Creating a connection object derived from an AWSAuthConnection will ignore validate_certs=False on python2 >= 2.7.9 #3468

Open
rwdalpe opened this issue Jan 19, 2016 · 4 comments


rwdalpe commented Jan 19, 2016

Boto has the helpful validate_certs parameter that can be passed into connection objects that derive from AWSAuthConnection.

However, in python2 >= 2.7.9 (not sure about python3), that parameter will have no effect. The issue stems from

https://github.com/boto/boto/blob/develop/boto/connection.py#L755

which is the branch that is executed if:

  • no proxy is in use
  • a special https connection factory was not passed in
  • http_validate_certificates is not True, which will be the case if validate_certs is set to False and no overriding options were set in the Boto config.

However, that function has the following note:

Changed in version 2.7.9: context was added.

This class now performs all the necessary certificate and hostname checks by default. To revert to the previous, unverified, behavior ssl._create_unverified_context() can be passed to the context parameter.

So, the default behavior changed from 2.7.8 to 2.7.9, which I believe breaks the expectations that Boto has.

The way we discovered/tested this was by trying to connect to kinesalite. I believe using any other non-validated ssl will trigger the same behavior.

Testing code is:

$ kinesalite --ssl # starts kinesalite in https mode with a self-signed cert on port 4567

# running in python

from boto.kinesis.layer1 import KinesisConnection
from boto.regioninfo import RegionInfo

regionInfo = RegionInfo(name='us-west-2',
                            endpoint='https://localhost:4567')
kwargs = {"region":regionInfo,
          "aws_access_key_id":'SOMEKEY',
          "aws_secret_access_key":'SOMESECRET',
          "is_secure":True,
          "validate_certs":False,
          "port":4567,
          "host":'localhost'
}

kinesisConn = KinesisConnection(**kwargs)
response = kinesisConn.list_streams()
print response # this should return _something_, instead the program will hang

This same code will work on python 2.7.8 but fail on python 2.7.9.

Perhaps this is also related to issue #2901?


rwdalpe commented Jan 19, 2016

Possible (untested from my end) workaround is to pass in the https_connection_factory. That might be the only option considering that the context parameter to that constructor doesn't exist in python2 < 2.7.9, so I'm sure it might be difficult to get the correct behavior and be backwards compatible.

@datagrok

Also seeing this behavior with Python 3.6.1. I expect it manifests in all Python3 >= 3.4.3, according to the similar note in the python3 docs about the use of context=ssl._create_unverified_context().


ghost commented Feb 17, 2018

Hi,

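It's very late, but as @rwdalpe mentioned, it's possible to do a workaround with https_connection_factory. Here is some sample code:

import ssl

from boto.compat import http_client
from boto.s3.connection import OrdinaryCallingFormat, S3Connection

def create_factory(host):
    # Unverified context: skips certificate chain and hostname checks
    return (
        http_client.HTTPSConnection(
            host = host,
            port = 8000,
            context = ssl._create_unverified_context()
        )
    )

# boto takes a (factory, exceptions) pair
factory = (create_factory, ())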

conn = S3Connection(
        "accessKey1",
        "verySecretKey1",
        host = "127.0.0.1",
        port = 8000,
        is_secure = True,
        validate_certs = False,
        calling_format = OrdinaryCallingFormat(),
        https_connection_factory = factory
)

@joke-lee

import httplib
import ssl
import boto
import boto.s3.connection
boto.config.add_section('Boto')
boto.config.set('Boto', 'num_retries', '1')
boto.config.set('Boto', 'http_socket_timeout', '20000000')
boto.config.set('Boto', 'debug', '2')
 
myhost = 'eos-beijing-1.cmecloud.cn'
myport = 443
access_key = "yly"
secret_key = "yly"
def create_factory(host):
    return (
        httplib.HTTPSConnection(
            host = myhost,
            port = myport,
            context = ssl._create_unverified_context()
        )
    )
 
factory = (create_factory, ())
conn = boto.connect_s3(
    access_key,
    secret_key,
    host = myhost,
    is_secure = True,
    validate_certs = False,
    port=myport,
    calling_format = boto.s3.connection.OrdinaryCallingFormat(),
    https_connection_factory = factory
)
bucket = conn.get_bucket("ylyb1")
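
The following is an added example, not part of the thread or of boto's code. It builds the (factory, exceptions) pair used in the workarounds above so that the TLS context follows the caller's validate_certs choice, and so that a self-signed test endpoint can be trusted through a CA file instead of disabling verification. It is written for Python 3 (http.client); the names build_context, make_https_factory, describe and the cafile path are assumptions.

```python
import http.client
import ssl


def build_context(validate_certs, cafile=None):
    """Return an SSLContext that matches the caller's validate_certs intent."""
    if not validate_certs:
        # Same call the thread's workaround uses: no chain or hostname checks.
        # Only suitable for a local test endpoint such as `kinesalite --ssl`.
        return ssl._create_unverified_context()
    # Verified context. cafile is a hypothetical path to the test endpoint's
    # self-signed certificate, so it passes verification without turning
    # verification off; None means the system trust store.
    return ssl.create_default_context(cafile=cafile)


def make_https_factory(validate_certs, cafile=None):
    """Build the (factory, exceptions) pair passed as https_connection_factory."""
    context = build_context(validate_certs, cafile)

    def factory(host):
        # http.client splits a "host:port" string when port is omitted.
        return http.client.HTTPSConnection(host, context=context)

    return (factory, ())


def describe(context):
    """Summarise the two settings that changed default in 2.7.9."""
    return {
        "verifies_chain": context.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": context.check_hostname,
    }


if __name__ == "__main__":
    print("validate_certs=False ->", describe(build_context(False)))
    print("validate_certs=True  ->", describe(build_context(True)))
    # With boto, as in the comments above (assumed usage):
    #   S3Connection(..., validate_certs=False,
    #                https_connection_factory=make_https_factory(False))
```
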
