I am trying to connect to SSL based host, using Python Sockets wrapped with SSL.
When I try to connect using openssl client, I am successfully able to connect over ssl and receive response:
On Terminal,
openssl s_client -tls1_1 -connect epptestv3.iis.se:700 -key privateKey.pem -cert certificate.pem -CAfile root_certificate.pem
But In Python,
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(60) # regular timeout
sock = ssl.wrap_socket(sock, "privateKey.pem", "certificate.pem",
server_side=False,
cert_reqs=ssl.CERT_REQUIRED,
ca_certs="root_certificate.pem",
ssl_version=ssl.PROTOCOL_TLSv1_2,
ciphers='AES256-SHA')
sock.connect(('epptestv3.iis.se', 700))
I am getting following error:
sock.connect(('epptestv3.iis.se', 700))
File "/usr/lib/python2.7/ssl.py", line 866, in connect
self._real_connect(addr, False)
File "/usr/lib/python2.7/ssl.py", line 857, in _real_connect
self.do_handshake()
File "/usr/lib/python2.7/ssl.py", line 830, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
I am not getting why it is throwing error while both key and certificate files are same in both cases? Please suggest appropriate solution.
Following is openssl debug log, which might be helpful:
openssl s_client -tls1_1 -connect epptestv3.iis.se:700 -key privateKey.pem -cert certificate.pem -CAfile root_certificate.pem
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Domain Validation Secure Server CA
verify return:1
depth=0 OU = Domain Control Validated, OU = Issued through Stiftelsen f\C3\B6r Internetinfrastruktur E-PKI Manage, OU = COMODO SSL, CN = epptestv3.iis.se
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=Issued through Stiftelsen f\xC3\xB6r Internetinfrastruktur E-PKI Manage/OU=COMODO SSL/CN=epptestv3.iis.se
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFoDCCBIigAwIBAgIQbChcoPxJBdsCfcui549W/DANBgkqhkiG9w0BAQsFADCB
kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNV
BAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
QTAeFw0xNTExMjMwMDAwMDBaFw0xNjEyMjkyMzU5NTlaMIGfMSEwHwYDVQQLExhE
b21haW4gQ29udHJvbCBWYWxpZGF0ZWQxSjBIBgNVBAsMQUlzc3VlZCB0aHJvdWdo
IFN0aWZ0ZWxzZW4gZsO2ciBJbnRlcm5ldGluZnJhc3RydWt0dXIgRS1QS0kgTWFu
YWdlMRMwEQYDVQQLEwpDT01PRE8gU1NMMRkwFwYDVQQDExBlcHB0ZXN0djMuaWlz
LnNlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7NM/dsKMr5PSLySm
TUBy5VHi4pECfZZNdvjpXB7WqUC029Ue/rn+TeqcRNLs3SM3liuSXPkhrpHgIWsF
5DsKxwGqh+psudkYJSK0jKq28DlXnn8dHX5m2c+c8PMorrdN/2ZgfNbWqpb00Dq7
0RhQqRbUtYfRRtndfk2hmDRZfbjhYuzakmnUlezLyoCjJ0euMl2n2cXWRYE+lokG
t81JFm9Cfj8jUXW5KaEWCmcshRC+3nQjQlC/HeD7d8rhebkTO0N3ilDNcHYJsqQP
MmwgexxrYYLd8DdUL9mTDfoKOuzgPU6BR78AT1uCALLBsNIawER2sI2rhncQZ0wV
FxBb7wIDAQABo4IB4zCCAd8wHwYDVR0jBBgwFoAUkK9qOpRaC9iQ6hJWc99DtDoo
