How to check (not bypass) SSL certificate with urllib2.urlopen? - python-2.7

I'm using Python 2.7.13. I'm trying to connect to https://www.python.org/ and verify its certificate using urllib2.urlopen. I'm getting "SSL: CERTIFICATE_VERIFY_FAILED" error in the process, and when I try to google the issue, I seem to get answers on how to bypass this security check. But I don't want my code to bypass it, I want it to use the certificate. Here's my code that fails:
import urllib2
from contextlib import closing
import ssl
ctx = ssl.create_default_context(purpose = ssl.Purpose.SERVER_AUTH, cafile = 'www.python.org.crt')
request = urllib2.Request('https://www.python.org/')
# Produces URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>
with closing(urllib2.urlopen(request, context = ctx)) as response:
print response.read()
cafile = 'www.python.org.crt' is a PEM-formatted file that properly starts with -----BEGIN CERTIFICATE-----. I exported it from https://www.python.org/ using this instruction and put it into the script's working folder.

From the documentation: https://docs.python.org/2/library/ssl.html#ssl._https_verify_certificates
Starting with Python 2.7.9, httplib and modules which use it, such as urllib2 and xmlrpclib, default to verifying remote server certificates received when establishing client HTTPS connections. This default verification checks that the certificate is signed by a Certificate Authority in the system trust store and that the Common Name (or Subject Alternate Name) on the presented certificate matches the requested host.
So you don't need to anything special to verify the certificate. And you can see that because you have a validation failure, which shows you that validation is happening.
So why aren't you getting successful validation? The answer to this lies in your use of the cafile. The cafile parameter takes a file which overrides your systems default trusted certificate store. But the important thing to understand about trusted certificates the validation process isn't to check the host is in the trusted store but signed but a cert in the trusted store. So you don't need to pass in the actual server certificate, you would pass in the certificate from python.org's certificate vendors (digicert at the time of writing) .
But actually you don't even need to do this as you system should come with a large set of trusted certificates from many vendors. These vendors are audited to some extent ( Opinions vary on the extent - and this now getting off topic) and python's library will validate against this set as default if you leave the cafile parameter blank.
So you find that
>>> ctx = ssl.create_default_context(purpose = ssl.Purpose.SERVER_AUTH, cafile = '/tmp/python.org.cert')
>>> urllib2.urlopen("https://www.python.org/", context = ctx)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
return opener.open(url, data, timeout)
File "/usr/lib/python2.7/urllib2.py", line 429, in open
response = self._open(req, data)
File "/usr/lib/python2.7/urllib2.py", line 447, in _open
'_open', req)
File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
result = func(*args)
File "/usr/lib/python2.7/urllib2.py", line 1241, in https_open
context=self._context)
File "/usr/lib/python2.7/urllib2.py", line 1198, in do_open
raise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>
fails, but this:
>>> ctx = ssl.create_default_context(purpose = ssl.Purpose.SERVER_AUTH,)
>>> urllib2.urlopen("https://www.python.org/", context = ctx)
<addinfourl at 140556044048504 whose fp = <socket._fileobject object at 0x7fd5c1127b50>>
works.
Finally I'd like to point you at httplib and http.client (in python 3) which are much cleaner interfaces for this sort of thing.

Related

AWS broken pipe error when uploading files bigger than 1 MB

I am a django newbie, and I inherited a django back-end with little documentation. I am making a request to said server, which is hosted on AWS. To store the files in the request we use S3.
I have found nothing on the django code that limits the size of the file uploads, and I suspect it may be AWS closing the connection because of file size.
This is the code I use, and below the error I get whenever the total size of the files is over 1 MB:
import requests
json_dict = {'key_1':'value_1','video':video,'image':,image}
requests.post('https://api.test.whatever.io/v1/register', json=dict_reg)
video is a video file ('.mov','.avi','.mp4',etc) with base64 encoding, and image is an image file ('.jpg','.png') with base64 encoding.
And this is the trace I get, ONLY when the total size is over 1 MB:
/usr/local/lib/python2.7/dist-
packages/requests/packages/urllib3/util/ssl_.py:132: InsecurePlatfo
rmWarning: A true SSLContext object is not available. This prevents urllib3
from configuring SSL
appropriately and may cause certain SSL connections to fail. You can upgrade
to a newer version of Python to solve this. For more information, see
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecurePlatformWarningTraceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 110, in
post
return request('post', url, data=data, json=json, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/api.py", line 56, in
request
return session.request(method=method, url=url, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line
488, in request
resp = self.send(prep, **send_kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/sessions.py", line
609, in send
r = adapter.send(request, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/requests/adapters.py", line
473, in send
raise ConnectionError(err, request=request)
requests.exceptions.ConnectionError: ('Connection aborted.', error(32,
'Broken pipe'))
As mentioned previously, I have not found anywhere in the django code a limit to the file size, any hints where I should be looking at?
I also did not find anything on the AWS S3 policy.
Assuming you have a Nginx to reverse proxy your HTTP requests? if yes check this link.
Also see the value set for the below value in settings for the Upload Handlers in django
FILE_UPLOAD_MAX_MEMORY_SIZE
In the end it was the nginx configuration. changing the variable client_max_body_size in the nginx.conffile from 1M to 2M did the trick.

