I am consuming Ebay Trading APIs using Ebay python sdk which is eventually sing python-requests for making API calls.
All was working fine, but since last few days I am unable to make call. I am getting error:
SSLError: bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)
Here is complete traceback:
In [9]: response = api.execute('GetSessionID', data)
---------------------------------------------------------------------------
SSLError Traceback (most recent call last)
<ipython-input-9-eb33610c2a7f> in <module>()
----> 1 response = api.execute('GetSessionID', data)
/home/debian/.virtualenvs/myvirtualenv/local/lib/python2.7/site-packages/ebaysdk/connection.pyc in execute(self, verb, data, list_nodes, verb_attrs, files)
117
118 self.build_request(verb, data, verb_attrs, files)
--> 119 self.execute_request()
120
121 if hasattr(self.response, 'content'):
/home/debian/.virtualenvs/goplaces/local/lib/python2.7/site-packages/ebaysdk/connection.pyc in execute_request(self)
182 proxies=self.proxies,
183 timeout=self.timeout,
--> 184 allow_redirects=True
185 )
186
/home/debian/.virtualenvs/myvirtualenv/local/lib/python2.7/site-packages/requests/sessions.pyc in send(self, request, **kwargs)
574
575 # Send the request
--> 576 r = adapter.send(request, **kwargs)
577
578 # Total elapsed time of the request (approximately)
/home/debian/.virtualenvs/myvirtualenv/local/lib/python2.7/site-packages/requests/adapters.pyc in send(self, request, stream, timeout, verify, cert, proxies)
431 except (_SSLError, _HTTPError) as e:
432 if isinstance(e, _SSLError):
--> 433 raise SSLError(e, request=request)
434 elif isinstance(e, ReadTimeoutError):
435 raise ReadTimeout(e, request=request)
SSLError: bad handshake: Error([('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')],)
There are many related question on StackOverflow, all which says:
I can not do this because:
Also,
I have no knowledge why this is happening.
Why SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed'
is in traceback, when I have disabled SSL3. (I have no deep knowledge about SSL).
Thank you!
# openssl version
OpenSSL 1.0.2e 3 Dec 2015
Upgraded to openssl 1.0.2 from 1.0.1 by building from source after @Steffen Ullrich's suggestion.
$ pip freeze | grep -i ssl
backports.ssl-match-hostname==3.4.0.2
pyOpenSSL==0.15.1
My guess is this is related to Python Urllib2 SSL error, i.e. a problem of multiple trust path in the underlying implementation of OpenSSL. See there for the details of the problem.
To fix this without making changes to your trusted CA's you would need to have a fixed OpenSSL, i.e. OpenSSL 1.0.2. Or you could add some of the older CA certificates back to your trust store.
- pass argument verify=False
- pass CA certificate
- append you CA certificate in cacert.pem file (I tried this, didn't work)
... This is bad in security point of view.
While verify=False
is bad for security because it disables validation the other options are not bad because they only add additional trust anchors but keep validation enabled.
Why SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed' is in traceback, when I have disabled SSL3.
Even if it talks about SSLv3 there it does not mean it. TLS and SSLv3 share a lot of functionality, i.e. TLS 1.0 is actually SSL 3.1. Thus lots of the SSL3_*
functions in the OpenSSL code are used with TLS 1.x too which causes these irritating messages.