2ucwHQYDVR0OBBYEFBLoktspsuhAAykZCOCWaEgDxKoHMA4GA1UdDwEB/wQEAwIF
oDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBP
BgNVHSAESDBGMDoGCysGAQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8v
c2VjdXJlLmNvbW9kby5jb20vQ1BTMAgGBmeBDAECATBUBgNVHR8ETTBLMEmgR6BF
hkNodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9DT01PRE9SU0FEb21haW5WYWxpZGF0
aW9uU2VjdXJlU2VydmVyQ0EuY3JsMIGFBggrBgEFBQcBAQR5MHcwTwYIKwYBBQUH
MAKGQ2h0dHA6Ly9jcnQuY29tb2RvY2EuY29tL0NPTU9ET1JTQURvbWFpblZhbGlk
YXRpb25TZWN1cmVTZXJ2ZXJDQS5jcnQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3Nw
LmNvbW9kb2NhLmNvbTAxBgNVHREEKjAoghBlcHB0ZXN0djMuaWlzLnNlghR3d3cu
ZXBwdGVzdHYzLmlpcy5zZTANBgkqhkiG9w0BAQsFAAOCAQEAbCyk+7IhFZOLxFLn
Nqu46zq4DSZntyLQh53AO3I36845PxSoX4aBo1xPdz8Dy6wIKklTcD4jgYlYYUDD
K6uP7kpIYswH4OGoCbca4Jh5YWiINUlm6RT5CAYm5K/FB30jIpqjepQg2x7KwTjY
9evYf6urY17ShafKpAewrzVe0rK5d8il+AcovKk5QXnHcydicIcEdUHdzu4tPcfW
4MvtQpv2ZeaofxEKPH8K9aXUPp4c9l3e32PHbhqiaoirsB53WDs+G9fzNxaL6O99
HOCg7EMvdiScEaBs+7NlxLMQTg/P9G/+UAyaim3nCgf0ptCNLGkE3g5pWou5rIwp
KQTNVQ==
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=Issued through Stiftelsen f\xC3\xB6r Internetinfrastruktur E-PKI Manage/OU=COMODO SSL/CN=epptestv3.iis.se
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
SSL handshake has read 6425 bytes and written 5050 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : AES256-SHA
Session-ID: 066A733D13B86DFABC101E44DA2685AD95C8DF25C97D246B139593E1C3FD44E5
Session-ID-ctx:
Master-Key: 1723668A7339631D1667C2B3B3E736BB165FA1752D0BBE8A3FE4AA5D1C7007D6A7277443B4672BB1A5A120E8FF783B11
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - e4 89 33 38 f7 3f 89 aa-ba a7 7a 6f 67 3c 89 09 ..38.?....zog<..
0010 - 96 e3 90 3d a7 63 e7 70-a9 c3 de 91 e0 f3 30 e5 ...=.c.p......0.
0020 - 62 99 78 2a 7d 37 5a fe-ff 31 65 de 34 7a 91 70 b.x*}7Z..1e.4z.p
0030 - ef 55 d3 07 96 d6 47 18-40 22 da 7a 4b 35 1b ee .U....G.@".zK5..
0040 - 6a eb 15 4a 07 f0 b3 5e-99 21 ad a9 b6 df 28 05 j..J...^.!....(.
0050 - 1b 1e 4b de 54 7c 5b 29-5d a8 a3 c2 3b e6 82 4e ..K.T|[)]...;..N
0060 - c8 d5 76 b5 7c 64 31 59-10 f0 61 1e 9a df 1c 42 ..v.|d1Y..a....B
0070 - 8b d3 f8 a7 73 da 06 fc-3f df 02 d6 01 05 fa a7 ....s...?.......
0080 - 3b 92 4b fd e5 03 41 24-26 b8 a7 12 c5 9a 9c 7c ;.K...A$&......|
0090 - dc 36 75 69 bd 61 c4 27-43 5b df bb 19 80 2a 9c .6ui.a.'C[....*.
00a0 - d3 bf 5f 8b f6 e2 3d 0e-2e d2 cc a7 d0 5e 52 48 .._...=......^RH
00b0 - ff e6 a1 fe 02 3f 8e 78-c2 15 ad cb 9a 11 e9 03 .....?.x........
00c0 - 0e 80 0e b8 10 2b 4a 85-82 bd ef d2 9d 3d 74 89 .....+J......=t.
00d0 - 65 2d 94 f6 2c b8 c1 a2-5c c5 34 72 13 3e b0 75 e-..,...\.4r.>.u
00e0 - fd 11 e2 9b 65 d5 48 b6-80 15 90 d6 df e2 05 21 ....e.H........!
