Tags: python, sockets, ssl, ssl-certificate, self-signed

Python SSL socket: Accept self-signed certificates


I am trying to build a simple client-server application using Python's ssl socket module. When running the example code provided here, the client side fails, reporting that the certificate verification failed because of a self-signed certificate. I provide the self-signed root CA certificate with context.load_verify_locations("/home/vincent/work/CA/2/AllIO_Dev_CA_2.crt"). On the server side the certificate file also contains the server's certificate as well as the CA's self-signed certificate, as specified here, in the correct order (1st server certificate, 2nd CA certificate). In an attempt to fix the error outside of Python I also added my self-signed root CA certificate to the OS list of trusted CA certificates.

What do I have to do to allow connections with a self-signed certificate? As this is just for a proof of concept, buying a trusted certificate is not an option at this point in time.

server.py

import socket, ssl

def do_something(connstream, data):
    # Placeholder for the application protocol: echo the data back and keep
    # the session open. Return False when the server is done with the client.
    connstream.sendall(data)
    return True

def deal_with_client(connstream):
    data = connstream.recv(1024)
    # empty data means the client is finished with us
    while data:
        if not do_something(connstream, data):
            # we'll assume do_something returns False
            # when we're finished with client
            break
        data = connstream.recv(1024)
    # finished with client

# CLIENT_AUTH = this context is used by a server; the chain file must hold the
# server certificate first, followed by the CA certificate(s).
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain(certfile="/home/vincent/work/CA/2/Dev_Server_2_Chain.crt",
                        keyfile="/home/vincent/work/CA/2/Dev_Server_2.pem")

bindsocket = socket.socket()
bindsocket.bind(('vm-kubuntu-23', 10023))
bindsocket.listen(5)
while True:
    newsocket, fromaddr = bindsocket.accept()
    # The TLS handshake happens here; a failed handshake raises ssl.SSLError.
    connstream = context.wrap_socket(newsocket, server_side=True)
    try:
        deal_with_client(connstream)
    finally:
        connstream.shutdown(socket.SHUT_RDWR)
        connstream.close()

client.py

import pprint
import socket, ssl

# PROTOCOL_TLS_CLIENT already sets verify_mode=CERT_REQUIRED and check_hostname=True.
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
context.load_verify_locations("/home/vincent/work/CA/2/Dev_CA_2.crt")
print(context.get_ca_certs())
conn = context.wrap_socket(socket.socket(socket.AF_INET),
                           server_hostname="vm-kubuntu-23")
conn.connect(("vm-kubuntu-23", 10023))
cert = conn.getpeercert()
pprint.pprint(cert)
conn.sendall(b"Test Message 101r\n")  # sockets take bytes, not str
conn.close()

Output of python3 client.py:

[{'subject': ((('commonName', 'vm-kubuntu-23'),),), 'issuer': ((('commonName', 'vm-kubuntu-23'),),), 'version': 3, 'serialNumber': '3C337F71CFD1EA6D', 'notBefore': 'Nov  3 18:27:00 2023 GMT', 'notAfter': 'Nov  3 18:27:00 2033 GMT'}]
Traceback (most recent call last):
  File "/home/vincent/work/switchFrontpanel/application/networkDemo/client2.py", line 12, in <module>
    conn.connect(("vm-kubuntu-23", 10023))
  File "/usr/lib/python3.11/ssl.py", line 1379, in connect
    self._real_connect(addr, False)
  File "/usr/lib/python3.11/ssl.py", line 1370, in _real_connect
    self.do_handshake()
  File "/usr/lib/python3.11/ssl.py", line 1346, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1002)

Dev_CA_2.crt

-----BEGIN CERTIFICATE-----
MIIDJDCCAgygAwIBAgIIPDN/cc/R6m0wDQYJKoZIhvcNAQELBQAwGDEWMBQGA1UE
AxMNdm0ta3VidW50dS0yMzAeFw0yMzExMDMxODI3MDBaFw0zMzExMDMxODI3MDBa
MBgxFjAUBgNVBAMTDXZtLWt1YnVudHUtMjMwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDKrrfoFaUwL9V/EIsc+/+XV52bcvrUcL4no/QUzt0VrWuOLWl1
t08Fzs0Trvrc6Dw13Lhkzdtw/Vxn2hYLTe3XW//zcJcXjqSPC6wQnr4YYWxh0SRm
Hj4gcH3MIlX7b83ykaTx2aNvwA0CRvZP30emy4U50LMnyO2nLMuTym4gAwS9FARK
BX0sJO5TR5xAPEQ27IT7X1N6yKjfHpDGD1HKXr9QqwtpJ/Cug3hzzwcYr3qH5Ot+
IXQ5wfme/xdOcCgNSPzLPTng2raU3EfPb/F/0SRzoxt46VqL1Hb9pfLhxazqVYFE
Jk6ZJHInGDQXNAuvkHM3H5ctKbO/SvuBc1DtAgMBAAGjcjBwMA8GA1UdEwEB/wQF
MAMBAf8wHQYDVR0OBBYEFHWcCma48vOOcyHgUA8Vql/dI91pMAsGA1UdDwQEAwIB
BjARBglghkgBhvhCAQEEBAMCAAcwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZp
Y2F0ZTANBgkqhkiG9w0BAQsFAAOCAQEAU2AByG3zVeA3Xdy1CcWaNH6pzXYKui4+
imLgPgTO7Epx61sENoIszbTbiYvgEqJvHqE7kv2ZU45Z5yE75Dl3t5hoGxfrf5Wm
LWrEWMNLKyqJ7fEHYdPrOYu81Y1hPWKrPir5cnyHhgYSJtK7DkmBan5JGSUwKGeg
WvM3GcEUvYksCW17eJlFEnVYjQ5AZuk9Pu4R2/ElgFT4dGQcMHdktvs6iWzxy5Fc
OSCT1aZp+0p5300kszIg2GjVYLRe1Qi8ikO0JN4T8RjCp8bD9VvLB+RikutYu5fP
OOQoU3q/QxTqPmaRYG/yscgbfv7e+OqPq5Xe5K/N/SK/Cif+5SLVMA==
-----END CERTIFICATE-----

Dev_Server_2_Chain.crt

-----BEGIN CERTIFICATE-----
[body omitted]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[body omitted]
-----END CERTIFICATE-----

Remark: As these certificates are purely for testing purposes and are going to be disposed afterwards I don't mind sharing them.


Solution

  • Dev_Server_2_Chain.crt ...

    Both the server certificate and the CA certificate have the same subject, "vm-kubuntu-23". This will confuse the certificate validation process, leading to the error you see. Instead, the CA and the server should have different subjects.
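To spot the condition the answer describes before a chain file is handed to load_cert_chain, here is an added diagnostic that is not part of the question or the answer. It decodes only the serial number, issuer and subject of each certificate in a PEM bundle with a minimal DER walker (no signature check, no third-party library) and reports a certificate whose subject equals its issuer, two chain members that share a subject, and a break in the leaf-to-CA ordering. OpenSSL finds a certificate's issuer by matching its issuer name against candidate subject names, which is why a leaf and a CA with identical names get tangled. The embedded Dev_CA_2.crt is the one posted above; the attribute-OID table and the function names parse_certificate and check_chain are this example's own.

```python
import base64
import re

# Dev_CA_2.crt exactly as posted in the question above.
DEV_CA_2_PEM = """-----BEGIN CERTIFICATE-----
MIIDJDCCAgygAwIBAgIIPDN/cc/R6m0wDQYJKoZIhvcNAQELBQAwGDEWMBQGA1UE
AxMNdm0ta3VidW50dS0yMzAeFw0yMzExMDMxODI3MDBaFw0zMzExMDMxODI3MDBa
MBgxFjAUBgNVBAMTDXZtLWt1YnVudHUtMjMwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDKrrfoFaUwL9V/EIsc+/+XV52bcvrUcL4no/QUzt0VrWuOLWl1
t08Fzs0Trvrc6Dw13Lhkzdtw/Vxn2hYLTe3XW//zcJcXjqSPC6wQnr4YYWxh0SRm
Hj4gcH3MIlX7b83ykaTx2aNvwA0CRvZP30emy4U50LMnyO2nLMuTym4gAwS9FARK
BX0sJO5TR5xAPEQ27IT7X1N6yKjfHpDGD1HKXr9QqwtpJ/Cug3hzzwcYr3qH5Ot+
IXQ5wfme/xdOcCgNSPzLPTng2raU3EfPb/F/0SRzoxt46VqL1Hb9pfLhxazqVYFE
Jk6ZJHInGDQXNAuvkHM3H5ctKbO/SvuBc1DtAgMBAAGjcjBwMA8GA1UdEwEB/wQF
MAMBAf8wHQYDVR0OBBYEFHWcCma48vOOcyHgUA8Vql/dI91pMAsGA1UdDwQEAwIB
BjARBglghkgBhvhCAQEEBAMCAAcwHgYJYIZIAYb4QgENBBEWD3hjYSBjZXJ0aWZp
Y2F0ZTANBgkqhkiG9w0BAQsFAAOCAQEAU2AByG3zVeA3Xdy1CcWaNH6pzXYKui4+
imLgPgTO7Epx61sENoIszbTbiYvgEqJvHqE7kv2ZU45Z5yE75Dl3t5hoGxfrf5Wm
LWrEWMNLKyqJ7fEHYdPrOYu81Y1hPWKrPir5cnyHhgYSJtK7DkmBan5JGSUwKGeg
WvM3GcEUvYksCW17eJlFEnVYjQ5AZuk9Pu4R2/ElgFT4dGQcMHdktvs6iWzxy5Fc
OSCT1aZp+0p5300kszIg2GjVYLRe1Qi8ikO0JN4T8RjCp8bD9VvLB+RikutYu5fP
OOQoU3q/QxTqPmaRYG/yscgbfv7e+OqPq5Xe5K/N/SK/Cif+5SLVMA==
-----END CERTIFICATE-----
"""

# DER-encoded attribute-type OIDs that commonly appear in a Name (example's own table).
_OID_NAMES = {
    bytes.fromhex("550403"): "CN",
    bytes.fromhex("55040a"): "O",
    bytes.fromhex("55040b"): "OU",
    bytes.fromhex("550406"): "C",
}

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Single-byte tags only, which is all a TBSCertificate header and a Name need."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _parse_name(name_der):
    """Flatten a Name (SEQUENCE OF SET OF AttributeTypeAndValue) into [(attr, value), ...]."""
    attrs = []
    pos = 0
    while pos < len(name_der):
        _, rdn, pos = _read_tlv(name_der, pos)        # SET (one RDN)
        inner = 0
        while inner < len(rdn):
            _, ava, inner = _read_tlv(rdn, inner)     # SEQUENCE { type OID, value }
            _, oid, vpos = _read_tlv(ava, 0)
            _, value, _ = _read_tlv(ava, vpos)        # PrintableString / UTF8String
            attrs.append((_OID_NAMES.get(oid, oid.hex()), value.decode("utf-8", "replace")))
    return attrs

def split_pem_bundle(text):
    """Return the PEM certificate blocks of a bundle in file order."""
    return re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", text, re.S)

def parse_certificate(pem):
    """Return serial, issuer and subject of one PEM certificate (signature is NOT checked)."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S).group(1)
    der = base64.b64decode("".join(body.split()))
    _, cert, _ = _read_tlv(der, 0)             # Certificate SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)             # TBSCertificate SEQUENCE
    tag, val, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                            # optional [0] EXPLICIT version
        _, val, pos = _read_tlv(tbs, pos)      # serialNumber INTEGER
    serial = int.from_bytes(val, "big", signed=True)
    _, _, pos = _read_tlv(tbs, pos)            # signature AlgorithmIdentifier
    _, issuer, pos = _read_tlv(tbs, pos)       # issuer Name
    _, _, pos = _read_tlv(tbs, pos)            # validity
    _, subject, pos = _read_tlv(tbs, pos)      # subject Name
    return {"serial": serial, "issuer": _parse_name(issuer), "subject": _parse_name(subject)}

def check_chain(bundle_pem):
    """Parse a chain file in load_cert_chain order (leaf first, CA last) and return
    (certs, findings). Findings: subject == issuer, two members sharing a subject,
    and an issuer that does not match the next certificate's subject."""
    certs = [parse_certificate(p) for p in split_pem_bundle(bundle_pem)]
    findings = []
    for depth, cert in enumerate(certs):
        if cert["subject"] == cert["issuer"]:
            findings.append(f"depth {depth}: subject equals issuer (self-signed): {cert['subject']}")
        if depth + 1 < len(certs):
            nxt = certs[depth + 1]
            if cert["issuer"] != nxt["subject"]:
                findings.append(f"depth {depth}: issuer {cert['issuer']} does not match "
                                f"depth {depth + 1} subject {nxt['subject']}")
            if cert["subject"] == nxt["subject"]:
                findings.append(f"depth {depth} and {depth + 1} share subject {cert['subject']}")
    return certs, findings

if __name__ == "__main__":
    certs, findings = check_chain(DEV_CA_2_PEM)
    for depth, c in enumerate(certs):
        print(f"depth {depth}: serial={c['serial']:X} subject={c['subject']} issuer={c['issuer']}")
    for f in findings:
        print("finding:", f)
```

Run check_chain over the contents of Dev_Server_2_Chain.crt: with the setup described in the question it reports depth 0 and depth 1 sharing the subject vm-kubuntu-23. After the CA is reissued under a name that differs from the server hostname and the server certificate is re-signed by it, the only finding left should be the self-signed entry at the last depth, which is expected for a root CA. The client's server_hostname must still match the name the server certificate carries.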