16

I am getting an SSL "bad handshake" error. Most similar responses to this problem seem to stem from old libraries, 1024-bit cert. incompatibility, etc. I think I'm up to date, and can't figure out why I'm getting this error.

SETUP:

  • requests 2.13.0
  • certifi 2017.01.23
  • 'OpenSSL 1.0.2g 1 Mar 2016'

I'm hitting this API (2048bit certificate key): https://api.sidecar.io/rest/v1/provision/application/device/count/

And getting this error: requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",)

See l.44 of https://github.com/sidecar-io/sidecar-python-sdk/blob/master/sidecar.py

If I set verify=False in requests, I can bypass it, but I'd rather figure out why the certification is failing.

Any help is greatly appreciated; thanks!

4 Answers

16

The validation fails because the server you access is set up improperly, i.e. it is not a fault of your setup or code. Looking at the report from SSLLabs you see:

This server's certificate chain is incomplete. Grade capped to B.

This means that the server sends a certificate chain which is missing an intermediate certificate to the trusted root, and thus your client cannot build the trust chain. Most desktop browsers work around this problem by trying to get the missing certificate from somewhere else, but normal TLS libraries will fail in this case. You would need to explicitly add the missing chain certificate as trusted to work around this problem:

import requests
requests.get('https://api.sidecar.io', verify = 'mycerts.pem')

mycerts.pem should contain the missing intermediate certificate and the trusted root certificate. A tested version for mycerts.pem can be found in http://pastebin.com/aZSKfyb7.
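
The chain-building failure described in this answer, as an added example that is not part of the original answer: a small model that follows issuer names from the leaf until it reaches a trusted self-signed root or finds a certificate nobody supplied. The certificate names are constructed, and the model assumes issuer/subject chaining only (real verification also checks signatures, validity dates and constraints).

```python
from typing import List, NamedTuple, Optional, Tuple


class Cert(NamedTuple):
    subject: str
    issuer: str


def build_path(leaf: Cert, presented: List[Cert],
               trusted: List[Cert]) -> Tuple[List[Cert], Optional[str]]:
    """Return (path, missing). missing is None when the path ends at a
    trusted self-signed root, else the name of the cert that is absent."""
    untrusted = {c.subject: c for c in presented}   # sent by the server
    anchors = {c.subject: c for c in trusted}       # the client's CA file
    path, current = [leaf], leaf
    while current.subject != current.issuer:        # stop at a self-signed cert
        issuer = anchors.get(current.issuer) or untrusted.get(current.issuer)
        if issuer is None or issuer in path:        # absent, or a naming loop
            return path, current.issuer
        path.append(issuer)
        current = issuer
    if current.subject not in anchors:              # self-signed but not trusted
        return path, current.subject
    return path, None


# Constructed sample PKI (hypothetical names, not the certificates from the question).
ROOT = Cert("Example Root CA", "Example Root CA")
INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA")
LEAF = Cert("api.example.test", "Example Intermediate CA")

if __name__ == "__main__":
    cases = {
        "server omits intermediate": ([LEAF], [ROOT]),
        "server sends full chain": ([LEAF, INTERMEDIATE], [ROOT]),
        "client CA file adds intermediate": ([LEAF], [INTERMEDIATE, ROOT]),
    }
    for name, (presented, trusted) in cases.items():
        path, missing = build_path(LEAF, presented, trusted)
        status = "verified" if missing is None else f"missing: {missing}"
        print(f"{name}: {' -> '.join(c.subject for c in path)} ({status})")
```

The third case corresponds to passing a CA file that holds both the intermediate and the root through `verify=`: the server still sends an incomplete chain, but the client can complete the path from its own file.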


9

This may help as workaround for your issue.

print(requests.get(url, proxies=proxies, verify=False))

2 Comments

Because verify=False skips SSL verification.
The original question already mentions verify=False as a bypass, but asks for a proper solution.
2

I fixed it using the python-certifi-win32 package:

pip install python-certifi-win32

or with Anaconda:

conda install -c conda-forge python-certifi-win32

then you can use:

requests.get(url)
# or
requests.get(url, verify=True)

and the certificate is checked using the Windows Certificate Store.

This only works if the certificate is installed in the Windows Certificate Store.

2

Try:

sudo apt install ca-certificates