00f0 - 01 1f 34 2b 6b 3a 7a 8c-07 53 f1 b0 fb b3 95 b2 ..4+k:z..S......
0100 - c3 07 d1 5b 7c 13 4b cb-78 5d 59 5b 66 94 d6 11 ...[|.K.x]Y[f...
0110 - 06 6c b0 9f b2 d1 78 a0-37 9a 9e bf 9d 90 54 ad .l....x.7.....T.
0120 - 83 51 70 b2 7f 7f 76 e9-47 eb 75 9f 70 7c 26 36 .Qp...v.G.u.p|&6
0130 - a6 42 f3 c1 08 05 8a 59-32 a2 c6 71 50 4a 48 ee .B.....Y2..qPJH.
0140 - 68 29 cf ec db 39 42 71-bd e0 97 7a 66 dd c3 8c h)...9Bq...zf...
0150 - f4 09 5c 2e a2 38 27 71-cd 9c f5 4f da 46 a4 0c ..\..8'q...O.F..
0160 - 0f b6 93 d5 97 bd e0 3b-3b 5f 2c 53 cd 0f ad b6 .......;;_,S....
0170 - a8 12 27 ba bb 5f 56 da-8e 14 f0 31 82 2f e0 90 ..'.._V....1./..
0180 - 72 41 65 77 96 b6 7b 35-5b 68 92 29 56 8d b9 3e rAew..{5[h.)V..>
0190 - 77 6c b5 44 12 fb da bd-c1 d9 62 bd af 4d 61 18 wl.D......b..Ma.
01a0 - 20 de 49 53 3b d6 4b 07-68 06 74 db 32 11 fc 26 .IS;.K.h.t.2..&
01b0 - f0 64 37 7f 68 9a c3 09-01 69 ec c1 1d bb 2d a8 .d7.h....i....-.
01c0 - 81 fd 0e bf 84 a8 71 25-bf d8 07 54 14 8c 18 60 ......q%...T...`
01d0 - 20 66 14 bb 18 e5 96 fd-14 40 2a a2 30 74 18 a5 f.......@*.0t..
01e0 - 1b 61 ea 9f 24 9f 25 b3-1f ca 25 c4 19 56 bc aa .a..$.%...%..V..
01f0 - 32 b6 a5 3b fe 09 3c de-24 3b c8 b9 89 a7 13 2e 2..;..<.$;......
0200 - a4 fc f4 df a8 3c 58 f3-d8 10 ae ff b1 77 4d 4c .....<X......wML
0210 - 7e 6a f4 a2 22 32 81 fa-cd 65 0a b3 d9 04 49 20 ~j.."2...e....I
0220 - 8c 39 91 f9 bd e7 24 4d-47 7e 13 0a 6e a2 96 0d .9....$MG~..n...
0230 - b5 cd 11 6f b1 7d c3 7b-59 4c 9f ec 8c a5 93 64 ...o.}.{YL.....d
0240 - ce 09 9c 64 55 58 41 ad-e1 b2 63 a4 c9 cb bb c0 ...dUXA...c.....
0250 - 04 70 e6 65 b5 18 85 b3-e1 fb 0c fe 81 42 81 c9 .p.e.........B..
0260 - dc 94 10 12 8f 19 9b a7-e1 92 9d ba b4 28 93 ad .............(..
0270 - 9f 5d 63 af b7 32 3f 07-53 15 c2 20 f5 fa e6 06 .]c..2?.S.. ....
0280 - 1b 77 ec 88 15 94 7b 7d-a3 2f 72 24 00 54 21 96 .w....{}./r$.T!.
0290 - 95 4b fb 6f d3 e5 9d 83-a7 c8 27 92 0c 62 a6 4b .K.o......'..b.K
02a0 - 1e b3 45 fe e2 74 25 0d-9e 59 bf 1a 84 fb 59 13 ..E..t%..Y....Y.
02b0 - 8b df 43 08 74 99 5e 83-8a a5 51 73 a1 33 29 ce ..C.t.^...Qs.3).
