DMTF/python-redfish-library

Setting capath and cafile to None still verifies the SSL certificate in CentOS 7.6

MoshiBin opened this issue · 0 comments

>>> import redfish
>>> redfish.redfish_client("https://myhost", "username", "password", capath=None, cafile=None)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/redfish/rest/v1.py", line 1061, in redfish_client
    max_retry=max_retry)
  File "/usr/lib/python2.7/site-packages/redfish/rest/v1.py", line 986, in __init__
    max_retry=max_retry)
  File "/usr/lib/python2.7/site-packages/redfish/rest/v1.py", line 454, in __init__
    self.get_root_object()
  File "/usr/lib/python2.7/site-packages/redfish/rest/v1.py", line 585, in get_root_object
    raise excp
redfish.rest.v1.RetriesExhaustedError

The requests library sheds some more light on the matter:

>>> import requests
>>> requests.get("https://myhost")
requests.exceptions.SSLError: hostname 'myhost' doesn't match u'Different Certificate Name'

So we're failing due to a mismatch between the certificate CN and the server name.

Digging deeper, I looked at RestClientBase.__init_connection and saw this snippet:

        if url.scheme.upper() == "HTTPS":
            if sys.version_info < (2, 7, 9):
                self._conn = http_client.HTTPSConnection(url.netloc,
                                                         timeout=self._timeout)
            else:
                if self.cafile or self.capath is not None:
                    ssl_context = ssl.create_default_context(
                        capath=self.capath, cafile=self.cafile)
                else:
                    ssl_context = ssl._create_unverified_context()
                self._conn = http_client.HTTPSConnection(url.netloc,
                                                         context=ssl_context,
                                                         timeout=self._timeout)

This makes sense, since the docs clearly state that the context argument has been added in Python 2.7.9:

Changed in version 2.7.9: context was added.

However, CentOS 7.6 has Python 2.7.5 with backports from later versions:

$ rpm -q python
python-2.7.5-76.el7.x86_64
>>> import sys
>>> sys.version_info
sys.version_info(major=2, minor=7, micro=5, releaselevel='final', serial=0)
>>> import httplib, inspect
>>> "context" in inspect.getargspec(httplib.HTTPSConnection.__init__).args
True

This means that the code in redfish thinks that the installed python doesn't have the certificate hostname checking and doesn't pass context=ssl._create_unverified_context(), while the argument is actually supported, so it behaves like python >= 2.7.9.
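Added example (not code from python-redfish-library): feature-detect the `context` keyword on `HTTPSConnection` instead of comparing `sys.version_info`, so a distribution Python with backported SSL support is handled the same as 2.7.9+; `wants_verification`, `build_ssl_context` and `connection_kwargs` are hypothetical helper names.

```python
import inspect
import ssl
try:
    from http import client as http_client  # Python 3
except ImportError:  # Python 2
    import httplib as http_client


def https_connection_supports_context():
    """Ask the interpreter whether HTTPSConnection accepts ``context``.

    A version check misses backports (the page's CentOS 7.6 case: Python 2.7.5
    whose HTTPSConnection.__init__ already takes ``context``).
    """
    init = http_client.HTTPSConnection.__init__
    try:
        params = inspect.signature(init).parameters  # Python 3.3+
    except AttributeError:
        params = inspect.getargspec(init).args  # Python 2 fallback
    return "context" in params


def wants_verification(cafile=None, capath=None):
    """Verify the server certificate only when the caller supplied trust anchors."""
    return cafile is not None or capath is not None


def build_ssl_context(cafile=None, capath=None):
    """Verifying context (hostname check on) when anchors are given, unverified otherwise."""
    if wants_verification(cafile, capath):
        return ssl.create_default_context(cafile=cafile, capath=capath)
    return ssl._create_unverified_context()


def context_verifies(ctx):
    """True when the context will reject an untrusted or mismatched certificate."""
    return ctx.verify_mode != ssl.CERT_NONE and ctx.check_hostname


def connection_kwargs(cafile=None, capath=None, timeout=30):
    """Keyword arguments for HTTPSConnection, chosen by capability rather than version."""
    kwargs = {"timeout": timeout}
    if https_connection_supports_context():
        kwargs["context"] = build_ssl_context(cafile, capath)
    return kwargs


def demo():
    """Constructed check: no anchors -> unverified; an (empty) capath -> verifying."""
    import tempfile
    empty_capath = tempfile.mkdtemp()  # constructed, empty trust directory
    return (context_verifies(build_ssl_context(None, None)),
            context_verifies(build_ssl_context(capath=empty_capath)))
```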