Solved: Tricks to work with self-signed certificate over TLS on python sdk 5.6

FelipeMafra · ‎2016-11-08

Hi guys,

I am developing some automation using Python and it worked very well with HTTP protocol, but I needed to use HTTPS instead. My scenario is:

    All my filers use TLS
    No SSL allowed due to SSL security issues
    All my filers have self signed certificate

I tried a lot of thing until I finally I decided to make some change on NetApp SDK library. On file NaServer.py at line 431 instead of:

connection = httplib.HTTPSConnection(server, port=self.port, timeout=self.timeout)

I changed to

connection = httplib.HTTPSConnection(server, port=self.port, timeout=self.timeout, context=ssl.SSLContext(ssl.PROTOCOL_TLSv1))

Now it works like a charm and I can run my program with HTTPS.

Very important: this solution was tested using Python 3.5.

mjschneider · ‎2017-03-09

This works for python 2.7 as well.

In my scenario i have netapps using TLS or SSLv3, so i created a seperate NaServer.py which specified SSLv3 instead:

connection = httplib.HTTPSConnection(server, port=self.port, timeout=self.timeout, context=ssl.SSLContext(ssl.PROTOCOL_SSLv3))

Then in my phython script i import both as such:

from NaServer import *
import NaServer_SSL3

Then just have a simple boolean variable that i set to use the other library:

    def na_setup(netapp, sslv3=False):
        if sslv3:
            ss = NaServer_SSL3.NaServer(netapp, 1, 1)
        else:
            ss = NaServer(netapp, 1, 1)
    return ss

I tried monkey patching ssl._create_default_https_context a few times, but as my script makes a tong of other api calls, this was a bit outside my python comfort zone.

Also worth mentioning that i battled weak ciphers with older 7mode systems for a few days and finally found a combination that worked for all my netapps:

import ssl

try:
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    pass
else:
    ssl._create_default_https_context = _create_unverified_https_context

ssl._DEFAULT_CIPHERS += ':RC4-SHA'

Thanks!

You got me on the right path.

Matt S.

View solution in original post

mjschneider · ‎2017-03-09

This works for python 2.7 as well.

In my scenario i have netapps using TLS or SSLv3, so i created a seperate NaServer.py which specified SSLv3 instead:

connection = httplib.HTTPSConnection(server, port=self.port, timeout=self.timeout, context=ssl.SSLContext(ssl.PROTOCOL_SSLv3))

Then in my phython script i import both as such:

from NaServer import *
import NaServer_SSL3

Then just have a simple boolean variable that i set to use the other library:

    def na_setup(netapp, sslv3=False):
        if sslv3:
            ss = NaServer_SSL3.NaServer(netapp, 1, 1)
        else:
            ss = NaServer(netapp, 1, 1)
    return ss

I tried monkey patching ssl._create_default_https_context a few times, but as my script makes a tong of other api calls, this was a bit outside my python comfort zone.

Also worth mentioning that i battled weak ciphers with older 7mode systems for a few days and finally found a combination that worked for all my netapps:

import ssl

try:
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    pass
else:
    ssl._create_default_https_context = _create_unverified_https_context

ssl._DEFAULT_CIPHERS += ':RC4-SHA'

Thanks!

You got me on the right path.

Matt S.

Shivang · ‎2017-03-21

Hi All,

I am using python 2.7.13 for connecting my 7-mode Filer using HTTPSConnection module like thisBut

connection = httplib.HTTPSConnection(server, port=443, timeout=300, context=ssl.SSLContext(ssl.PROTOCOL_TLSv1))

But I am getting an error:

(<class 'ssl.SSLError'>, SSLError(1, u'[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:676)'), <traceback object at 0x7ff7bb69d128>)

Can anyone help me what's wrong with it?

I can connect with the same code to Cluster-mode Filers but not 7-mode.

I have already enabled tls, ssl3 options on this Filer.

mjschneider · ‎2017-03-22

I would first try to generate a new certificate on one of the failing systems and make sure it's key length is the max (2048 i think). The python standard libraries disabled handshake's with key lengths shorter than 1024 (i believe that theres a bug where it actually only works with 2048 key lengths) a few years ago; version i think was somewhere around 2.6.9 or so.

You may also need to add to the default cipher list as i mentioned in my post above. I believe the order maters.

During my troubleshooting i has also installed the following packages, though i cant confirm if they contributed to my success:

pip install requests[security] urllib3

As a fall back, i have a python 2.6.6 install that i use to verify its not something more than the cert. Hope that helps.

robinpeter · ‎2017-04-09

Have you tried this..?

import ssl
ssl._create_default_https_context = ssl._create_unverified_context

prasadm · ‎2018-02-28

Thanks. While adding that entry around line 433 in NaServer.py did the tricky for me.

It seems like its skipping the certificate validation altogether. I have a signed certificate and cannot get it work on my 7mode system.

The reason why I think its skipping cert validation is because I have wildcard based certificate and the connection goes through successfully irrespective of using fqdn or cname.

On a cdot system though, it works like a charm ( without having to make any edits to NaServer.py). When I connect using fqdn instead of cname to a cdot system, it throws a error saying invalid matching name for the certificate ( This error goes away when line 433 is added which again proves the fact that cert validation is disabled when that line is added).

Any suggestions is much appreciated,

Thanks,

-Prasad

Tricks to work with self-signed certificate over TLS on python sdk 5.6

Portfolio Updates | NetApp ONAIR