Setting the AZURE_CLI_DISABLE_CONNECTION_VERIFICATION does not have any effect for SSL verification #9001

Closed
antgonmir opened this issue Apr 5, 2019 · 6 comments
Labels
Core CLI core infrastructure needs-triage This is a new issue that needs to be triaged to the appropriate team.

@antgonmir

Describe the bug
Setting the AZURE_CLI_DISABLE_CONNECTION_VERIFICATION does not have any effect. SSL verification still takes place when running Azure CLI commands.

To Reproduce
When sitting behind an SSL intercepting Proxy, the Azure CLI fails for certain commands with errors like:

Error occurred in request., SSLError: HTTPSConnectionPool(host='xxxxxx.vault.azure.net', port=443): Max retries exceeded with url: /secrets?api-version=7.0 (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",),))

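Setting the AZURE_CLI_DISABLE_CONNECTION_VERIFICATION to any value causes the should_disable_connection_verify method from azure.cli.core.util to return True, as expected:

# Module-level constant in azure.cli.core.util naming the environment variable.
DISABLE_VERIFY_VARIABLE_NAME = "AZURE_CLI_DISABLE_CONNECTION_VERIFICATION"

def should_disable_connection_verify():
    import os
    # Any non-empty value of the variable is truthy, so this returns True.
    return bool(os.environ.get(DISABLE_VERIFY_VARIABLE_NAME))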

However, the Verify flag in the requests is still set to True, so the environment variable is not working as expected.

A possible temporary workaround is to modify the sessions.py file within the requests package, and set the Verify parameter to False in the merge_environment_settings method:

    def merge_environment_settings(self, url, proxies, stream, verify, cert):
        """
        Check the environment and merge it with some settings.

        :rtype: dict
        """
        # Gather clues from the surrounding environment.
        if self.trust_env:
            # Set environment's proxies.
            no_proxy = proxies.get('no_proxy') if proxies is not None else None
            env_proxies = get_environ_proxies(url, no_proxy=no_proxy)
            for (k, v) in env_proxies.items():
                proxies.setdefault(k, v)

            # Look for requests environment configuration and be compatible
            # with cURL.
            if verify is True or verify is None:
                verify = (os.environ.get('REQUESTS_CA_BUNDLE') or
                          os.environ.get('CURL_CA_BUNDLE'))

        # Merge all the kwargs.
        proxies = merge_setting(proxies, self.proxies)
        stream = merge_setting(stream, self.stream)
        verify = merge_setting(verify, self.verify)
        cert = merge_setting(cert, self.cert)

        return {'verify': False, 'proxies': proxies, 'stream': stream,
                'cert': cert}

Expected behavior
Setting the AZURE_CLI_DISABLE_CONNECTION_VERIFICATION to any value should disable SSL verification with Azure CLI.

Environment summary
The problem has been verified in both Windows 10 and also bash within Windows 10, running:

In Windows 10:
Azure CLI 2.0.61 and Python 3.7.3

In Bash within Windows 10
Azure CLI 2.0.60 and Python 3.6.7
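
Added example (not part of the issue, and not code from requests or Azure CLI): a stdlib-only model of how the merge_environment_settings code quoted above resolves `verify`, next to the hard-coded False of the sessions.py edit. `merge_setting` here reproduces only the non-dict branch of the requests helper of that name, and the `PROXY_CA` path is constructed.

```python
# Model of `verify` resolution in the quoted merge_environment_settings.
# Assumption: merge_setting mirrors only the non-dict branch of requests' helper.

def merge_setting(request_setting, session_setting):
    if session_setting is None:
        return request_setting
    if request_setting is None:
        return session_setting
    return request_setting  # per-request value wins when both are set


def resolve_verify(request_verify, session_verify, environ, trust_env=True):
    """Return the effective `verify` value, following the quoted method."""
    verify = request_verify
    if trust_env and (verify is True or verify is None):
        verify = (environ.get('REQUESTS_CA_BUNDLE') or
                  environ.get('CURL_CA_BUNDLE'))
    return merge_setting(verify, session_verify)


def patched_verify(request_verify, session_verify, environ):
    """The sessions.py edit: verification is off for every caller."""
    return False


def describe(value):
    if value is False:
        return "certificate verification DISABLED"
    if value is True:
        return "verified against the default CA store"
    return "verified against CA bundle " + value


# Constructed path; a real bundle would contain the proxy's root CA.
PROXY_CA = "/etc/ssl/certs/corp-proxy-ca.pem"

if __name__ == "__main__":
    bundle = {"REQUESTS_CA_BUNDLE": PROXY_CA}
    cases = [  # (label, per-request verify, session.verify, environment)
        ("defaults", None, True, {}),
        ("session.verify=False", None, False, {}),
        ("CA bundle set", None, True, bundle),
        ("CA bundle set, session.verify=False", None, False, bundle),
        ("per-request verify=False", False, True, bundle),
    ]
    for label, req, sess, env in cases:
        print(f"{label:36} -> {describe(resolve_verify(req, sess, env))}")
        print(f"{'  with the sessions.py edit':36} -> "
              f"{describe(patched_verify(req, sess, env))}")
```

In this model a CA bundle named in REQUESTS_CA_BUNDLE keeps verification on and even takes precedence over a session-level `verify=False`, while the edited return value turns verification off for every program that shares that requests installation.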

@tjprescott tjprescott added Core CLI core infrastructure Needs Triage labels Apr 5, 2019
@tjprescott tjprescott self-assigned this Apr 5, 2019
@tjprescott tjprescott added this to the Sprint 59 milestone Apr 5, 2019
@tjprescott
Member

Thanks for the details @antgonmir. I'll try and take a look at it this sprint.

@tjprescott
Member

You mention that you get this error "for certain commands". Could you be more specific about which commands are showing this error?

@antgonmir
Author

I was able to reproduce the issue with any commands that involved operating with a Key Vault, for example az keyvault secret list, az keyvault secret set, az keyvault key list, etc.

@tjprescott
Member

In that case, this seems related to #6958.

@yugangw-msft
Contributor

It is the same issue. We will take a look at this soon. Meanwhile, non key-vault commands work fine under proxy.

@jiasli jiasli removed the triage label Sep 2, 2019
@haroldrandom haroldrandom added Core CLI core infrastructure needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Oct 25, 2019
@woeterman94

Why was this closed? The issue is still here
