
I'm writing a small SSL proxy server and keep getting ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:661) from an Android app client but not a browser. I did set ssl.CERT_NONE. Here is my test code:

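```python
import socket
import ssl

# Server-side context: certificate and key presented to connecting clients
SSLcontext = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
SSLcontext.load_cert_chain('server.crt', 'server.key')
# These two settings only control whether this side verifies its peer
SSLcontext.verify_mode = ssl.CERT_NONE
SSLcontext.check_hostname = False

s = socket.socket()
s.bind(('127.0.0.1', 443))
s.listen(5)

# Accept one TCP connection, then run the TLS handshake as the server
c = s.accept()[0]
c = SSLcontext.wrap_socket(c, server_side=True)
print(c.recv(1024))
```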

Is this because of certificate pinning on the Android app, or am I doing something wrong?

1 Answer


> I did set ssl.CERT_NONE

This does not affect how the client verifies the server certificate at all. The server cannot instruct the client to not verify the certificate and it would be a serious security issue if the server could do this.

> SSLV3_ALERT_CERTIFICATE_UNKNOWN ... from an android app client but not a browser.

It is unknown what kind of certificate you use here. If this is a self-signed one you have probably added it once as trusted to the browser or added an explicit exception - but you did not do this for the Android app. If this is a certificate issued by a public CA then you are probably missing the chain certificates. Desktop browsers often work around this server-side problem while most other clients don't.

Steffen Ullrich
  • I used a self-signed certificate. I also added it to my browser and my Android phone. The reason why I'm confused here is that, as far as I have googled, `SSLV3_ALERT_CERTIFICATE_UNKNOWN` means that my Python code rejects the client's certificate, not the other way around. – Phan Thanh Duy Aug 31 '17 at 11:44
  • @logicalway: no, the client gets the server certificate, does not like it and sends this alert back to the server which then aborts the handshake and shows the alert it got. Thus somehow your Android client does not like the certificate but it is unknown why - too little information about the client and the certificate and how you've added it. – Steffen Ullrich Aug 31 '17 at 12:00
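
The direction of the alert discussed in the answer and comments above can be read from the error text itself. The following is an added example, not code from the question or the answer; the function name `classify_ssl_error`, the result keys and the second and third sample messages are assumptions made for illustration.

```python
import re

# Certificate-related alert descriptions and their numbers (RFC 5246, section 7.2).
CERT_ALERTS = {
    "BAD_CERTIFICATE": 42,
    "UNSUPPORTED_CERTIFICATE": 43,
    "CERTIFICATE_REVOKED": 44,
    "CERTIFICATE_EXPIRED": 45,
    "CERTIFICATE_UNKNOWN": 46,
    "UNKNOWN_CA": 48,
}

# OpenSSL names an error <PROTO>_ALERT_<DESCRIPTION> only when the alert was
# received from the peer. A failure detected locally carries another reason,
# for example CERTIFICATE_VERIFY_FAILED.
_REASON = re.compile(r"\[SSL: ([A-Z0-9_]+)\]")
_ALERT = re.compile(r"^(?:SSLV3|TLSV1|TLSV13)_ALERT_([A-Z0-9_]+)$")


def classify_ssl_error(message):
    """Tell from an ssl.SSLError message which side rejected the handshake."""
    result = {"origin": "unknown", "reason": None, "alert": None,
              "about_our_cert": False}
    found = _REASON.search(message)
    if found is None:
        return result                      # not an OpenSSL reason string
    result["reason"] = found.group(1)
    alert = _ALERT.match(result["reason"])
    if alert is None:
        result["origin"] = "local"         # this side detected the problem
        return result
    result["origin"] = "peer"              # the other side sent us an alert
    result["alert"] = CERT_ALERTS.get(alert.group(1))
    # A certificate alert from the peer concerns the certificate we presented.
    result["about_our_cert"] = alert.group(1) in CERT_ALERTS
    return result


if __name__ == "__main__":
    samples = [
        # Message quoted in the question.
        "[SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:661)",
        # Constructed samples for comparison.
        "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)",
        "[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:661)",
    ]
    for text in samples:
        print(classify_ssl_error(text))
```

For the message in the question this reports `origin` as `peer` with alert 46, so the fix belongs in what the Android client trusts or in the certificate chain the server sends, not in the server's `verify_mode`.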