Allow to disable SSL certificate validation #92

Closed
letmaik opened this issue Dec 1, 2020 · 7 comments
@letmaik
Member

letmaik commented Dec 1, 2020

2020-12-01 11:19:31.668: 'Exception Creating Socket: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)'

I'm trying to test an SSL-only API locally where the certificate is self-signed. I couldn't find an option to disable certificate validation.

@rifiles
Collaborator

rifiles commented Dec 1, 2020

Hi Maik,

I believe the command-line option you're looking for is --no_ssl

@letmaik
Member Author

letmaik commented Dec 1, 2020

no_ssl: bool (default False)

Set to True to disable SSL for requests

Doesn't sound like it to be honest. Are you sure?

@rifiles
Collaborator

rifiles commented Dec 1, 2020

I'm sorry, I believe you're correct - I answered too quickly. At the moment RESTler doesn't have an option to disable Python's default certificate validation.

The entirety of the SSL code in RESTler can be found in messaging.py and the HttpSock constructor:

            self._sock = None
            host = Settings().host
            target_ip = self.connection_settings.target_ip or host
            target_port = self.connection_settings.target_port
            if Settings().use_test_socket:
                self._sock = TestSocket(Settings().test_server)
            elif self.connection_settings.use_ssl:
                context = ssl.create_default_context()
                with socket.create_connection((target_ip, target_port or 443)) as sock:
                    self._sock = context.wrap_socket(sock, server_hostname=host)
            else:
                self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                self._sock.connect((target_ip, target_port or 80))

The ssl.create_default_context call performs the certificate checks by default. I think it should be possible to use ssl._create_unverified_context() or ssl._create_unverified_https_context() here, which hopefully could resolve your issue?

@marina-p marina-p added the enhancement New feature or request label Dec 1, 2020
@rifiles
Collaborator

rifiles commented Dec 23, 2020

Hi Maik,

I made a quick update on branch rifiles/92. Would you mind giving it a try on your API when you get a chance?

To disable you'll just need to add "disable_cert_validation": true to the settings file.

Thanks a lot

@stishkin
Contributor

stishkin commented Feb 1, 2021

@letmaik - Are you running on Linux or Windows? We are using RESTler on a Linux container, and using these instructions to add certificates to the Linux store worked for us.

https://askubuntu.com/questions/645818/how-to-install-certificates-for-command-line

@letmaik
Member Author

letmaik commented Feb 2, 2021

The certs are temporary and I'd like to avoid adding them system-wide. A CLI flag to define the cert to use or alternatively an option to disable cert validation sounds more attractive to me.
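The two options raised in this thread (trusting one specific certificate without touching the system store, or turning validation off) can be compared side by side in Python's `ssl` module. The following is an added example, not part of the original thread and not RESTler's own code; the function and parameter names are hypothetical, and it uses the public `SSLContext` attributes rather than the private `ssl._create_unverified_context()` helper.

```python
import socket
import ssl


def build_tls_context(disable_cert_validation=False, ca_file=None):
    """Return an SSLContext for one of three trust policies.

    Both parameters are hypothetical names for this example; ca_file is a
    path to a PEM file holding the self-signed certificate (or its CA).
    """
    if disable_cert_validation and ca_file:
        raise ValueError("choose either ca_file or disable_cert_validation")
    if disable_cert_validation:
        ctx = ssl.create_default_context()
        # Order matters: verify_mode cannot be set to CERT_NONE while
        # check_hostname is still True (ValueError).
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    if ca_file:
        # Starts with an empty trust store, so only ca_file is trusted and
        # nothing is added system-wide. Hostname checking stays on.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.load_verify_locations(cafile=ca_file)
        return ctx
    return ssl.create_default_context()


def policy(ctx):
    """Summarise what the context will enforce during the handshake."""
    return (ctx.verify_mode, ctx.check_hostname)


def open_tls_socket(ctx, host, port=443, target_ip=None):
    """Connect to target_ip (or host) and wrap the socket, as HttpSock does."""
    sock = socket.create_connection((target_ip or host, port))
    try:
        return ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise


if __name__ == "__main__":
    print(policy(build_tls_context()))
    print(policy(build_tls_context(disable_cert_validation=True)))
```

With `ca_file` set, a temporary self-signed certificate is accepted while every other certificate is still rejected, and hostname checking still applies; with validation disabled, any certificate presented by any endpoint is accepted.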

@marina-p
Contributor

Since the flag to disable cert validation has been added, closing this issue.
