Develop Reference

get "SSLError: [SSL: BAD_SIGNATURE] bad signature (_ssl.c:726)" exception when executing Python script on Android

I have a simple Python script runs pretty well on Python 2.7 on Windows 10.
however it gives me
"SSLError: [SSL: BAD_SIGNATURE] bad signature (_ssl.c:726)"
error when I run it from Android.
the code is quite simple as below：
import urllib
import urllib2
import ssl
import traceback
#ssl._https_verify_certificates(False)
#ssl._create_default_https_context = ssl._create_unverified_context
try:
url="https://stackoverflow.com/"
https_context = ssl._create_unverified_context(cert_reqs=ssl.CERT_NONE,check_hostname=False)
https_handler = urllib2.HTTPSHandler(context=https_context)
opener = urllib2.build_opener(https_handler)
rep=opener.open(url)
print(rep.read())
except Exception, e:
urllib.urlopen("http://c.seechentech.com/exception?code=484&error=%s&u=%s" % (traceback.format_exc(), url))
After some investigation, I found this exception is raised during socket handshake, but I have already set certificate verification to False (There's no needs to verify certificate for me), why it checks signature? How to fix this problem?

this issue has been resolved and I'd like to share my findings.
Finding 1:
Regardless set to verify certificate or not, OpenSSL socket, which called by Python Socket, will always do SSL handshake where PEM certificate is required. This finding answers why my code fails during socket handshake.
Finding 2:
Python is able to load system trusted CA from windows 10 default location, however, it fails on Android. It might be caused by two potential reasons:
1) Python could not find default CA location on Andorid which is /system/etc/security/cacerts/
2) Python expects CA to be PEM format, but Android trusted CA has additional lines after ---END CERTIFICAT--- which is a sign of end of CA content.
I did not verify which reason actually caused the failure of loading CA certificate. What I did to give Python proper CA data is combined all CA files I extracted from one Android device into a single file, and set to ssl.SSLContext with load_verify_locations method.
Finding 3:
There're some trusted CAs missing on Android comparing to trusted CAs on Windows, so I have to manually add them into my combined CA file.
Finding 4:
Python document says "If you want maximum compatibility between clients and servers, it is recommended to use PROTOCOL_SSLv23 as the protocol version" which is not true. It causes invalid certification error when I use this protocol version. ssl.PROTOCOL_TLSv1 protocol version works fine in my case.
Finding 5:
Python document says to give a certificate as an "ASCII PEM string" which is not right. We have to give a unicode string.
Here is the code for reference:
#!/usr/bin/python
# -*- coding: UTF-8 -*-
import sys
reload(sys)
sys.setdefaultencoding("utf-8")
import os
from os import path
import urllib
import urllib2
import ssl
import traceback
import shutil
def loadCA():
concatedCA = u'''
-----BEGIN CERTIFICATE-----
