
Tricks to work with self-signed certificate over TLS on python sdk 5.6

Hi guys,


I am developing some automation using Python and it worked very well with the HTTP protocol, but I needed to use HTTPS instead. My scenario is:


    All my filers use TLS
    No SSL allowed due to SSL security issues
    All my filers have self-signed certificates

I tried a lot of things until I finally decided to make a change to the NetApp SDK library. In the file NaServer.py at line 431, instead of:


connection = httplib.HTTPSConnection(server, port=self.port, timeout=self.timeout)



I changed it to:

connection = httplib.HTTPSConnection(server, port=self.port, timeout=self.timeout, context=ssl.SSLContext(ssl.PROTOCOL_TLSv1))



Now it works like a charm and I can run my program with HTTPS.

Very important: this solution was tested using Python 3.5.

Re: Tricks to work with self-signed certificate over TLS on python sdk 5.6

This works for python 2.7 as well.

In my scenario I have NetApps using TLS or SSLv3, so I created a separate NaServer.py which specifies SSLv3 instead:

connection = httplib.HTTPSConnection(server, port=self.port, timeout=self.timeout, context=ssl.SSLContext(ssl.PROTOCOL_SSLv3))

Then in my Python script I import both like so:

from NaServer import *
import NaServer_SSL3

Then I just have a simple boolean variable that I set to use the other library:

    def na_setup(netapp, sslv3=False):
        # Pick the SSLv3 copy of the SDK module only for the filers that need it
        if sslv3:
            ss = NaServer_SSL3.NaServer(netapp, 1, 1)
        else:
            ss = NaServer(netapp, 1, 1)
        return ss

I tried monkey patching ssl._create_default_https_context a few times, but as my script makes a ton of other API calls, this was a bit outside my Python comfort zone.

Also worth mentioning that I battled weak ciphers with older 7-Mode systems for a few days and finally found a combination that worked for all my NetApps:

import ssl

try:
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    pass
else:
    ssl._create_default_https_context = _create_unverified_https_context

ssl._DEFAULT_CIPHERS += ':RC4-SHA'

Thanks!

You got me on the right path.

Matt S.

Re: Tricks to work with self-signed certificate over TLS on python sdk 5.6

Hi All,


I am using Python 2.7.13 to connect to my 7-Mode filer using the HTTPSConnection module like this:

connection = httplib.HTTPSConnection(server, port=443, timeout=300, context=ssl.SSLContext(ssl.PROTOCOL_TLSv1))


But I am getting an error:

(<class 'ssl.SSLError'>, SSLError(1, u'[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:676)'), <traceback object at 0x7ff7bb69d128>)


Can anyone help me with what's wrong with it?

I can connect with the same code to Cluster-Mode filers but not 7-Mode.

I have already enabled the TLS and SSLv3 options on this filer.


Re: Tricks to work with self-signed certificate over TLS on python sdk 5.6

I would first try to generate a new certificate on one of the failing systems and make sure its key length is the max (2048 I think). The Python standard libraries disabled handshakes with key lengths shorter than 1024 (I believe there's a bug where it actually only works with 2048 key lengths) a few years ago; the version I think was somewhere around 2.6.9 or so.


You may also need to add to the default cipher list as I mentioned in my post above. I believe the order matters.


During my troubleshooting I had also installed the following packages, though I can't confirm if they contributed to my success:


pip install requests[security] urllib3


As a fallback, I have a Python 2.6.6 install that I use to verify it's not something more than the cert. Hope that helps.

Re: Tricks to work with self-signed certificate over TLS on python sdk 5.6

Have you tried this?


import ssl
ssl._create_default_https_context = ssl._create_unverified_context

Re: Tricks to work with self-signed certificate over TLS on python sdk 5.6

Thanks. While adding that entry around line 433 in NaServer.py did the trick for me, it seems like it's skipping the certificate validation altogether. I have a signed certificate and cannot get it to work on my 7-Mode system.

The reason why I think it's skipping cert validation is that I have a wildcard-based certificate and the connection goes through successfully regardless of whether I use the FQDN or the CNAME.

On a cDOT system though, it works like a charm (without having to make any edits to NaServer.py). When I connect using the FQDN instead of the CNAME to a cDOT system, it throws an error saying invalid matching name for the certificate (this error goes away when line 433 is added, which again proves that cert validation is disabled when that line is added).

Any suggestions are much appreciated,

Thanks,

-Prasad
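The workarounds in this thread (a bare `ssl.SSLContext(ssl.PROTOCOL_TLSv1)`, `ssl._create_unverified_context`, and the `:RC4-SHA` cipher addition) all get past the handshake by switching certificate and host-name checking off, which is exactly what the last reply observes: any certificate on any name is accepted. The following is an added example, not code from the thread or from the NetApp SDK, showing the alternative for a self-signed filer: keep verification on and load the filer's own certificate as the only trust anchor. It uses Python 3's `http.client` in place of `httplib`, and `FILER_CERT_PEM` is a placeholder path for a certificate you export from the filer yourself; `audit_context` and `is_acceptable` are helpers invented here to make the difference between the two contexts visible.

```python
import ssl
import http.client

# Placeholder (assumption): the filer's own self-signed certificate, exported
# once in PEM form and kept next to the script.
FILER_CERT_PEM = "/path/to/filer-selfsigned.pem"


def pinned_filer_context(cafile=None, cadata=None):
    """Client context that keeps verification on and trusts the filer's
    self-signed certificate as its only trust anchor.

    With no cafile/cadata the system trust store is loaded instead, which is
    the right choice for a CA-signed certificate.
    """
    # PROTOCOL_TLS_CLIENT starts with verify_mode=CERT_REQUIRED and check_hostname=True
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3, TLS 1.0 and TLS 1.1
    if cafile is None and cadata is None:
        ctx.load_default_certs()
    else:
        # Only this certificate is trusted: a different certificate on the same
        # address, or a host name the certificate does not cover, still fails.
        ctx.load_verify_locations(cafile=cafile, cadata=cadata)
    return ctx


def unverified_context():
    """What the thread's ssl._create_unverified_context() amounts to: no
    certificate check and no host-name check, so any certificate (wildcard
    or not, matching the name or not) is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Report what a context will actually enforce on the wire."""
    cipher_names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "verifies_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "minimum_version": ctx.minimum_version.name,
        "allows_rc4": any("RC4" in name for name in cipher_names),
    }


def is_acceptable(ctx):
    """True only if the certificate and host name are verified, no RC4 suite
    (the thread's ':RC4-SHA' addition) is enabled, and the floor is TLS 1.2."""
    report = audit_context(ctx)
    return (report["verifies_cert"]
            and report["checks_hostname"]
            and not report["allows_rc4"]
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def open_filer_connection(host, cafile=FILER_CERT_PEM, port=443, timeout=300):
    """The same HTTPSConnection call as in the thread, with the pinned context
    instead of an unverified one."""
    ctx = pinned_filer_context(cafile=cafile)
    return http.client.HTTPSConnection(host, port=port, timeout=timeout, context=ctx)


if __name__ == "__main__":
    for label, ctx in (("pinned", pinned_filer_context()),
                       ("unverified", unverified_context())):
        print(label, audit_context(ctx), "acceptable:", is_acceptable(ctx))
```

With the certificate pinned this way, the wildcard case from the last reply behaves as it should: connecting by a name the certificate covers succeeds, and connecting by a name it does not cover fails with a host-name mismatch instead of silently going through. Exporting the filer's certificate once and distributing it with the script is the usual way to make a self-signed device certificate verifiable without touching NaServer.py.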