02c0 - a5 ce 13 d7 50 a4 87 2b-2e 13 f4 db 11 96 85 ad ....P..+........
02d0 - 40 3e 27 f8 05 bb 50 a5-2e 3c 6d a2 4e ad 5d e1 @>'...P..<m.N.].
02e0 - e5 9c da 3a 9d 31 85 b6-4a be 58 e5 4f e4 73 9b ...:.1..J.X.O.s.
02f0 - 04 d7 28 b3 5a b7 a1 79-86 50 b3 7d 76 0c b7 28 ..(.Z..y.P.}v..(
0300 - 2f ab 39 cd b2 df 79 59-77 ec 4a f6 b3 d3 a0 be /.9...yYw.J.....
0310 - 58 e1 7a f0 69 3a 3f 73-72 e2 8d de c6 d5 0d 16 X.z.i:?sr.......
0320 - e8 2d f9 03 39 11 78 07-5b 3c b0 9b 53 bd ed a3 .-..9.x.[<..S...
0330 - 08 42 75 9d 20 fa 0b 70-4e eb 31 c5 0a 4e 5a 83 .Bu. ..pN.1..NZ.
0340 - 22 06 1b 39 c6 e2 fb c5-78 96 fd 20 e6 5f a4 e6 "..9....x.. ._..
0350 - b1 ea c6 f9 6c 4b 3f 9d-2d a7 7c c8 00 b2 87 8a ....lK?.-.|.....
0360 - 88 b1 5c 8b 88 86 b4 f4-70 a3 a8 16 9e 07 e3 4f ..\.....p......O
0370 - 70 5f 77 05 79 34 44 a9-c9 0f fa 03 b4 27 a2 e6 p_w.y4D......'..
0380 - 66 3e 78 8b ed ec a0 c2-ad b6 e8 94 69 84 18 83 f>x.........i...
0390 - 46 5c f8 e9 99 f7 8f 9c-b3 e2 56 28 7f 8c f8 b0 F\........V(....
03a0 - 6d e9 f0 75 d2 4e ec e1-2b ea d5 e1 da ad 7f b7 m..u.N..+.......
03b0 - e9 84 a9 fd 39 29 29 4a-10 dc c2 61 f6 e8 d9 ac ....9))J...a....
03c0 - 2b 18 1c d4 e1 2b d1 1d-3d 4b ae 20 c7 b7 5f 2b +....+..=K. .._+
03d0 - 7d 77 b8 eb 8e 4e e5 db-4e 70 92 5f 20 6c 73 87 }w...N..Np._ ls.
03e0 - 69 4a aa 40 55 dc 23 d5-20 ef 2f 4e 15 3c f6 4d iJ.@U.#. ./N.<.M
03f0 - 6f 57 50 e2 9d 48 b4 d6-8e c5 78 ee 2b a1 47 bc oWP..H....x.+.G.
0400 - 0b a8 5d 5b 17 67 29 1f-12 fd 05 4a f7 86 df ed ..][.g)....J....
0410 - 9a ac 1d d4 22 26 11 4f-9f 1f b6 00 38 86 9f 0a ...."&.O....8...
0420 - 3b 5b 5b 8c a8 07 7c 1d-03 91 c9 91 84 63 a1 69 ;[[...|......c.i
0430 - db 01 30 dd 51 b3 2b 12-27 c9 2c c0 55 6c ba 0c ..0.Q.+.'.,.Ul..
0440 - 93 99 f5 f9 4e 32 cb 1a-03 78 80 99 df a9 c3 9c ....N2...x......
0450 - b9 a3 ca d7 00 8c f3 bc-f3 e9 4d 16 d0 e5 f6 54 ..........M....T
0460 - a8 31 97 b2 1b c9 80 49-ed cc 06 a1 c4 d9 92 8c .1.....I........
0470 - 5d fe 0f 3a 81 b7 12 3a-d6 a4 fc 5e e0 49 be e0 ]..:...:...^.I..
0480 - 17 81 ac f9 44 80 11 35-48 f7 4f c0 23 42 69 0f ....D..5H.O.#Bi.