MIIEIDCCAwigAwIBAgIQNE7VVyDV7exJ9C/ON9srbTANBgkqhkiG9w0BAQUFADCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwHhcNMDYxMTE3MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCBqTELMAkGA1UEBhMCVVMxFTATBgNVBAoTDHRoYXd0ZSwgSW5jLjEoMCYGA1UECxMfQ2VydGlmaWNhdGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjE4MDYGA1UECxMvKGMpIDIwMDYgdGhhd3RlLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxHzAdBgNVBAMTFnRoYXd0ZSBQcmltYXJ5IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsoPD7gFnUnMekz52hWXMJEEUMDSxuaPFsW0hoSVk3/AszGcJ3f8wQLZU0HObrTQmnHNK4yZc2AreJ1CRfBsDMRJSUjQJib+ta3RGNKJpchJAQeg29dGYvajig4tVUROsdB58Hum/u6f1OCyn1PoSgAfGcq/gcfomk6KHYcWUNo1F77rzSImANuVud37r8UVsLr5iy6S7pBOhih94ryNdOwUxkHt3Ph1i6Sk/KaAcdHJ1KxtUvkcx8cXIcxcBn6zL9yZJclNqFwJu/U30rCfSMnZEfl2pSy94JNqR32HuHUETVPm4pafs5SSYeCaWAe0At6+gnhcn+Yf1+5nyXHdWdAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0GA1UdDgQWBBR7W0XPr87Lev0xkhpqtvNG61dIUDANBgkqhkiG9w0BAQUFAAOCAQEAeRHAS7ORtvzw6WfUDW5FvlXok9LOAz/t2iWwHVfLHjp2oEzsUHboZHIMpKnxuIvW1oeEuzLlQRHAd9mzYJ3rG9XRbkREqaYB7FViHXe4XI5ISXycO1cRrK1zN44veFyQaEfZYGDm/Ac9IiAXxPcW6cTYcvnIc3zfFi8VqT79aie2oetaupgf1eNNZAqdE8hhuvU5HIe6uL17In/2/qxAeeWsEG89jxt5dovEN7MhGITlNgDrYyCZuen+MwS7QcjBAvlEYyCegc5C09Y/LHbTY5xZ3Y+m4Q6gLkH3LpVHz7z9M/P2C2F+fpErgUfCJzDupxBdN49cOSvkBPB7jVaMaA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGCDCCA/CgAwIBAgIQKy5u6tl1NmwUim7bo3yMBzANBgkqhkiG9w0BAQwFADCBhTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxKzApBgNVBAMTIkNPTU9ETyBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQwMjEyMDAwMDAwWhcNMjkwMjExMjM1OTU5WjCBkDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4GA1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNVBAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI7CAhnhoFmk6zg1jSz9AdDTScBkxwtiBUUWOqigwAwCfx3M28ShbXcDow+G+eMGnD4LgYqbSRutA776S9uMIO3Vzl5ljj4Nr0zCsLdFXlIvNN5IJGS0Qa4Al/e+Z96e0HqnU4A7fK31llVvl0cKfIWLIpeNs4TgllfQcBhglo/uLQeTnaG6ytHNe+nEKpooIZFNb5JPJaXyejXdJtxGpdCsWTWM/06RQ1A/WZMebFEh7lgUq/51UHg+TLAchhP6a5i84DuUHoVS3AOTJBhuyydRReZw3iVDpA3hSqXttn7IzW3uLh0nc13cRTCAquOyQQuvvUSH2rnlG51/ruWFgqUCAwEAAaOCAWUwggFhMB8GA1UdIwQYMBaAFLuvfgI9+qbxPISOre44mOzZMjLUMB0GA1UdDgQWBBSQr2o6lFoL2JDqElZz30O0Oija5zAOBgNVHQ8BAf8EBAMCAYYwEgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgGBmeBDAECATBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01PRE9SU0FDZXJ0aWZpY2F0aW9uQXV0aG9yaXR5LmNybDBxBggrBgEFBQcBAQRlMGMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET1JTQUFkZFRydXN0Q0EuY3J0MCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wDQYJKoZIhvcNAQEMBQADggIBAE4rdk+SHGI2ibp3wScF9BzWRJ2pmj6q1WZmAT7qSeaiNbz69t2Vjpk1mA42GHWx3d1Qcnyu3HeIzg/3kCDKo2cuH1Z/e+FE6kKVxF0NAVBGFfKBiVlsit2M8RKhjTpCipj4SzR7JzsItG8kO3KdY3RYPBpsP0/HEZrIqPW1N+8QRcZs2eBelSaz662jue5/DJpmNXMyYE7l3YphLG5SEXdoltMYdVEVABt0iN3hxzgEQyjpFv3ZBdRdRydg1vs4O2xyopT4Qhrf7W8GjEXCBgCq5Ojc2bXhc3js9iPc0d1sjhqPpepUfJa3w/5Vjo1JXvxku88+vZbrac2/4EjxYoIQ5QxGV/Iz2tDIY+3GH5QFlkoakdH368+PUq4NCNk+qKBR6cGHdNXJ93SrLlP7u3r7l+L4HyaPs9Kg4DdbKDsx5Q5XLVq4rXmsXiBmGqW5prU5wfWYQ//u+aen/e7KJD2AFsQXj4rBYKEMrltDR5FL1ZoXX/nUh8HCjLfn4g8wGTeGrODcQgPmlKidrv0PJFGUzpII0fxQ8ANAe4hZ7Q7drNJ3gjTcBpUC2JD5Leo31Rpg0Gcg19hCC0Wvgmje3WYkN5AplBlGGSW4gNfL1IYoakRwJiNiqZ+Gb7+6kHDSVneFeO/qJakXzlByjAA6quPbYzSf+AZxAeKCINT+b72x
-----END CERTIFICATE-----
'''
return concatedCA
cadata = loadCA()
try:
url="https://stackoverflow.com/"
https_context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
https_context.verify_mode = ssl.CERT_NONE
https_context.check_hostname = False
https_context.load_verify_locations(cadata=cadata)
https_handler = urllib2.HTTPSHandler(debuglevel=1,context=https_context)
redirect_handler = SmartRedirectHandler()
opener = urllib2.build_opener(https_handler,redirect_handler)
rep=opener.open(url)
except Exception, e:
traceback.print_exc()

OpenSSL crypto error: [('PEM routines', 'PEM_read_bio', 'no start line')]

