requests: OpenSSL.SSL.Error raised with invalid client cert and openssl 1.1.1.
In https://github.com/cherrypy/cheroot/issues/173, we discovered that with the release of cryptography 2.5, built against OpenSSL 1.1.1a, a call to requests.get with a client certificate referencing an unknown CA will raise an OpenSSL.SSL.Error not wrapped in a requests.exceptions.SSLError, whereas with cryptography < 2.5 (openssl 1.1.0), the error is wrapped.
Due to the complexities of this situation, I’ve not yet been able to put together an isolated test case that replicates the issue. It’s possible there are other factors in the cheroot test suite that are affecting this behavior.
I wanted to raise this issue here to see if the requests maintainers have some insight into this issue - either how the situation above might arise or how one might be able to simply replicate the conditions that lead to the situation so further investigation could be done. Any advice is appreciated.
About this issue
- State: closed
- Created 5 years ago
- Comments: 15 (11 by maintainers)
Can’t move issues cross-org (yet?). Could you reopen an issue and include the exact Python, pyOpenSSL, cryptography versions and cert you’re using so I can reproduce exactly what you’re seeing? I appreciate your effort looking into this issue.
This was resolved in urllib v1.25.0.
This is probably something for urllib3 instead of requests?