The Secure Sockets Layer (SSL) is an integral component in securing communication over the internet. Python, being a versatile and widely-used programming language, heavily depends on SSL in securing interactions with APIs, databases, and web services.
However, during implementation, developers are often challenged by various SSL-related problems that may disrupt operations and jeopardize security.
This article covers the most common issues encountered with SSL in Python, from verification failures to errors in module compatibility, and provides solutions.
Such knowledge of challenges and fixes will help developers enhance security and reliability in their Python applications. Whether you are troubleshooting expired certificates or just trying to fix a handshake, this guide has you covered.
Most Common 15 SSL Issues on Python Its Solutions
1. SSL Certificate Verification Failure
An SSL certificate verification failure is a very simple case where Python’s SSL library was unable to verify the authenticity of an SSL certificate that was presented by a server.
It most commonly arises while working with any of the services such as MySQL databases, web servers, or APIs and mostly stems from problems within the CA trust chain. Most of the problem, however, is due to missing a trusted Certificate Authority in a CA trust store.
A trust store is actually what Python uses to verify certificates for server-side and if one of the trusted CAs is missing it simply causes the whole verification process to fail.
Not to mention errors that come from using certificates issued by an untrusted CA or even self-issued certificates which are quite common in the development environment. The other is the certificate that has either expired or even revoked.
Its legitimacy has been brought into question through the issuing Certificate Authority, though it was once trusted. To deal with SSL certificate verification failures, solutions exist.
2. SSL Certificate_VERIFY_FAILED Error
CERTIFICATE_VERIFY_FAILED is undoubtedly the most common SSL-related error in a Python application.
It arises from an inability to verify the authenticity of an SSL certificate issued by a server from the SSL module within Python, which indeed is supposed to make secure connections.
It is more often experienced with libraries like urllib and requests especially while the certificates are self-signed or issued by unknown Certificate Authorities (CAs).
All typical development environments use self signed certificates, where a certificate that is valid and therefore trusted is not implemented at all; however, it failed in a Python SSL module when the selfsigned certificate entered because such identification is not found for a Certificate Authority.
In most cases, it is due to the fact that there are not enough root CA certificates required by the trust store of the local environment.
This could be because the environment might have an outdated bundle or is trying to connect to a server whose certificate is not known to the system.
Python raises this error when it has a certificate that cannot be validated; hence it will not allow safe communication and will raise security concerns.
3. Module Not Found SSL
If the SSL module is not available, this implies that Python’s installation does not support SSL. Most of the time, this arises when OpenSSL is missing from your system or when Python has been compiled without SSL capabilities.
The solution to this problem is to ensure OpenSSL is installed by downloading either the libssl-dev or openssl-devel package on Linux.
For Windows users, reinstalling Python using an installer that includes SSL support will most of the time solve the problem and make the SSL module available.
4. SSL: CERT_COMMON_NAME_INVALID Error
This error happens because the COMMON_NAME of the server certificate does not match with the domain accessed. For example, accessing https://api.example.com using a certificate issued for https://example.com will cause this mismatch to throw this error.
One can resolve this issue by checking whether the hostname matches with the CN or the SAN of the certificate. Then, if possible, you can request for issuance of a certificate that contains all the necessary subdomains on your server.
Customizing the SSLContext to disable hostname verification would have addressed the problem, although this is not recommended in production.
5. Older SSL/TLS Protocols
Most modern servers disable older protocols like SSL 2.0 and 3.0. To upgrade your connection from older protocols like TLS 1.2 or TLS 1.3 would serve as a solution to this problem.
Now in your Python code, configure your SSLContext to one of the more secure protocols like the ones available: ssl.PROTOCOL_TLSv1_2 and ssl.PROTOCOL_TLSv1_3.
Then your connection would be allowed in most secure servers which may deny your connection through other less secure protocols with them.
6. SSL: CERTIFICATE_EXPIRED Error
This would make the connection insecure as it is an expired server certificate, and it results in an SSL error. If it is in your team’s control, renew it as soon as possible. If not, ask the administrator to renew SSL Certificate or change the endpoint.
For now, one can bypass verification using Python by setting verify=False but that should be avoided in sensitive data handling or during the production process.
7. Hostname Mismatch Errors
SSL certificates should match the hostname used by the client for verification purposes. In case of a mismatch, the SSL library will raise an error. This can be fixed by ensuring that the hostname is covered by the SSL certificate.
Wildcard or SAN certificates should be used if connecting to multiple subdomains. For added flexibility, configure SSLContext carefully if connecting to multiple hosts, but proceed with caution since this reduces security.
8. SELF-SIGNED CERTIFICATES ERROR
Python, by default, does not trust self-signed certificates. Due to this, it brings SSL errors. The problem may be solved by adding the certificate to your system’s CA store. Or, you pass the path to the requests library with the verify parameter.
You may choose to skip verification using verify=False if this is allowed in your application. It is not recommended as it will compromise connection security.
9. SSLContext Configuration Problems
SSL Connections Fail Most Likely Due To Errors, Incomplete Setup Of the SSLContext Use ssl.create_default_context() when generating a secure context for the SSL and make sure there is a trusted CA bundle.
Fine-tune as necessary the SSLContext configurations. For example, select only modern protocols and establish explicit certificate paths when calling databases or other external services.
10. Handling SSL Warnings
Python often produces SSL warnings indicating an insecure configuration or outdated protocol.
Warnings like this can be overcome by updating your SSL/TLS libraries to the latest version and configuring SSLContext properly. If these warnings do not pose a security risk, they can be suppressed with care if they continue.
11. SSL Error in Requests Library
Requests for Python strictly validate certificates; hence, in most cases, this causes SSL errors when certificates have expired, self-signed, or don’t have a trusted CA.
This can be rectified by setting the verify parameter to a valid bundle of CAs or path to a specific certificate. It is sometimes used temporarily for false bypass verification in production usage majorly because of security threats.
12. Issues with Proxy SSL Certificate
Sometimes, a proxy’s place to intercept SSL traffic can cause verification errors through the use of an SSL certificate that isn’t trusted. Either way, adding an SSL certificate of a proxy to a trusted CA bundle of Python or asking for suitable and necessary certificates from a network administrator is appropriate.
13. Insecure and Weak Cipher Suites for SSL/TLS
This means weak cipher suites will allow for attacks to come in through the door. The door can be left open by creating a context set_ciphers containing modern options which set an SSLContext to only permit a secure cipher suite. OpenSSL must be upgraded so that it holds the latest possible secure ciphers.
14. SSL: UNABLE_TO_GET_ISSUER_CERT_LOCALLY
UNABLE_TO_GET_ISSUER_CERT_LOCALLY is the error message which says python is unable to find the issuer in the CA store.
This is due to either wrong permission or incorrect address for the certificates. An issuer certificate must be there inside a CA bundle, and certifi should be applied to have trusted CA certificates.
15. SSLHandshakeException
Failures in SSL/TLS handshake are most times due to incompatible protocols and configuration mistakes from certificates.
In a bid to resolve and perhaps eradicate such issues, it would make much sense if the SSLContext were to support certain versions of the TLS protocol in question while having the facility of disabling some cipher suites suspected to be the reasons of the issues in question.
To really pinpoint what exactly is the cause of failure in handshakes one has to use some kind of debugging tools like, for instance, openssl or ssldump because such tools diagnose the issue and ensure the server-side configuration and the client side get perfectly in sync.
Top comments (0)