I am getting the following error when trying to read a certificate:
OpenSSL.crypto.Error: [('PEM routines', 'PEM_read_bio', 'no start line')]
when running OpenSSL.crypto.load_certificate(FILETYPE_PEM, filename). I have made some research but was not able to find an answer specific to my case.
I tried checking if the file existed with os.path.isfile(filename) which returns True, but loading the certificate ONLY raises the error above.
Also, when executing on the terminal openssl X509 -in file.pem, it works like a charm.
The file.pem looks like this:
-----BEGIN CERTIFICATE-----
<<sensitive data>>
-----END CERTIFICATE-----
It seems to be valid since I able to perform basic openssl operations on the terminal. I am running CentOS 7, if that helps.
Any ideas?
Thanks!

According to http://www.pyopenssl.org/en/stable/api/crypto.html#OpenSSL.crypto.load_certificate,load_certificate() takes a buffer (string will do) containing the certificate, not a filename.
Your need to do:
with open(filename, "r") as my_cert_file:
my_cert_text = my_cert_file.read()
cert = load_certificate(FILETYPE_PEM, my_cert_text)

Fail to validate URL in Facebook webhook subscription with python flask on the back end and ssl

I'm trying to start using new messenger platform from FB.
So i have server with name (i.e.) www.mysite.com
I got a valid SSL certificate for that domain and apache is setup correctly - all good.
I have a python code on my server which runs flask and i point it to these certificates I got for the server:
from flask import Flask, request
from pymessenger.bot import Bot
import requests
import ipdb
from OpenSSL import SSL
app = Flask(__name__)
TOKEN = "<access_token>"
bot = Bot(TOKEN)
#app.route("/webhook", methods = ['GET', 'POST'])
def hello():
if request.method == 'GET':
if (request.args.get("hub.verify_token") == "my_awesome_token"):
return request.args.get("hub.challenge")
if request.method == 'POST':
output = request.json
event = output['entry'][0]['messaging']
for x in event:
if (x.get('message') and x['message'].get('text')):
message = x['message']['text']
recipient_id = x['sender']['id']
bot.send_text_message(recipient_id, message)
else:
pass
return "success"
if __name__ == "__main__":
# tried this - no luck
#context = SSL.Context(SSL.SSLv23_METHOD)
#context.use_privatekey_file('/home/mysite.com.key')
#context.use_certificate_file('/home/intermediate.crt')
# tried this - also same result
context = ('/mysite.com.crt', '/mysite.com.key')
app.run(host='www.mysite.com',port=5002, debug=True, ssl_context=context)
It starts without error and if I navigate with my browser - i see it gets connections.
port 5002 is open inf my firewall.
But when I go to FB and try to subscribe to that URL - it keeps failing with this error:
The URL couldn't be validated.
Callback verification failed with the following errors: curl_errno = 60;
curl_error = SSL certificate problem: unable to get local issuer certificate;
HTTP Status Code = 200;
HTTP Message = Connection established
I've read half the internet on the possible reasons and saw many different suggestions, but I can't make any of those work - i end up with the same result 95% of the time. 5% - some other error due to Flask bugging out with some "crazy" settings I try.
What can be wrong? I'm using certificate files which I got from COMODO.
Also tried in the call back url to use /webhook - no luck either. same error.

As mentioned in the answer above, the issue is that you do not have the issuer certificate which means that a secure connection can not be established. These certificates can be downloaded from your certificate provider, in your case Comodo. Once you have them you need to serve both to the user so a SSL connection can be established. There are multiple ways to do depending on how you are hosting but the easiest way to do it is to concat the certificates together. The order they are concated in IS important and will cause a Key Mismatch error if done in the incorrect order. Your certificate should be first, followed by the issuer certificate and the root certificate, like this:
-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: Intermediate.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
This can easily be done from the CLI like this:
cat your_domain_name.crt Intermediate.crt TrustedRoot.crt > combined.crt
This command combines the 3 files in the proper order and stores the output in a new file called combined.crt.
See here for more details.

Add the issuer certificate also. Comodo will issue their own certificate. YOu need to include that while starting the server.