0490 - 3d c1 87 86 d1 4b 36 0f-e6 dd 2f d0 b7 3d 9d 14 =....K6.../..=..
04a0 - a7 51 92 69 ba fe e0 04-14 9e 36 49 57 a6 c0 c4 .Q.i......6IW...
04b0 - 27 bc bb 0e b2 fb 29 2a-17 a2 8d de ac da 52 08 '.....)*......R.
04c0 - d1 e0 03 fb ad d6 d0 4b-2a 5d bb 0b 63 9f 3f a4 .......K*]..c.?.
04d0 - ff 1a ec 4c a1 41 56 06-1b f0 38 8f b4 89 7d 21 ...L.AV...8...}!
04e0 - c2 20 da 77 1d 78 0c bf-92 93 a0 54 07 d7 79 ac . .w.x.....T..y.
04f0 - e9 72 e9 9d 4a 05 4a e1-9e 8a 64 86 39 3b c0 95 .r..J.J...d.9;..
0500 - 9c 50 01 56 87 b8 3b 29-45 18 cf bf 08 bd dd 8d .P.V..;)E.......
0510 - c8 00 96 e3 4b e9 8c ac-11 3c 6c 52 b7 c0 af 1a ....K....<lR....
0520 - fe 6d 10 9d bc a5 41 f9-ce 11 13 3a 87 80 fe 1f .m....A....:....
0530 - a4 55 5b 76 6c 29 7b 6e-01 4d 9d 40 aa 72 2e 39 .U[vl){n.M.@.r.9
0540 - d7 37 52 8f 80 2f ae 96-77 93 af af 7c 2c 31 3f .7R../..w...|,1?
0550 - af bd 59 47 c8 87 9b c3-3d 54 8f 1e f0 e3 bd 86 ..YG....=T......
0560 - 39 63 b3 71 87 ed 73 f6-1e 23 1e d7 17 0f da 75 9c.q..s..#.....u
0570 - 5f 33 b0 91 f3 fe 48 f6-58 bc b0 09 90 db 04 b0 _3....H.X.......
0580 - de 18 91 f5 25 61 c4 72-5e 79 54 b3 7e b9 87 72 ....%a.r^yT.~..r
0590 - 79 7b 22 d7 39 93 ed 68-47 66 3c 17 51 86 2b 2d y{".9..hGf<.Q.+-
05a0 - f4 e4 91 66 e1 6e e0 ad-a4 7c 77 af 3c 8c 47 dc ...f.n...|w.<.G.
05b0 - 6d 46 37 58 26 5a e8 35-ed d8 c3 c9 29 72 f0 f3 mF7X&Z.5....)r..
05c0 - b2 06 51 53 85 9b c7 e0-0e 25 0c 7d c6 12 00 b2 ..QS.....%.}....
05d0 - 89 70 2f 51 6b b2 5f 6c-86 da ff 9a 24 8e 50 67 .p/Qk._l....$.Pg
05e0 - 19 11 89 54 18 92 69 e9-b0 22 0b 9f 06 dc b4 cb ...T..i.."......
05f0 - df d4 c5 14 ed 81 9d b9-a0 be 50 88 c2 0e fb 75 ..........P....u
0600 - d4 81 97 db 2a 87 05 47-dc a4 5a 7e e8 62 8b 9b ....*..G..Z~.b..
0610 - 16 a5 92 13 7c 97 a5 d4-d6 d2 77 88 ad 1c 51 53 ....|.....w...QS
0620 - 10 dd 33 19 64 7c 4f 7c-1f a8 0d de 9e 10 4c 57 ..3.d|O|......LW
0630 - 98 19 9e 4c d4 2f d2 71-2e ef 2c a1 65 07 b2 dc ...L./.q..,.e...
0640 - 77 ef 5c 5b 3d 56 c1 1b-78 67 97 87 07 b5 0c 45 w.\[=V..xg.....E
0650 - 80 69 a4 b1 15 d7 8c 1b-88 8d 7c 29 b6 db 17 fc .i........|)....
0660 - 23 67 5f 1e 7c 3d c1 de-c2 0b 00 51 24 f6 9c f0 #g_.|=.....Q$...
