Python Failed To Verify Any CRLs For SSL/TLS Connections
In Python 3.4, there is a verify_flags attribute that can be used to check whether a certificate was revoked against a CRL, by setting it to VERIFY_CRL_CHECK_LEAF or VERIFY_CRL_CHECK_CHAIN. I wrote a simple pro
Solution 1:
To check against a CRL you have to manually download the CRL and put it in the right place so that the underlying OpenSSL library will find it. There is no automatic downloading of CRLs, and specifying the place where to look for the CRL is not intuitive either. What you can do:
- get the CRL distribution points from the certificate. For stackoverflow.com one is http://crl3.digicert.com/sha2-ha-server-g5.crl
- download the current CRL from there
- convert it from the DER format to PEM format, because this is what is expected in the next step:
openssl crl -inform der -in sha2-ha-server-g5.crl > sha2-ha-server-g5.crl.pem
- add the location to the verify_locations:
ctx.load_verify_locations(cafile="./sha2-ha-server-g5.crl.pem")
This way you can verify the certificate against the CRL.
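The four steps above, pulled together into one script. This is an added example and not code from the answer: it shows how to read the CRL distribution point URLs out of the dict that SSLSocket.getpeercert() returns, and how to build an SSLContext that has VERIFY_CRL_CHECK_LEAF (or VERIFY_CRL_CHECK_CHAIN) set and the downloaded, PEM-converted CRL loaded through load_verify_locations(cafile=...). The file names and the sample certificate dict are constructed for illustration; downloading and converting the CRL is still done with the openssl command from the answer.

```python
import socket
import ssl

# Constructed sample of the dict SSLSocket.getpeercert() returns; only the
# keys needed here are shown. The URL is the one quoted in the answer above.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "stackoverflow.com"),),),
    "issuer": ((("commonName", "DigiCert SHA2 High Assurance Server CA"),),),
    "crlDistributionPoints": ("http://crl3.digicert.com/sha2-ha-server-g5.crl",),
}


def crl_distribution_points(cert):
    """Return the CRL distribution point URLs of a getpeercert() dict.

    When the certificate carries the extension, Python exposes it as the
    'crlDistributionPoints' key, a tuple of URL strings. A certificate
    without the extension simply has no such key, so return an empty list.
    """
    return list(cert.get("crlDistributionPoints", ()))


def build_crl_checking_context(cafile=None, crl_pem=None, check_chain=False):
    """Build a client SSLContext that refuses certificates listed in a CRL.

    cafile   - optional extra CA bundle (the default context already trusts
               the system store)
    crl_pem  - the CRL converted to PEM (hypothetical file name, produced by
               `openssl crl -inform der -in x.crl > x.crl.pem`)
    check_chain - check every certificate in the chain instead of only the leaf

    load_verify_locations(cafile=...) hands the file to OpenSSL's file lookup,
    which accepts PEM CRLs as well as certificates; the cadata= form only reads
    certificates, so a CRL must be passed as a file.
    """
    ctx = ssl.create_default_context()
    ctx.verify_flags |= (
        ssl.VERIFY_CRL_CHECK_CHAIN if check_chain else ssl.VERIFY_CRL_CHECK_LEAF
    )
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    if crl_pem is not None:
        ctx.load_verify_locations(cafile=crl_pem)
    return ctx


def crl_check_mode(ctx):
    """Report which revocation check a context has enabled: 'chain', 'leaf' or 'none'.

    VERIFY_CRL_CHECK_CHAIN is a superset of VERIFY_CRL_CHECK_LEAF, so test the
    chain flag first.
    """
    if ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN == ssl.VERIFY_CRL_CHECK_CHAIN:
        return "chain"
    if ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF:
        return "leaf"
    return "none"


def fetch_peer_cert(host, port=443):
    """Connect once without CRL checking just to read the peer certificate,
    so its CRL distribution points can be found (step 1 of the answer)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Step 1: where is the CRL published? (network access required)
    cert = fetch_peer_cert("stackoverflow.com")
    print("CRL distribution points:", crl_distribution_points(cert))
    # Steps 2-3: download that URL and convert it with the openssl command
    # from the answer, producing e.g. ./sha2-ha-server-g5.crl.pem (assumed name).
    # Step 4: connect again with the CRL loaded; a revoked leaf now fails.
    ctx = build_crl_checking_context(crl_pem="./sha2-ha-server-g5.crl.pem")
    print("revocation check:", crl_check_mode(ctx))
    with socket.create_connection(("stackoverflow.com", 443)) as sock:
        with ctx.wrap_socket(sock, server_hostname="stackoverflow.com") as tls:
            print("handshake OK, peer not listed in loaded CRL:", tls.version())
```

Note the failure mode behind the question's title: once VERIFY_CRL_CHECK_LEAF is set, OpenSSL requires a CRL for the leaf's issuer to be present in the store, so a handshake with no (or a stale, or a wrong-issuer) CRL loaded is rejected with an "unable to get certificate CRL" verification error rather than silently passing. The CRL also has a nextUpdate time, so the download step has to be repeated before it expires.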