Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSL handshake fails on OS X 10.11.2 (certificate verify failed) #54

Closed
photovirus opened this issue Dec 14, 2015 · 15 comments
Closed

SSL handshake fails on OS X 10.11.2 (certificate verify failed) #54

photovirus opened this issue Dec 14, 2015 · 15 comments
Labels
enhancement

Comments

@photovirus
Copy link

I'm using Mediawiker with a corporate wiki on the latest El Capitan release.

Whenever I try to open a page, I get an error:

ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:550)

Now that I've done my homework, I've found that similar bug plagues Package Control, and the solution is to add custom certificate to Package Control.user-ca-bundle. That didn't help though.

Is there some other way to add custom certificate to Mediawiker?
@photovirus
Copy link
Author

Update here: Mediawiker uses Package Control's SSL implementation, so it would seem that problem lies there (most likely, PC can't get certs from the Keychain). @tosher, can you confirm my suspicions?

Also, I get this problem both on OS X 10.10.5 and 10.11.2.

@tosher
Copy link
Owner

tosher commented Dec 19, 2015

Yes, the plugin depends on ssl from package control.
Do you have the same problems as in

or only with Mediawiker?

@photovirus
Copy link
Author

Mediawiker only, and only with our corporate wiki.
I tried https with Wikipedia, everything is fine. Package Control itself works fine too.

It seems that Package Control doesn't trust our custom certificate despite I have added it to the Mac's Keychain and to ca-bundle.

@tosher
Copy link
Owner

tosher commented Dec 19, 2015

I'm forgot about one thing, the plugin depends on PC's _ssl library loader only, and for Linux platform.
I think it's bug in my code (or bug or unsupported in mwclient library) and I'll research it.

If you know some public sites (based on mediawiki engine) with the same problem, tell me please :) It will be useful for testing.

@tosher tosher added the bug label Dec 19, 2015
@photovirus
Copy link
Author

I don't know such wikis but I can test a beta on our wiki. :] Just tell me the branch hash.

@tosher
Copy link
Owner

tosher commented Dec 21, 2015

For self signed certificate we can disable verification of cert:
mwclient/client.py

after the string

self.connection = requests.Session()

add line

self.connection.verify = False

If this changes will help, i'll can to add this option to the plugin.

@tosher tosher added enhancement and removed bug labels Dec 21, 2015
@photovirus
Copy link
Author

Sure, I'll test it next morning (around 11:00 UTC+4).

@photovirus
Copy link
Author

Tested, everything works (had to restart Sublime).

As far as I can tell, the new line disables cert verification altogether. I would suggest to do this only for self-signed certs (e. g. those that are stored in Package Control.user-ca-bundle or in the Keychain, something like that).

Thanks, anyway!

@tosher
Copy link
Owner

tosher commented Dec 22, 2015

I'll make it as param in server settings with default value as True (verification is On).

@photovirus
Copy link
Author

That will be nice. Thank you.

@tosher
Copy link
Owner

tosher commented Dec 22, 2015

Please, try the new version: 3.0.2
is_ssl_cert_verify - option for site configuration

"My wiki":
{
    "host": "en.wikisite.com",
    "https": true,
    "is_ssl_cert_verify": false,
    ...
}

@photovirus
Copy link
Author

Oops, something went wrong.

Traceback (most recent call last):
  File "/Users/yakovshapovalov/Library/Application Support/Sublime Text 3/Packages/Mediawiker/mwutils.py", line 256, in get_site
    sitecon = mwclient.Site(host=self.host, path=self.path, do_ssl_cert_verify=self.is_ssl_cert_verify)
TypeError: __init__() got an unexpected keyword argument 'do_ssl_cert_verify'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Applications/Sublime Text.app/Contents/MacOS/sublime_plugin.py", line 550, in run_
    return self.run(edit, **args)
  File "/Users/yakovshapovalov/Library/Application Support/Sublime Text 3/Packages/Mediawiker/mediawiker.py", line 183, in run
    sitecon = mw.get_connect(password)
  File "/Users/yakovshapovalov/Library/Application Support/Sublime Text 3/Packages/Mediawiker/mwutils.py", line 130, in get_connect
    return mwcon.get_site(password)
  File "/Users/yakovshapovalov/Library/Application Support/Sublime Text 3/Packages/Mediawiker/mwutils.py", line 267, in get_site
    raise Exception('HTTP connection failed: %s' % e)
Exception: HTTP connection failed: __init__() got an unexpected keyword argument 'do_ssl_cert_verify'

@tosher
Copy link
Owner

tosher commented Dec 23, 2015

Restart required

https://github.com/tosher/Mediawiker/blob/master/mwclient/client.py

def __init__(self, host, path='/w/', ext='.php', pool=None, retry_timeout=30,
                 max_retries=25, wait_callback=lambda *x: None, clients_useragent=None,
                 max_lag=3, compress=True, force_login=True, do_init=True, httpauth=None, do_ssl_cert_verify=True):

Parameter exists.

@photovirus
Copy link
Author

Oops, my bad. :)
All right, now it works fine.

Thanks for your fix! 👍

@tosher
Copy link
Owner

tosher commented Dec 23, 2015

Ок! Thanx for help with testing :)

@rabin-io rabin-io mentioned this issue May 11, 2016
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tosher @photovirus