There were some other TLS-related changes in 4.2 (http://www.tornadoweb.org/en/stable/releases/v4.2.0.html), to make defaults more strict, but websocket_connect should have already been using the strict configuration.
>
> Certificate is signed by GoDaddy.
>
> The operating system where my server is running is old, Fedora release 7. The kernel is from 2008.

It's the client's OS that matters, not the server. If the client is also that old then I would not be surprised that it's not working; you should really upgrade to an OS that is still getting security updates. In any case, you should be able to switch from the OS CA store to certifi with something like `websocket_connect(tornado.httpclient.HTTPRequest(url, ca_certs=certifi.where()))`
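
A way to check, on the client machine, what each of the two CA sources discussed in this thread actually provides. This is an added example, not code from the thread or from Tornado; it is written for Python 3 with only the standard `ssl` module, the function names are illustrative, and certifi is used only if it happens to be installed.

```python
import ssl


def client_context(cafile=None):
    """Verifying client context: OS CA store if cafile is None, else that bundle."""
    # With no cafile, create_default_context() calls load_default_certs().
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)


def trust_store_report(ctx):
    """Summarise what this context enforces and how many CAs it has loaded."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        # Counts certificates loaded so far; a capath directory is read lazily.
        "ca_count": ctx.cert_store_stats()["x509_ca"],
    }


def cas_matching(ca_certs, needle):
    """Organisation names in ctx.get_ca_certs() output that contain needle."""
    found = []
    for ca in ca_certs:
        # subject is a tuple of RDNs, each a tuple of (field, value) pairs
        fields = dict(pair for rdn in ca.get("subject", ()) for pair in rdn)
        org = fields.get("organizationName", "")
        if needle.lower() in org.lower():
            found.append(org)
    return sorted(set(found))


if __name__ == "__main__":
    stores = {"OS store": None}
    try:
        import certifi  # assumption: certifi is installed on the client
        stores["certifi"] = certifi.where()
    except ImportError:
        pass
    for name, cafile in stores.items():
        ctx = client_context(cafile)
        print(name, trust_store_report(ctx))
        # "GoDaddy" is the issuer named in the thread
        print("  matching CAs:", cas_matching(ctx.get_ca_certs(), "GoDaddy"))
```

An OS store that reports few or no CAs, or none matching the certificate's issuer, while the certifi bundle does, points at the client's trust store rather than at the server certificate.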