v3.0.25

@kporangehat kporangehat released this 13 Jan 06:17

Change in behavior

We are updating our hosted server certificates to more secure ones signed with SHA-2. Some older versions of Python will have issues with this change because their ssl module cannot verify certificates whose signature uses a SHA-2 hash (SHA-2 is a family of hash functions used in the certificate signature, not an encryption algorithm, so the channel cipher is unaffected). In order to try to prevent scripts from breaking, when the API encounters a version of Python that is incompatible with SHA-2 signed certificates, it automatically turns off certificate verification and retries the request. If the retried request still fails for some reason, the error is raised; otherwise the request succeeds and validation remains off for the remaining life of the connection.

Having certificate validation off is actually the default in Python versions earlier than 2.7.9 (PEP 476 turned it on by default for the standard-library HTTP clients). Up to this point we have been electing to enhance the default level of security. Your connection is still encrypted when certificate validation is off, but the server's identity cannot be verified, so an attacker able to intercept the connection could present their own certificate without the client noticing.

Logging warnings

When the connection falls back to not validating the certificate, a warning message is generated in the logs:

Warning: shotgun_api3 : SSLHandshakeError: this Python installation is incompatible with certificates signed with SHA-2. Disabling certificate validation. For more information, see http://blog.shotgunsoftware.com/2016/01/important-ssl-certificate-renewal-and.html

SHOTGUN_FORCE_CERTIFICATE_VALIDATION environment variable support

There is also support for the SHOTGUN_FORCE_CERTIFICATE_VALIDATION environment variable. When it is set (the value does not matter), the API will not disable certificate verification and will instead raise an exception. Set it in any environment where an unverified connection is unacceptable; the incompatibility then surfaces as a hard failure rather than a silent downgrade.

SSL info added to user-agent

Information showing the OpenSSL version (if available) and whether certificate validation is enabled is now added to the user-agent string:

ssl OpenSSL 1.0.2d 9 Jul 2015 (no-validate) when validation is disabled
ssl OpenSSL 1.0.2d 9 Jul 2015 (validate) when validation is enabled
ssl OpenSSL unknown (validate) when the ssl version cannot be determined (< Python 2.7)
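The following is an added example that is not part of this release or of shotgun_api3's code. It models the fall-back policy described above (validated handshake first, then a single retry with validation off unless SHOTGUN_FORCE_CERTIFICATE_VALIDATION is present, with the state sticking for the life of the connection) together with the user-agent fragment. The names TLSClient, make_ssl_context, ssl_user_agent_fragment and the *_handshake stand-ins are invented for the illustration; the environment variable name, warning text and user-agent format are the documented ones. No network traffic is made: the handshake is simulated so the decision logic can be exercised offline.

```python
"""Simulated SHA-2 certificate fall-back policy (illustrative, not library code)."""
import logging
import os
import ssl

logger = logging.getLogger("shotgun_api3")

FORCE_ENV = "SHOTGUN_FORCE_CERTIFICATE_VALIDATION"
WARNING = ("SSLHandshakeError: this Python installation is incompatible with "
           "certificates signed with SHA-2. Disabling certificate validation. "
           "For more information, see "
           "http://blog.shotgunsoftware.com/2016/01/important-ssl-certificate-renewal-and.html")


class SSLHandshakeError(Exception):
    """Raised by the (simulated) handshake when the TLS connection cannot be established."""


def force_validation(environ=None):
    """The opt-out is disabled when the variable is present; its value is irrelevant."""
    environ = os.environ if environ is None else environ
    return FORCE_ENV in environ


def make_ssl_context(validate):
    """What 'validation on' and 'validation off' mean at the ssl module level.

    With validate=False the channel is still encrypted, but neither the peer's
    certificate chain nor its hostname is checked, so anyone in the path holding
    any certificate can terminate the connection.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    if not validate:
        ctx.check_hostname = False       # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def ssl_user_agent_fragment(validate, openssl_version=None):
    """Build the 'ssl <OpenSSL version> (validate|no-validate)' fragment."""
    if openssl_version is None:
        # ssl.OPENSSL_VERSION is missing on very old builds; report "OpenSSL unknown" there.
        openssl_version = getattr(ssl, "OPENSSL_VERSION", "OpenSSL unknown")
    mode = "validate" if validate else "no-validate"
    return "ssl %s (%s)" % (openssl_version, mode)


class TLSClient:
    """One connection. handshake(validate) returns a response or raises SSLHandshakeError."""

    def __init__(self, handshake, environ=None):
        self._handshake = handshake
        self._environ = environ
        self.validate = True  # once turned off, stays off for the life of the connection

    def request(self):
        try:
            return self._handshake(self.validate)
        except SSLHandshakeError:
            if not self.validate or force_validation(self._environ):
                raise  # already fell back, or the operator forbade falling back
            logger.warning(WARNING)
            self.validate = False
            return self._handshake(False)  # a second failure propagates to the caller

    def user_agent(self):
        return ssl_user_agent_fragment(self.validate)


# Constructed stand-ins for three kinds of Python installation (not real handshakes).
def modern_handshake(validate):
    """A build that verifies SHA-2 signed chains without trouble."""
    return "200 OK"


def legacy_handshake(validate):
    """A build whose ssl module rejects SHA-2 signed chains but accepts an unverified one."""
    if validate:
        raise SSLHandshakeError("certificate verify failed")
    return "200 OK"


def broken_handshake(validate):
    """Turning verification off does not help here; the error must surface."""
    raise SSLHandshakeError("connection reset by peer")


if __name__ == "__main__":
    client = TLSClient(legacy_handshake, environ={})
    print(client.request(), client.user_agent())
```

With the environment variable present the legacy path raises on the first attempt and `validate` stays True, which is the behaviour to expect when you set SHOTGUN_FORCE_CERTIFICATE_VALIDATION in production; without it the same client logs the warning once and every later request on that connection runs unverified.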