
django_cas_ng throws ssl error


I'm facing a weird SSL error with the django CAS client when the login request redirects to a remote CAS server (with HTTPS) for authentication. But I see the remote CAS server is generating a ticket when I tried to log in. I'm not sure whether it's failing during the request or the response.

Traceback (most recent call last):
 File "/home/test/p36d19/lib/python3.6/site-packages/urllib3/contrib/pyopenssl.py", line 438, in wrap_socket
   cnx.do_handshake()
 File "/home/test/p36d19/lib/python3.6/site-packages/OpenSSL/SSL.py", line 1638, in do_handshake
   self._raise_ssl_error(self._ssl, result)
 File "/home/test/p36d19/lib/python3.6/site-packages/OpenSSL/SSL.py", line 1378, in _raise_ssl_error
   _raise_current_error()
 File "/home/test/p36d19/lib/python3.6/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
   raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]

and settings file is

INSTALLED_APPS = (
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'django_cas_ng',
)
AUTHENTICATION_BACKENDS = (
   'django.contrib.auth.backends.ModelBackend',
   'django_cas_ng.backends.CASBackend',
)
CAS_SERVER_URL = "https://login.cas-example.com:8443/cas/login"
CAS_REDIRECT_URL = '/login_test'

I'm running the django app using runsslserver with a self-signed certificate (and tried with the server's certificate too) on my development machine.

No luck even after setting the following environment variable (there is a bug in the requests module with the SSL library):

REQUESTS_CA_BUNDLE='\tmp\app.crt'

Solution

  • It seems that your client cannot verify the server certificate.

    'ssl3_get_server_certificate', 'certificate verify failed'

    This is probably due to a faulty certificate, or your client does not have access to the CA certificate(s) with which the server certificate is signed.

    Check if the server certificate is valid (e.g. correct host name, not outdated, not revoked, correct certificate type, not too small an RSA key length, and no MD5 signatures).

    You can test the server handshake with openssl:

    openssl s_client -connect yourserver.com:443 -CAfile server-ca.crt

    Make sure the complete certificate chain which signed the server certificate is in your app.crt (REQUESTS_CA_BUNDLE='\tmp\app.crt'); app is a strange name, by the way, for CA certificates.
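The same two checks the answer describes (does the bundle load, and does the server's chain verify against it) as a small Python diagnostic; this is an added example, not code from the question, the answer or django_cas_ng. It assumes Python 3.7+ for `ssl.SSLCertVerificationError`, and the host, port and bundle path in the `__main__` block are the question's own values; on the Linux host shown in the traceback a backslash is an ordinary filename character, so the preflight reports that spelling of the path as not found.

```python
import os
import socket
import ssl

# OpenSSL X509_V_ERR_* codes that most often sit behind a bare
# "certificate verify failed", mapped to the check from the answer they point at.
VERIFY_HINTS = {
    10: "server certificate has expired (check validity dates)",
    18: "server certificate is self-signed and not in the bundle",
    19: "chain ends in a self-signed root that is not in the bundle",
    20: "issuer of a chain certificate is missing from the bundle (incomplete chain)",
    21: "only the leaf was sent and its issuer is unknown (no intermediates sent)",
    62: "hostname does not match the certificate's SAN/CN",
}

def bundle_problem(cafile):
    """Preflight the file REQUESTS_CA_BUNDLE points at; None if it loads as PEM."""
    if not os.path.isfile(cafile):
        return f"not found: {cafile!r}"
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).load_verify_locations(cafile=cafile)
    except ssl.SSLError as e:  # e.g. "[X509] no certificate or crl found"
        return f"not PEM: {e}"
    return None

def check_handshake(host, port, cafile, timeout=5.0):
    """Counterpart of `openssl s_client -connect host:port -CAfile cafile`.

    Trusts only `cafile`. Returns ok=True plus the peer subject on success,
    otherwise the OpenSSL verify code, its message and a remediation hint, so the
    failure is no longer an opaque 'certificate verify failed'.
    """
    problem = bundle_problem(cafile)
    if problem:
        return {"ok": False, "bundle": problem}
    ctx = ssl.create_default_context(cafile=cafile)  # cafile given: no system CAs added
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, "peer_subject": tls.getpeercert()["subject"]}
    except ssl.SSLCertVerificationError as e:
        return {"ok": False, "verify_code": e.verify_code,
                "verify_message": e.verify_message,
                "hint": VERIFY_HINTS.get(e.verify_code, "unlisted code; see `openssl verify`")}

if __name__ == "__main__":
    # Host and port from CAS_SERVER_URL and the bundle path exactly as spelled in the question.
    print(check_handshake("login.cas-example.com", 8443, r"\tmp\app.crt"))
```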