zepiaf / hydroqc

Hydro Quebec API wrapper.

SSL is failing for session.hydroquebec.com:443

clauderobi opened this issue · comments

The TLS handshake is failing at the certificate verification stage. Using openssl s_client -connect session.hydroquebec.com:443 it appears as though the server is not providing the whole certificate chain up to the actual root.

The same verification with openssl s_client -connect www.hydroquebec.com:443 works perfectly. The whole chain is present.

Did you have to manually insert the missing certificates in cacert.pem?

I had the very same issue and did not figure it out. Personally, I use it with no verification, hence the option in the config. If you figure it out, feel free to push a PR; otherwise it will be insecure until I have time to dig into the issue.

It appears that OpenSSL does not do "certificate discovery", at least that is what my reading indicated. The only solution is to download the missing intermediate certificate and add it to cacert.pem. It is actually fairly easy: simply open the URL with a browser, view the certificate and download the chain. Pick only the intermediate certificate (there are 3 certificates when you download the chain: the site, the intermediate and the root CA) and add it to the file. To verify that you have the correct intermediate certificate, use an online decoder and check that the CN is "Entrust Certification Authority - L1M".

Oh, yes, when you put session.hydroquebec.com in the browser, a redirect takes place and you end up at connexion.hydroquebec.com, but it is OK: they use the same intermediate and root CA certificates.

Too bad that OpenSSL (which I assume Python is using) does not do the discovery itself as browsers do.

I did a bit of digging into solutions for this.

Right now I do the following:

  • Put the chain in the folder
  • Set the REQUESTS_CA_BUNDLE env var
    export REQUESTS_CA_BUNDLE=hydro-chain.pem

Then the validation will work.

I have found more info on how to set the CA bundle from within the request here, using requests.get('https://github.com', verify='/path/to/certfile'), but I am not sure how to integrate this into the code since I am no Python expert. I will poke around the code and try to figure it out later.
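The two procedures above (spotting that the server omits the intermediate, then appending that intermediate to a CA bundle that requests is pointed at with verify=... or REQUESTS_CA_BUNDLE) can be automated from the text that openssl s_client -showcerts prints. The script below is an added example, not hydroqc's code and not from anyone in this thread. The two s_client outputs are constructed samples with placeholder PEM bodies (nothing here decodes them cryptographically; the check is purely on the s:/i: subject and issuer lines), the set of trusted root CNs is an assumption standing in for what the local trust store contains, and the placeholder cacert.pem stands in for certifi.where():

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sample of `openssl s_client -connect session.hydroquebec.com:443
# -showcerts`: only the leaf is sent, so verification stops with error 20.
# PEM bodies are placeholders, not real certificates.
SESSION_OUTPUT = """\
depth=0 C = CA, ST = Quebec, L = Montreal, O = Hydro-Quebec, CN = session.hydroquebec.com
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:C = CA, ST = Quebec, L = Montreal, O = Hydro-Quebec, CN = session.hydroquebec.com
   i:C = US, O = Entrust, Inc., OU = See www.entrust.net/legal-terms, CN = Entrust Certification Authority - L1M
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-session.hydroquebec.com
-----END CERTIFICATE-----
---
"""

# Constructed sample for www.hydroquebec.com: leaf plus intermediate are sent.
WWW_OUTPUT = """\
Certificate chain
 0 s:C = CA, ST = Quebec, L = Montreal, O = Hydro-Quebec, CN = www.hydroquebec.com
   i:C = US, O = Entrust, Inc., OU = See www.entrust.net/legal-terms, CN = Entrust Certification Authority - L1M
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-www.hydroquebec.com
-----END CERTIFICATE-----
 1 s:C = US, O = Entrust, Inc., OU = See www.entrust.net/legal-terms, CN = Entrust Certification Authority - L1M
   i:C = US, O = Entrust, Inc., OU = See www.entrust.net/legal-terms, CN = Entrust Root Certification Authority - G2
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-Entrust-L1M
-----END CERTIFICATE-----
---
"""

# Assumption: root CNs present in the local trust store (certifi ships this one).
TRUSTED_ROOT_CNS = {"Entrust Root Certification Authority - G2"}

# One entry of the "Certificate chain" listing: index, s: line, i: line, PEM.
# OpenSSL 3 inserts "a:" and "v:" detail lines between i: and the PEM.
CERT_RE = re.compile(
    r"^ *\d+ s:(?P<subject>[^\n]*)\n"
    r" *i:(?P<issuer>[^\n]*)\n"
    r"(?: *[av]:[^\n]*\n)*"
    r"(?P<pem>-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----\n)",
    re.MULTILINE | re.DOTALL,
)


def cn_of(dn: str) -> str:
    """CN attribute of an OpenSSL one-line DN such as 'C = US, O = X, CN = Y'."""
    m = re.search(r"CN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else dn.strip()


def parse_chain(s_client_output: str) -> list:
    """Certificates in the order the server sent them (leaf first)."""
    return [{"subject": m["subject"].strip(), "issuer": m["issuer"].strip(),
             "pem": m["pem"]} for m in CERT_RE.finditer(s_client_output)]


def missing_issuer(chain: list, trusted_cns: set) -> Optional[str]:
    """CN of the first issuer the chain needs that the server did not send and
    the trust store does not hold, or None if the chain links to a trusted root."""
    sent = {cn_of(c["subject"]) for c in chain}
    for cert in chain:
        issuer = cn_of(cert["issuer"])
        if issuer == cn_of(cert["subject"]):  # self-signed root, nothing above it
            continue
        if issuer not in sent and issuer not in trusted_cns:
            return issuer
    return None


def pem_for_cn(chain: list, cn: str) -> str:
    """PEM block of the certificate whose subject CN is `cn` (KeyError if absent)."""
    for cert in chain:
        if cn_of(cert["subject"]) == cn:
            return cert["pem"]
    raise KeyError(cn)


def build_bundle(base_bundle: Path, extra_pems: list, out: Path) -> Path:
    """Write base bundle (in practice certifi.where()) plus the extra PEM certs."""
    base = base_bundle.read_text()
    out.write_text(base + ("" if base.endswith("\n") else "\n") + "".join(extra_pems))
    return out


def demo() -> dict:
    """Run the whole procedure on the constructed samples in a temp directory."""
    missing = missing_issuer(parse_chain(SESSION_OUTPUT), TRUSTED_ROOT_CNS)
    # www.hydroquebec.com serves the same intermediate, so take it from there.
    intermediate = pem_for_cn(parse_chain(WWW_OUTPUT), missing)
    work = Path(tempfile.mkdtemp())
    base = work / "cacert.pem"  # constructed stand-in for certifi's bundle
    base.write_text("-----BEGIN CERTIFICATE-----\nPLACEHOLDER-ROOT-Entrust-G2\n"
                    "-----END CERTIFICATE-----\n")
    bundle = build_bundle(base, [intermediate], work / "hydro-chain.pem")
    return {"missing_cn": missing, "bundle": bundle,
            "cert_count": bundle.read_text().count("-----BEGIN CERTIFICATE-----")}


if __name__ == "__main__":
    r = demo()
    print(f"server omitted: {r['missing_cn']}; {r['cert_count']} certs in {r['bundle']}")
    print(f"use: requests.get(url, verify='{r['bundle']}') or export REQUESTS_CA_BUNDLE={r['bundle']}")
```

Two caveats a practitioner would want: confirm the assembled bundle with openssl s_client -connect session.hydroquebec.com:443 -CAfile hydro-chain.pem (the string-level check above only says which certificate is absent, it does not validate signatures), and remember that a private bundle carrying a pinned intermediate has to be refreshed when the site moves to a different intermediate, otherwise verification will fail again. Shipping the bundle beats the "no verification" option in the config, which leaves the session open to interception.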

Thanks for the digging. I think it's doable using certifi here (the Python module in the background that handles this). I'll try to put a fix in ASAP. Happy peak event to both of you for tomorrow 😀

This should be fixed now; I basically implemented the suggestion by @mdallaire.
Thanks, both.