what is my openssl and ssl Default CA Certs Path?

python ssl https openssl tls1.2
NoobEditor picture NoobEditor · Apr 6, 2016 · Viewed 14.1k times · Source

Background :

I am trying to create an SSL context connection with an external vendor for handshake and then communicate using an xml over that connection.

clientCert = path["cert_path"]
clientKey = path["key_path"]
PROTOCOL = ssl.PROTOCOL_TLSv1
context = ssl.SSLContext(PROTOCOL)
context.load_default_certs()
context.load_cert_chain(clientCert, clientKey)
conn = httplib.HTTPSConnection(uri, 443, context=context) 
conn.request("POST", '/', headers=headers, body=signedRequest) # code breaks here
response = conn.getresponse()

But this code breaks saying :

SSLError(1, u'[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:590)

Now, I know that the CA certificates are correctly placed on server, somewhere the path is getting messed up.

Question

How can i see what is the CA Path from which this ssl and openssl pick the CA Certs from.
Openssl seems to be making correct connection, so i need to provide the path to ssl explicitly here.

requests.utils path can be found up as below, looking for something similar to understand for context.load_default_certs()

In [1]: from requests.utils import DEFAULT_CA_BUNDLE_PATH

In [2]: print(DEFAULT_CA_BUNDLE_PATH)
/usr/local/python/path/site-packages/certifi/cacert.pem

Answer

NoobEditor picture NoobEditor · Apr 7, 2016

ok...found it :

command would be openssl version -a

[someone@somewhere ~]$ openssl  version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Thu Jul 23 19:06:35 UTC 2015
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  rdrand dynamic

There would be a value OPENSSLDIR in output, this would be the base path

OPENSSLDIR: "/etc/pki/tls"

Most of the cases, this would be a symlink, use ls -la to this OPENSSLDIR path

[someone@somewhere ~]$ ls -la /etc/pki/tls
total 32
drwxr-xr-x.  5 root root  4096 Apr  6 10:09 .
drwxr-xr-x. 11 root root  4096 Apr  4 08:47 ..
lrwxrwxrwx   1 root root    19 Apr  6 10:09 cert.pem -> certs/ca-bundle.crt
drwxr-xr-x.  4 root root  4096 Mar 22 18:15 certs

Further ls -la

[someone@somewhere ~]$ ls -la /etc/pki/tls/certs/
total 1908
drwxr-xr-x. 4 root   root      4096 Mar 22 18:15 .
drwxr-xr-x. 5 root   root      4096 Apr  6 10:09 ..
lrwxrwxrwx  1 root   root        49 Apr  6 09:54 ca-bundle.crt -> /etc/pki/ca-trust/some/path/of/cert/tls-ca-bundle.pem

and you get the actual path :

/etc/pki/ca-trust/some/path/of/cert/tls-ca-bundle.pem

Related questions

HTTPS connection Python

I am trying to verify the that target exposes a https web service. I have code to connect via HTTP but I am not sure how to connect via HTTPS. I have read you use SSL but I have also …

Read More
Requests (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available.") Error in PyCharm requesting website

Using requests in Python3 Windows via Pycharm, and receiving SSL Module Not Available Error I've spent hours trying to figure out what could be causing this. I've reinstalled Anaconda, and I am completely stuck. When running the following def Earlybird(…

Read More
ssl.SSLError: tlsv1 alert protocol version

I'm using the REST API for a Cisco CMX device, and trying to write Python code which makes a GET request to the API for information. The code is as follows and is the same as that in the file …

Read More