Flask-JWT generates error when Debug=False

I am playing around with Flask. I have created an API using Flask-Restful and Flask-JWT. When Debug=True in Flask, and I do not send the Authorization Header, I get the response as However, when the debug=False, the response returned is Internal Server Error with this stack trace,
[2017-01-19 19:43:10,753] ERROR in app: Exception on /api_0_1/deals [GET]
Traceback (most recent call last):
File "C:\Users\ARFATS~1\Desktop\Dealflow\venv\lib\site-packages\flask\app.py", line 1612, in full_dispatch_request
rv = self.dispatch_request()
File "C:\Users\ARFATS~1\Desktop\Dealflow\venv\lib\site-packages\flask\app.py", line 1598, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "C:\Users\ARFATS~1\Desktop\Dealflow\venv\lib\site-packages\flask_restful\__init__.py", line 477, in wrapper
resp = resource(*args, **kwargs)
File "C:\Users\ARFATS~1\Desktop\Dealflow\venv\lib\site-packages\flask_jwt\__init__.py", line 176, in decorator
_jwt_required(realm or current_app.config['JWT_DEFAULT_REALM'])
File "C:\Users\ARFATS~1\Desktop\Dealflow\venv\lib\site-packages\flask_jwt\__init__.py", line 155, in _jwt_required
headers={'WWW-Authenticate': 'JWT realm="%s"' % realm})
JWTError: Authorization Required. Request does not contain an access token
I would like Flask-JWT to respond with the response which is there when Debug=True. However, I cannot use debug on Production servers. One way is to use my own jwt_required decorator. Is there any other way?Also, I would be happy to know what I am missing, if any. Thanks
You will need to add this setting to your flask app:
app.config['PROPAGATE_EXCEPTIONS'] = True
When debug is true, PROPAGATE_EXCEPTIONS is also set to true by default.
Perhaps consider checking out flask-jwt-extended instead (https://github.com/vimalloc/flask-jwt-extended), it takes care of the PROPAGATE_EXCEPTIONS for you. It aims to replace the abandoned flask-jwt library, and add some conviences when working with JWTs (such as refresh tokens, easily adding custom data to the JWTs, fresh vs non-fresh tokens, and more). Full disclosure, I'm the author of that extension.
Cheers.

SSL certificates download

I am attempting to use requests package from python to access this site: https://egov.uscis.gov/casestatus/landing.do
When I ran this command:
requests.get('https://egov.uscis.gov/casestatus/landing.do')
I got the usual SSL error when your authentication verification fails..
Read through stackoverflow and adopted one of the solutions: download the certificate in (.crt) and then used openssl to convert to .pem file. I then copied the contents from this .pem file to the end of cacert.pem. However this did not work.
>>> requests.get('https://egov.uscis.gov/casestatus/landing.do')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "C:\Users\Sandra\Anaconda\lib\site-packages\requests\api.py", line 69, in get
return request('get', url, params=params, **kwargs)
File "C:\Users\Sandra\Anaconda\lib\site-packages\requests\api.py", line 50, in request
response = session.request(method=method, url=url, **kwargs)
File "C:\Users\Sandra\Anaconda\lib\site-packages\requests\sessions.py", line 465, in request
resp = self.send(prep, **send_kwargs)
File "C:\Users\Sandra\Anaconda\lib\site-packages\requests\sessions.py", line 573, in send
r = adapter.send(request, **kwargs)
File "C:\Users\Sandra\Anaconda\lib\site-packages\requests\adapters.py", line 431, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)
Any pointers as to how I can overcome this without resorting to verify=False
Also Is there any difference in downloading the file via https://superuser.com/a/97203 and https://superuser.com/a/176721?
Because I have no issue with requests.get('https://www.google.com'), do other websites place restrictions on the certificate you download?
egov.usics.gov does not provide a complete chain in its SSL handshake.
You'll need to employ a workaround similar to what's suggested here until the site administrator fixes the certificate chain issue. The intermediate certificate in your case can be obtained from https://ssl-tools.net/certificates/yuox7i-symantec-class-3-secure-server-ca
There are three ways to setup CA cert:
$ pip install certifi then
>>> requests.get(url, verify=certifi.where())
>>> requests.get(url, verify='/path/to/cert_bundle_file')
>>> os.environ['REQUESTS_CA_BUNDLE'] = '/path/to/cert_bundle_file'
>>> requests.get(url)

Why I receive CERTIFICATE_VERIFY_FAILED from google adwords api?

