Reputation: 3940
I want to connect to the Gmail SMTP server using secure sockets. I have downloaded the mail.google.com.crt cert file by using my browser, Firefox (I simply opened a gmail.com page and then exported the certificate using my browser's export cert button).
However, it seems that there is a problem, and I do not know why. When I changed mail.google.com.crt to GeoTrustGlobalCA.pem (I found it somewhere online) it worked (didn't show the errors). Am I not understanding something here?

    import socket
    import ssl

    if __name__ == '__main__':
        HOST = 'smtp.gmail.com'
        PORT = 465
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((HOST, PORT))
        context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
        context.verify_mode = ssl.CERT_REQUIRED
        # server certificate exported from the browser
        context.load_verify_locations('mail.google.com.crt')
        # check SNI extension
        if ssl.HAS_SNI:
            secure_sock = context.wrap_socket(sock, server_hostname=HOST)
        else:
            secure_sock = context.wrap_socket(sock)
        cert = secure_sock.getpeercert()
        print(cert)
        # cert['subject'] is a tuple of RDNs; search all of them for the commonName
        names = [pair for rdn in cert['subject'] for pair in rdn] if cert else []
        if ('commonName', HOST) not in names:
            raise Exception("error")
        secure_sock.recv(1024)
        secure_sock.close()
        sock.close()

Upvotes: 1
Views: 1981
Reputation: 123551
    context.load_verify_locations('mail.google.com.crt')

Verify locations are expected to contain trusted CA certificates. The server certificate you've specified is not a CA certificate. From the documentation:

    Load a set of “certification authority” (CA) certificates used to validate other peers’ certificates ...
Upvotes: 2
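
An added example, not part of either post: a Python 3 version of the client that relies on the `ssl` module's built-in chain and hostname verification, and that rejects a `cafile` containing no CA certificate (the situation in the question). The helper names `ca_file_stats`, `build_context` and `fetch_banner` are made up for this sketch.

```python
import socket
import ssl

HOST, PORT = "smtp.gmail.com", 465  # values from the question


def ca_file_stats(context):
    """Return (certs_loaded, ca_certs) for the context's verify store.

    Only certificates loaded eagerly (cafile/cadata) are counted; a
    directory-based system store (capath) is read lazily and may show 0.
    """
    stats = context.cert_store_stats()
    return stats["x509"], stats["x509_ca"]


def build_context(cafile=None):
    """Client context that verifies both the chain and the hostname.

    cafile=None trusts the platform CA store. Otherwise cafile must be a
    PEM file of CA certificates, and only those CAs are trusted.
    """
    context = ssl.create_default_context(cafile=cafile)
    if cafile is not None:
        loaded, cas = ca_file_stats(context)
        if cas == 0:
            # e.g. a server certificate exported from a browser
            raise ValueError(
                "%s: %d certificate(s) loaded, none is a CA" % (cafile, loaded))
    return context


def fetch_banner(host, port, context):
    """Connect over implicit TLS and return (subject, first bytes)."""
    with socket.create_connection((host, port), timeout=10) as sock:
        # server_hostname drives SNI and the built-in hostname check,
        # so no manual commonName comparison is needed.
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subject"], tls.recv(1024)


if __name__ == "__main__":
    # Needs network access. Pass cafile="<your-ca-bundle>.pem" to
    # build_context() to trust only the CA(s) in that file.
    subject, banner = fetch_banner(HOST, PORT, build_context())
    print(subject)
    print(banner)
```
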