This question is closely related to my other question: Python `urllib3`: sudden "certificate verify failed: certificate has expired" error.
For some reason it seems like my attempts at providing the correct hostname for SNI do not succeed. This manifested first in the proxy in the linked question, as without properly working SNI it can't successfully validate certificates. Then, as I went on to debug the issue using an installation of OpenSSL (separate from Python and the system), it displayed the same signs. I decided to see if at least Node.js correctly works with SNI using this script, but no luck:
const fs = require('fs/promises');
const tls = require('tls');

const [,, host, port, file] = process.argv;
const socket = tls.connect({
  host,
  port: Number(port),
  servername: host,           // SNI: ask the server for the certificate of `host`
  rejectUnauthorized: false,  // do not abort on a verification failure; the cert is inspected below
}, async () => {
  const cert = socket.getPeerCertificate(false);
  // checkServerIdentity returns undefined when the cert covers `host`, an Error otherwise
  const result = tls.checkServerIdentity(host, cert) ? 'No.' : 'Yes.';
  console.log('Valid for', cert.subjectaltname + '?', result);
  //await fs.writeFile(file, cert.raw)
  socket.destroy();
});
I think this output does a good job showcasing the issue:
> node .\sni-helper.js i.sstatic.net 443 test.tmp
Valid for DNS:*.sstatic.net, DNS:sstatic.net? No.
A dozen other hostnames likewise do not seem to be properly reflected in the provided certificates.
My configuration:
Did anybody else have this problem? I have no idea where to go with this, other than maybe filing an issue in the OpenSSL repo, but I may simply have failed at correctly setting my clients up, overlooking something blatantly obvious, so I'd like to check with you guys first.
It turned out NetLimiter 4 was to blame. When weeding out the causes I did initially suspect it, but the problem persisted during a brief period when I had turned the system service off, so I figured it must be something else. But I didn't know back then that it also installs a driver that keeps working independently of the service. Once I realized that (it took me a long time, admittedly) I fully uninstalled the program and now the problem is gone.