Accepted Solution

Tricks to work with self-signed certificate over TLS on python sdk 5.6


Hi guys,

I am developing some automation using Python and it worked very well with HTTP protocol, but I needed to use HTTPS instead. My scenario is:

    All my filers use TLS
    No SSL allowed due to SSL security issues
    All my filers have self signed certificate

I tried a lot of things until I finally decided to make some changes to the NetApp SDK library. On file at line 431 instead of:

connection = httplib.HTTPSConnection(server, port=self.port, timeout=self.timeout)

I changed to

connection = httplib.HTTPSConnection(server, port=self.port, timeout=self.timeout, context=ssl.SSLContext(ssl.PROTOCOL_TLSv1))

Now it works like a charm and I can run my program with HTTPS.


Very important: this solution was tested using Python 3.5.
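
An added example, not part of the original post or the NetApp SDK: a context built directly with ssl.SSLContext(...) performs no certificate verification, so one way to keep an identity check against a self-signed filer certificate is to pin its SHA-256 fingerprint right after the handshake. The function names and SAMPLE_DER are assumptions made for this example, and it uses http.client, the Python 3 name of httplib.

```python
import hashlib
import hmac
import http.client  # Python 3 name of the thread's httplib
import ssl

# Constructed stand-in for a DER certificate, used only to exercise the pin check.
SAMPLE_DER = b"constructed-sample-certificate-bytes"


def fingerprint(der_cert):
    """SHA-256 of the DER certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pinned_fp):
    """Compare a peer certificate with a pin such as 'AB:CD:...' or 'abcd...'."""
    if not der_cert:  # server presented no certificate
        return False
    wanted = pinned_fp.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(fingerprint(der_cert), wanted)


def pinned_context():
    """TLS client context with chain validation off; the pin check replaces it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def connect_pinned(server, pinned_fp, port=443, timeout=60):
    """Open an HTTPS connection and refuse it unless the certificate matches the pin."""
    conn = http.client.HTTPSConnection(
        server, port=port, timeout=timeout, context=pinned_context())
    conn.connect()  # handshake happens here, before any request is sent
    der = conn.sock.getpeercert(binary_form=True)
    if not pin_matches(der, pinned_fp):
        conn.close()
        raise ssl.SSLError("certificate fingerprint mismatch for %s" % server)
    return conn
```

The pin is the SHA-256 fingerprint of the filer's certificate, recorded once over a trusted channel.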

Re: Tricks to work with self-signed certificate over TLS on python sdk 5.6

This works for python 2.7 as well.

In my scenario I have NetApps using TLS or SSLv3, so I created a separate which specified SSLv3 instead:



connection = httplib.HTTPSConnection(server, port=self.port, timeout=self.timeout, context=ssl.SSLContext(ssl.PROTOCOL_SSLv3))

Then in my Python script I import both as such:




from NaServer import *
import NaServer_SSL3

Then just have a simple boolean variable that I set to use the other library:




    def na_setup(netapp, sslv3=False):
        # Pick the SSLv3 copy of the library when requested, the stock one otherwise
        if sslv3:
            ss = NaServer_SSL3.NaServer(netapp, 1, 1)
        else:
            ss = NaServer(netapp, 1, 1)
        return ss



I tried monkey patching ssl._create_default_https_context a few times, but as my script makes a ton of other API calls, this was a bit outside my Python comfort zone.


Also worth mentioning that I battled weak ciphers with older 7-mode systems for a few days and finally found a combination that worked for all my NetApps:



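import ssl

# Turn off certificate verification for default HTTPS contexts where the interpreter supports it
try:
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    pass
else:
    ssl._create_default_https_context = _create_unverified_https_context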





You got me on the right path.


Matt S.


Re: Tricks to work with self-signed certificate over TLS on python sdk 5.6

Hi All,


I am using Python 2.7.13 for connecting to my 7-mode Filer using the HTTPSConnection module like this:



connection = httplib.HTTPSConnection(server, port=443, timeout=300, context=ssl.SSLContext(ssl.PROTOCOL_TLSv1))



But I am getting an error:



(<class 'ssl.SSLError'>, SSLError(1, u'[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:676)'), <traceback object at 0x7ff7bb69d128>)


Can anyone help me with what's wrong with it?

I can connect with the same code to Cluster-mode Filers but not 7-mode.


I have already enabled tls, ssl3 options on this Filer.


Re: Tricks to work with self-signed certificate over TLS on python sdk 5.6

I would first try to generate a new certificate on one of the failing systems and make sure its key length is the max (2048 I think). The Python standard libraries disabled handshakes with key lengths shorter than 1024 (I believe that there's a bug where it actually only works with 2048 key lengths) a few years ago; version I think was somewhere around 2.6.9 or so.


You may also need to add to the default cipher list as I mentioned in my post above. I believe the order matters.


During my troubleshooting I had also installed the following packages, though I can't confirm if they contributed to my success:



pip install requests[security] urllib3



As a fallback, I have a Python 2.6.6 install that I use to verify it's not something more than the cert. Hope that helps.