Why google adwords api stops on call this link:
https://adwords.google.com/api/adwords/mcm/v201502/CustomerService?wsdl
With this error - should I load some certificate before and how?
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>
Using Python 2.7.10.
Full source code:
create_adwords_client_without_yaml.py
Full error code:
Traceback (most recent call last):
File "C:/Users/Crezary Wagner/PycharmProjects/learn-adwords/src/examples/create_adwords_client_without_yaml.py", line 56, in <module>
CLIENT_CUSTOMER_ID)
File "C:/Users/Crezary Wagner/PycharmProjects/learn-adwords/src/examples/create_adwords_client_without_yaml.py", line 50, in main
customer = adwords_client.GetService('CustomerService').get()
File "C:\root\Python27\lib\site-packages\googleads\adwords.py", line 256, in GetService
proxy=proxy_option, cache=self.cache, timeout=3600)
File "C:\root\Python27\lib\site-packages\suds\client.py", line 115, in __init__
self.wsdl = reader.open(url)
File "C:\root\Python27\lib\site-packages\suds\reader.py", line 150, in open
d = self.fn(url, self.options)
File "C:\root\Python27\lib\site-packages\suds\wsdl.py", line 136, in __init__
d = reader.open(url)
File "C:\root\Python27\lib\site-packages\suds\reader.py", line 74, in open
d = self.download(url)
File "C:\root\Python27\lib\site-packages\suds\reader.py", line 92, in download
fp = self.options.transport.open(Request(url))
File "C:\root\Python27\lib\site-packages\suds\transport\https.py", line 62, in open
return HttpTransport.open(self, request)
File "C:\root\Python27\lib\site-packages\suds\transport\http.py", line 67, in open
return self.u2open(u2request)
File "C:\root\Python27\lib\site-packages\suds\transport\http.py", line 132, in u2open
return url.open(u2request, timeout=tm)
File "C:\root\Python27\lib\urllib2.py", line 431, in open
response = self._open(req, data)
File "C:\root\Python27\lib\urllib2.py", line 449, in _open
'_open', req)
File "C:\root\Python27\lib\urllib2.py", line 409, in _call_chain
result = func(*args)
File "C:\root\Python27\lib\urllib2.py", line 1240, in https_open
context=self._context)
File "C:\root\Python27\lib\urllib2.py", line 1197, in do_open
raise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>
Python uses certificates from 'system ssl certificate store' to certify https connection, if there is not any appropriate ssl cert in the store error occurs like this.
Download ssl certificate (Open your https link in browser and click lock icon in address bar > More Information > View Certificate > Details > Export) and install it on your system as stated this link http://windows.microsoft.com/en-us/windows/import-export-certificates-private-keys#1TC=windows-7
Not sure if that's the problem here, but worth checking it.
Python 2.7.9 enabled certificate validation by default for HTTP connections.
The server you're connecting to does not have a certificate that is trusted by your client. pysphere should configure SSL appropriately for this use case.
Try making your request like:
requests.get('https://adwords.google.com/api/adwords/mcm/v201502/CustomerService?wsdl', verify=False)
Try this, it helped me:
import ssl
ssl._create_default_https_context = ssl._create_unverified_context
I encountered this issue. I had my phone setup using the same DNS block list and it wasn't immediately apparent after I'd enabled the tool and resumed work on this particular project. I suggest scrutinizing your setup and verify that there aren't any adblockers (DNS level in my case ala NextDNS/hosted PiHole) enabled. Hours upon hours spent trying out python versions, certificates, reinstalling things. Hope this helps someone!

Web2py 3rd party authentication

I have made a webapp in python using web2py which has 3rd party authentication using Janrain as recommended.
On my local server it worked absolutely fine, but now when I deployed on pythonanywhere, the authentication is giving me the following error
"class 'urllib2.URLError' urlopen error Tunnel connection failed: 403 Forbidden"
Stack
===========
File "/usr/lib/python2.7/urllib2.py", line 127, in urlopen
return _opener.open(url, data, timeout)
File "/usr/lib/python2.7/urllib2.py", line 404, in open
response = self._open(req, data)
File "/usr/lib/python2.7/urllib2.py", line 422, in _open
'_open', req)
File "/usr/lib/python2.7/urllib2.py", line 382, in _call_chain
result = func(*args)
File "/usr/lib/python2.7/urllib2.py", line 1222, in https_open
return self.do_open(httplib.HTTPSConnection, req)
File "/usr/lib/python2.7/urllib2.py", line 1184, in do_open
raise URLError(err)
URLError: <urlopen error Tunnel connection failed: 403 Forbidden>
==========================
For third party authentication I had used yahoomail id.
This has now been fixed, but in case anyone else comes across this issue or a similar issue:
the problem was that free users on PythonAnywhere have restricted internet, that goes via a proxy and only allows a whitelist of sites.
The sites .janrain.com and .rpxnow.com weren't on the whitelist at the time, but we have now added them, and the janrain/yahoo mail login now works.
So, for anyone else that happens to be going via a proxy and trying to use this service, those are the sites you need to add. (may also be of interest to paranoid people that like to run noscript, if you find some federated auth system failing, you may need to unblock rpxnow).
Happy coding everyone!