I'm encountering an error in a Python application at a point where it's using pycurl to connect via HTTPS to a server. (Note, in this case, the "server" is another Python utility which implements a simple HTTPS server with the ssl library providing the encryption.) The "server" is providing a wildcard certificate which -- to my eye -- looks correct and looks like it should successfully verify. But pycurl is rejecting it as a mismatch.
The code segment performing the pycurl connection is:
    import io
    import pycurl

    def request_pycurl(cls, url, data, timeout):
        c = pycurl.Curl()
        c.setopt(pycurl.HTTPHEADER, [b'Content-Type: application/json'])
        # 0 skips verification of the server's certificate chain;
        # 2 still checks the certificate's name against the URL host.
        c.setopt(pycurl.SSL_VERIFYPEER, 0)
        c.setopt(pycurl.SSL_VERIFYHOST, 2)
        c.setopt(pycurl.TIMEOUT, timeout)
        if data is not None:
            c.setopt(pycurl.POSTFIELDS, data)
        c.setopt(pycurl.URL, url.encode('utf-8'))
        # Collect the response body in memory instead of writing to stdout.
        buf = io.BytesIO()
        c.setopt(pycurl.WRITEFUNCTION, buf.write)
        c.perform()
        return buf.getvalue()
The server certificate, generated in OpenSSL, has the common name *.*.*.mycompany.com with DNS SANs covering the spread of mycompany.com, *.mycompany.com, etc. all the way up to the three extra levels in the common name. ("mycompany" here is an intentional redaction.) The actual connection request's URL involves five elements.
When I run the app, the error that bubbles back up to the error logging function is:
    error(60, "SSL: certificate subject name (*.*.*.mycompany.com) does not match target host name 'foo1.foo2.foo3.mycompany.com'")
I've done a search for any known issues relating to pycurl and its handling of wildcard certificates, but nothing obvious came up. In the course of searching I've also come across a bit of a puzzle: in any articles where I've found the above error message text, they always cite a different error number -- 51 instead of 60.
At any rate... can anyone tell me whether there's a code change needed to make pycurl accept the wildcard certificate? Or whether there's a problem with pycurl that prevents it from handling wildcards properly?
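The following is an added example, not code from the question or from pycurl/libcurl. It is a small, self-contained reimplementation of the certificate name matching rule from RFC 6125 section 6.4.3, which is the rule TLS clients generally apply: a name may contain at most one wildcard, the wildcard must be the entire left-most label, it matches exactly one DNS label, and at least two labels must follow it. Running the names from the question (`*.*.*.mycompany.com`, `mycompany.com`, `*.mycompany.com`, plus an assumed `*.*.mycompany.com` standing in for the "etc.") against the five-label target host shows why none of them are accepted as a match.

```python
"""Certificate hostname matching in the style of RFC 6125 section 6.4.3.

Added example for this question; it is not libcurl's or pycurl's code and
simplifies some details (no IDN handling, no IP address SANs).
"""
import re

# One DNS label: letters, digits and hyphens, not starting/ending with a hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")

# Names taken from the question; "*.*.mycompany.com" is a constructed stand-in
# for the intermediate SAN entries the question summarises as "etc.".
CERT_NAMES = [
    "*.*.*.mycompany.com",   # the certificate's common name
    "mycompany.com",         # DNS SAN
    "*.mycompany.com",       # DNS SAN
    "*.*.mycompany.com",     # assumed DNS SAN
]
TARGET_HOST = "foo1.foo2.foo3.mycompany.com"  # host name from the error


def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def hostname_matches(pattern, host):
    """Return True if certificate name `pattern` covers `host`.

    Matching is case-insensitive.  Without a wildcard the names must be
    identical.  With a wildcard the rules are:
      * exactly one '*', and it must be the whole left-most label;
      * at least two labels must follow it ('*.com' is too broad);
      * the wildcard matches exactly one label, never several.
    """
    p, h = _labels(pattern), _labels(host)
    if not all(_LABEL.match(label) for label in h):
        return False                      # host is not a well-formed DNS name
    if "*" not in pattern:
        return p == h                     # plain name: exact match only
    if pattern.count("*") != 1 or p[0] != "*":
        return False                      # multiple or embedded wildcards
    if len(p) < 3:
        return False                      # wildcard needs two labels after it
    if len(h) != len(p):
        return False                      # '*' covers one label, not a run
    return p[1:] == h[1:]                 # remaining labels match literally


def matching_names(cert_names, host):
    """Return the subset of certificate names that cover `host`."""
    return [name for name in cert_names if hostname_matches(name, host)]


if __name__ == "__main__":
    for name in CERT_NAMES:
        verdict = "matches" if hostname_matches(name, TARGET_HOST) else "no match"
        print(f"{name:24} -> {TARGET_HOST}: {verdict}")
    # A wildcard does cover a host with exactly one extra label:
    print("*.mycompany.com".ljust(24), "-> foo3.mycompany.com:",
          "matches" if hostname_matches("*.mycompany.com", "foo3.mycompany.com")
          else "no match")
```

The practical consequence for the set-up in the question is that a five-label host name can only be covered by a name whose first label is a single `*` followed by the four literal labels `foo2.foo3.mycompany.com`, or by the exact host name itself; a name with several wildcard labels is rejected by this rule regardless of whether it sits in the CN or in a SAN.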