I downloaded the source tar file for Python 3.5.1 and compiled.  Upon running make test, it fails at

test_networked_good_cert (test_httplib.HTTPSTest) ... ERROR

Abbreviated Traceback looks like:

======================================================================
ERROR: test_networked_good_cert (test_httplib.HTTPSTest)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/bennet/Python-3.5.1/Lib/test/test_httplib.py", line 1325, in test_networked_good_cert
    h.request('GET', '/')
. . . .
  File "/tmp/local/python-3.5.1/lib/python3.5/ssl.py", line 628, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)

I have replicated this on CentOS 7, RHEL 6.5, and Ubuntu 16.04 Xenial with GCC versions 4.8.5, 4.8.5, and 5.3.1, respectively.

There was a previous bug reported about expired certificates that was closed.  It appears that it's using CERT_localhost, defined at the top to be keycert.pem, and that appears to be valid:

[bennet@flux-build-centos7-dev test]$ openssl x509 -in keycert.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15548457918976213582 (0xd7c7381919afc24e)
. . . .
        Validity
            Not Before: Oct  8 23:01:56 2010 GMT
            Not After : Oct  5 23:01:56 2020 GMT

I can replicate the test outside of make with the attached script.

I tried to be complete reporting and searching for this first; I apologize if I missed an obvious solution.

Just for the sake of completeness, I tested outside of the test harness.

/sw/arcts/centos7/python-dev/3.5.1/bin/python3
[bennet@flux-build-centos7-dev test]$ python3
Python 3.5.1 (default, May 11 2016, 08:50:05) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-4)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import http.client
>>> conn = http.client.HTTPSConnection("www.python.org")
>>> conn.request("GET", "/")
>>> r1 = conn.getresponse()
>>> print(r1.status, r1.reason)
200 OK

I think that indicates that it can do certificate verification of some sort and might be an indication that the issue is not with the setup but with the test.  There was some discussion of making the tests independent of connectivity in Issue25940.

There are a couple of expired certs in the test directory, but they may not be used; e.g.,

nokia.pem,
            Not After : Sep 20 23:59:59 2012 GMT
sha256.pem
            Not After : Feb 17 23:59:59 2014 GMT

I should have included this in the first submission.  Sorry for any additional mail this may generate.

After 3.5.1 was released, there were some SSL certificate changes with a server (ab)used in the test suite. See Issue 25940. The result was that I changed some tests over to use the https://self-signed.pythontest.net/ server, and I had to enable the CA flag in its certificate (https://hg.python.org/pythontestdotnet/rev/1882edb402ab).

A workaround might be to grab the updated Lib/test/selfsigned_pythontestdotnet.pem file, and perhaps some of the other changes made in Issue 25940 if necessary.

nosy: + martin.panter
messages: + msg265439

superseder: SSL tests failed due to expired svn.python.org SSL certificate
resolution: out of date