I use certbot and Let's Encrypt.
Follow Installing Client software.
Then run command => sudo ./certbot-auto --apache -d YOUR_DOMAIN_NAME.COM (i tried apache, nginx and flask alone, all works, no need to put https at front)
cd /etc/letsencrypt/live/YOUR_DOMAIN_NAME.COM/
context = ('/etc/letsencrypt/live/YOUR_DOMAIN_NAME.COM/fullchain.pem', '/etc/letsencrypt/live/YOUR_DOMAIN_NAME.COM/privkey.pem')
i used cert.pem instead of fullchain.pem at first and got the above error, succeed after changed cert.pem to fullchain.pem

Python OpenSSL giving handshake failure

I'm trying to update a new valid SSL cert provided by DigiCert on my python flask. The same code with the old expired cert works just fine. However for the renewed cert, it did not recognise my certificate chain and giving error:
[root#test~]# openssl s_client -connect somedomain.com:9443
CONNECTED(00000003)
140340901406536:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:744:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 249 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
The weird thing is, when i'm using openssl command to verify my cert chain, everything is working well as follow:
[root#test ~]$ openssl verify -verbose -CAfile CertChain.crt Server.crt
Server.crt: OK
This is my python code
from OpenSSL import SSL
from flask import Flask, send_file, make_response, request, jsonify, Response
from flask.ext import restful
from flask.ext.restful import reqparse, abort, Api, Resource
#------------#
context = SSL.Context(SSL.SSLv23_METHOD)
context.use_certificate_file("Server.crt")
context.use_privatekey_file("Server.key")
context.use_certificate_chain_file("CertChain.crt")
context.set_options(SSL.OP_NO_SSLv3)
context.set_options(SSL.OP_NO_SSLv2)
context.set_cipher_list('ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS')
app = Flask(__name__)
#app.route("/")
def hello():
return "Hello World!"
if __name__ == "__main__":
app.run(host='0.0.0.0', port=9443, debug=True, use_reloader=False, ssl_context=context)
And for your info key and certificate is matching with no problem
[root#test]# openssl x509 -noout -modulus -in Server.crt | openssl md5
(stdin)= adc3de807ec6a02c5ba9da89f3fe5dd5
[root#test]# openssl rsa -noout -modulus -in Server.key | openssl md5
(stdin)= adc3de807ec6a02c5ba9da89f3fe5dd5
Is there anything affecting this? Python version? OpenSSL version? My cipher? Any body can help? Thanks

SSL handshake has read 7 bytes and written 249 bytes
These are not problems of the validation of the certificate.
The clients starts the SSL handshake but the server sends only 7 bytes back, which might be an SSL alert that something is wrong. The server never sends the certificate back so it cannot be a problem of the client side validation.
This means you should better check the server side for problems and not the client side. And since you say that exactly the same code works with the old certificate it can not be a problem of protocol version or ciphers but must relate to the certificate. My guess is thus that the private key you use does not match the certificate you use, which gets not checked when you do the openssl verify.

I got the solution. Previously my certificate chain only contains the Intermediate and Root certificate which is not complete.
The solution is to also include the server certificate into the chain which is weird since context.use_certificate_file is already defined.
Anyways, the handshake is now working fine. Thanks!

Python Simple SSL Socket Server

Just trying to set up a simple SSL server. I have never had anything SSL work for me in the past. I have a loose understanding of how SSL certificates and signing.
The code is simple
import socket, ssl
context = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
context.load_cert_chain(certfile="mycertfile") ###############
bindsocket = socket.socket()
bindsocket.bind(('', 2099))
bindsocket.listen(5)
while True:
newsocket, fromaddr = bindsocket.accept()
sslsoc = context.wrap_socket(newsocket, server_side=True)
request = sslsoc.read()
print(request)
The line in there with the ###s after it is the one that isnt working. I don't know what I have to do with openssl to generate a PEM file that will work here.
Can anyone enlighten me as to how to make this simple socket work.
By the way, this is NOT used for HTTP.

you can use this command to generate a self-signed certificate
openssl req -new -x509 -days 365 -nodes -out cert.pem -keyout cert.pem
the openssl framework will ask you to enter some information, such as your country, city, etc. just follow the instruction, and you will get a cert.pem file. the output file will have both your RSA private key, with which you can generate your public key, and the certificate.
the output file looks like this:
-----BEGIN RSA PRIVATE KEY-----
# your private key
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
# your certificate
-----END CERTIFICATE-----
just load it, and the ssl module will handle the rest for you:
context.load_cert_chain(certfile="cert.pem", keyfile="cert.pem")
btw, there is no "SSLContext" in python2. for guys who are using python2, just assign the pem file when wrapping socket:
newsocket, fromaddr = bindsocket.accept()
connstream = ssl.wrap_socket(newsocket,
server_side=True,
certfile="cert.pem",
keyfile="cert.pem",
ssl_version=YOUR CHOICE)
available ssl version: ssl.PROTOCOL_TLSv1, ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_SSLv3, ssl.PROTOCOL_SSLv23. if you have no idea, ssl.PROTOCOL_SSLv23 may be your choice as it provides the most compatibility with other versions.

In your example, you provide a certfile, but no keyfile. Both are required.