Software Development Kit (SDK) and API Discussions

Tricks to work with self-signed certificate over TLS on python sdk 5.6

FelipeMafra
12,668 Views

Hi guys,


I am developing some automation using Python and it worked very well with HTTP protocol, but I needed to use HTTPS instead. My scenario is:


    All my filers use TLS
    No SSL allowed due to SSL security issues
    All my filers have self signed certificate

I tried a lot of thing until I finally I decided to make some change on NetApp SDK library. On file NaServer.py at line 431 instead of:


connection = httplib.HTTPSConnection(server, port=self.port, timeout=self.timeout)



I changed to

connection = httplib.HTTPSConnection(server, port=self.port, timeout=self.timeout, context=ssl.SSLContext(ssl.PROTOCOL_TLSv1))



Now it works like a charm and I can run my program with HTTPS.

 

Very important: this solution was tested using Python 3.5.

1 ACCEPTED SOLUTION

mjschneider
12,336 Views

This works for python 2.7 as well.

In my scenario i have netapps using TLS or SSLv3, so i created a seperate NaServer.py which specified SSLv3 instead:

 

 

connection = httplib.HTTPSConnection(server, port=self.port, timeout=self.timeout, context=ssl.SSLContext(ssl.PROTOCOL_SSLv3))

Then in my phython script i import both as such:

 

 

 

from NaServer import *
import NaServer_SSL3

Then just have a simple boolean variable that i set to use the other library:

 

 

 

    def na_setup(netapp, sslv3=False):
        if sslv3:
            ss = NaServer_SSL3.NaServer(netapp, 1, 1)
        else:
            ss = NaServer(netapp, 1, 1)
    return ss

 

 

I tried monkey patching ssl._create_default_https_context a few times, but as my script makes a tong of other api calls, this was a bit outside my python comfort zone.

 

Also worth mentioning that i battled weak ciphers with older 7mode systems for a few days and finally found a combination that worked for all my netapps:

 

 

import ssl

try:
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    pass
else:
    ssl._create_default_https_context = _create_unverified_https_context

ssl._DEFAULT_CIPHERS += ':RC4-SHA'

 

 

Thanks!

You got me on the right path.

 

Matt S.

 

View solution in original post

5 REPLIES 5

mjschneider
12,337 Views

This works for python 2.7 as well.

In my scenario i have netapps using TLS or SSLv3, so i created a seperate NaServer.py which specified SSLv3 instead:

 

 

connection = httplib.HTTPSConnection(server, port=self.port, timeout=self.timeout, context=ssl.SSLContext(ssl.PROTOCOL_SSLv3))

Then in my phython script i import both as such:

 

 

 

from NaServer import *
import NaServer_SSL3

Then just have a simple boolean variable that i set to use the other library:

 

 

 

    def na_setup(netapp, sslv3=False):
        if sslv3:
            ss = NaServer_SSL3.NaServer(netapp, 1, 1)
        else:
            ss = NaServer(netapp, 1, 1)
    return ss

 

 

I tried monkey patching ssl._create_default_https_context a few times, but as my script makes a tong of other api calls, this was a bit outside my python comfort zone.

 

Also worth mentioning that i battled weak ciphers with older 7mode systems for a few days and finally found a combination that worked for all my netapps:

 

 

import ssl

try:
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    pass
else:
    ssl._create_default_https_context = _create_unverified_https_context

ssl._DEFAULT_CIPHERS += ':RC4-SHA'

 

 

Thanks!

You got me on the right path.

 

Matt S.

 

Shivang
12,224 Views

Hi All,

 

I am using python 2.7.13 for connecting my 7-mode Filer using HTTPSConnection module like thisBut 

 

 

connection = httplib.HTTPSConnection(server, port=443, timeout=300, context=ssl.SSLContext(ssl.PROTOCOL_TLSv1))

 

 

But I am getting an error:

 

 

(<class 'ssl.SSLError'>, SSLError(1, u'[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:676)'), <traceback object at 0x7ff7bb69d128>)

 

Can anyone help me what's wrong with it?

I can connect with the same code to Cluster-mode Filers but not 7-mode.

 

I have already enabled tls, ssl3 options on this Filer.

 

mjschneider
12,204 Views

I would first try to generate a new certificate on one of the failing systems and make sure it's key length is the max (2048 i think).  The python standard libraries disabled handshake's with key lengths shorter than 1024 (i believe that theres a bug where it actually only works with 2048 key lengths) a few years ago; version i think was somewhere around 2.6.9 or so.

 

You may also need to add to the default cipher list as i mentioned in my post above.  I believe the order maters.

 

During my troubleshooting i has also installed the following packages, though i cant confirm if they contributed to my success:

 

 

pip install requests[security] urllib3

 

 

As a fall back, i have a python 2.6.6 install that i use to verify its not something more than the cert.  Hope that helps.

robinpeter
12,114 Views

Have you tried this..?

 

import ssl
ssl._create_default_https_context = ssl._create_unverified_context

prasadm
10,354 Views

Thanks. While adding that entry around line 433 in NaServer.py did the tricky for me.

It seems like its skipping the certificate validation altogether. I have a signed certificate and cannot get it work on my 7mode system.

 

The reason why I think its skipping cert validation is because I have wildcard based certificate and the connection goes through successfully irrespective of using fqdn or cname.

On a cdot system though, it works like a charm ( without having to make any edits to NaServer.py). When I connect using fqdn instead of cname to a cdot system, it throws a error saying invalid matching name for the certificate ( This error goes away when line 433 is added which again proves the fact that cert validation is disabled when that line is added).

 

Any suggestions is much appreciated,

Thanks,

-Prasad

Public