0670 - 96 e7 41 3d b4 2f b4 7e-27 38 20 a1 4b 7d 02 c3 ..A=./.~'8 .K}..
0680 - 84 f6 20 fa c7 a6 1c eb-b3 22 eb 18 8e a4 60 18 .. ......"....`.
0690 - b1 88 20 6e 76 9a 77 a3-a5 9d 62 10 24 b3 c8 b6 .. nv.w...b.$...
06a0 - 0f 80 5e 26 58 a4 e2 e8-9b b2 e1 a4 77 a6 58 bd ..^&X.......w.X.
06b0 - 03 1f 50 8d e4 26 8f ef-fd 5d 21 fb 19 8b 1a d2 ..P..&...]!.....
06c0 - b6 ee 8c f4 26 48 2f 76-7f b2 da 42 28 cb 58 27 ....&H/v...B(.X'
06d0 - 65 cb c5 ec 04 ee 95 2b-c3 59 46 ed f3 6f 46 2a e......+.YF..oF*
06e0 - da 49 86 9b e1 f1 cb e5-4f cd 72 d8 4c 31 61 a0 .I......O.r.L1a.
06f0 - 46 99 55 69 17 c7 98 d0-9d e2 02 f1 b7 19 23 fc F.Ui..........#.
0700 - 69 18 ec 99 50 b8 c7 d6-ef dd eb 45 a2 d2 ee 8d i...P......E....
0710 - 4b ef e2 3a 2e 5d 66 f2-a5 7e f2 26 a2 d6 7b ba K..:.]f..~.&..{.
0720 - b5 db e6 d3 29 82 90 4e-76 cb 37 71 97 a9 a8 a0 ....)..Nv.7q....
Start Time: 1477246014
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<epp xsi:schemaLocation="urn:ietf:params:xml:ns:epp-1.0 epp-1.0.xsd" xmlns="urn:ietf:params:xml:ns:epp-1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<greeting>
<svID>epp.iis.se</svID>
<svDate>2016-10-23T18:06:55.0Z</svDate>
<svcMenu>
<version>1.0</version>
<lang>en</lang>
<objURI>urn:ietf:params:xml:ns:domain-1.0</objURI>
<objURI>urn:ietf:params:xml:ns:contact-1.0</objURI>
<objURI>urn:ietf:params:xml:ns:host-1.0</objURI>
<svcExtension>
<extURI>urn:ietf:params:xml:ns:secDNS-1.1</extURI>
<extURI>urn:ietf:params:xml:ns:secDNS-1.0</extURI>
<extURI>urn:se:iis:xml:epp:iis-1.2</extURI>
</svcExtension>
</svcMenu>
<dcp>
<access>
<all />
</access>
<statement>
<purpose>
<prov />
</purpose>
<recipient>
<ours />
<public />
</recipient>
<retention>
<stated />
</retention>
</statement>
</dcp>
</greeting>
</epp>
The certificates you have in your root_certificate.pem are these:
Issuer: ... CN=thawte Primary Root CA
Subject: ... CN=thawte DV SSL CA - G2
--
Issuer: ... CN=thawte Primary Root CA
Subject: ... CN=thawte Primary Root CA
According to the certificate chain which is shown in the output of openssl s_client none of these certificates has anything to do with the certificate chain provided by the server. Instead you would need a certificate:
Issuer: ... CN=AddTrust External CA Root
Subject: ... CN=AddTrust External CA Root
This certificate can be found here. If you use it the python code works too.
Thus the question remains why openssl s_client worked with the wrong CA while python worked not. The reason is an unexpected and undocumented behavior of s_client: it does not use CAfile instead of the default CA storage (i.e. usually /etc/ssl/certs on Linux) but additionally. And since the root CA in question was installed on the system openssl s_client could successfully verify the servers certificate, no matter what the contents of root_certificate.pem was.
For more information about this behavior see issue#2387. It looks like that a fix for this was done "to be released post-1.0.2" although I don't find the relevant commit in the OpenSSL source code. Instead it looks like that OpenSSL 1.1.0 got the -no-CAfile and -no-CApath options to switch off validation against the default location.