
I am attempting to connect to a socket using the following code:

    import ssl, socket
    ctx = ssl.create_default_context()
    s = ctx.wrap_socket(socket.socket(), server_hostname='theguardian.co.uk')
    s.connect(('theguardian.co.uk', 443))

With the patch given at "App Engine socket invalid argument", this works on the development server perfectly. However, when deployed (to my billing-enabled app) it fails with the following error:

    (<class 'ssl.SSLError'>, SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:591)'), <traceback object at 0x107bd918>)

I realise sockets are in beta on GAE - but I would have thought that if it works on the dev server (albeit with the patch) it'd work when deployed. What am I missing?

The full traceback is as follows:

    [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:591)
    Traceback (most recent call last):
      File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.1/webapp2.py", line 1536, in __call__
        rv = self.handle_exception(request, response, e)
      File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.1/webapp2.py", line 1530, in __call__
        rv = self.router.dispatch(request, response)
      File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.1/webapp2.py", line 1278, in default_dispatcher
        return route.handler_adapter(request, response)
      File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.1/webapp2.py", line 1102, in __call__
        return handler.dispatch()
      File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.1/webapp2.py", line 572, in dispatch
        return self.handle_exception(e, self.app.debug)
      File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/webapp2-2.5.1/webapp2.py", line 570, in dispatch
        return method(*args, **kwargs)
      File "/base/data/home/apps/[REDACTED]/main.py", line 32, in get
        s.connect(('theguardian.co.uk', 443))
      File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/ssl-2.7.11/ssl.py", line 839, in connect
        self._real_connect(addr, False)
      File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/ssl-2.7.11/ssl.py", line 830, in _real_connect
        self.do_handshake()
      File "/base/data/home/runtimes/python27/python27_lib/versions/third_party/ssl-2.7.11/ssl.py", line 803, in do_handshake
        self._sslobj.do_handshake()
    SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:591)

Edit

I've read the restrictions at https://cloud.google.com/appengine/docs/python/sockets/#limitations_and_restrictions and it's specified that

> You cannot bind to specific IP addresses or ports

Is the inclusion of port 443 the cause of this error - and if so, how do I get around it, considering that connect() requires it?

user714852
  • You *might* be looking at the wrong limitation reason: you're using `connect()`, not `bind()`. How about: "Private, broadcast, multicast, and Google IP ranges (except those whitelisted below), are blocked", maybe try some other server? – Dan Cornilescu Feb 03 '17 at 14:32
  • Hey - thanks for responding. I've tried it with less exotic domains (my own domain which has a letsencrypt cert) but still get the same error. – user714852 Feb 03 '17 at 14:56
