Setting capath and cafile to None still verifies the SSL certificate in CentOS 7.6
MoshiBin opened this issue · 0 comments
MoshiBin commented
```python
>>> import redfish
>>> redfish.redfish_client("https://myhost", "username", "password", capath=None, cafile=None)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/redfish/rest/v1.py", line 1061, in redfish_client
    max_retry=max_retry)
  File "/usr/lib/python2.7/site-packages/redfish/rest/v1.py", line 986, in __init__
    max_retry=max_retry)
  File "/usr/lib/python2.7/site-packages/redfish/rest/v1.py", line 454, in __init__
    self.get_root_object()
  File "/usr/lib/python2.7/site-packages/redfish/rest/v1.py", line 585, in get_root_object
    raise excp
redfish.rest.v1.RetriesExhaustedError
```
The requests library sheds some more light on the matter:
```python
>>> import requests
>>> requests.get("https://myhost")
requests.exceptions.SSLError: hostname 'myhost' doesn't match u'Different Certificate Name'
```
So we're failing due to a mismatch between the certificate CN and the server name.
Digging deeper, I looked at `RestClientBase.__init_connection` and saw this snippet:
```python
if url.scheme.upper() == "HTTPS":
    if sys.version_info < (2, 7, 9):
        self._conn = http_client.HTTPSConnection(url.netloc,
                                                 timeout=self._timeout)
    else:
        if self.cafile or self.capath is not None:
            ssl_context = ssl.create_default_context(
                capath=self.capath, cafile=self.cafile)
        else:
            ssl_context = ssl._create_unverified_context()
        self._conn = http_client.HTTPSConnection(url.netloc,
                                                 context=ssl_context,
                                                 timeout=self._timeout)
```
This makes sense, since the docs clearly state that the `context` argument was added in Python 2.7.9:

> Changed in version 2.7.9: context was added.
However, CentOS 7.6 has Python 2.7.5 with backports from later versions:
```
$ rpm -q python
python-2.7.5-76.el7.x86_64
```

```python
>>> import sys
>>> sys.version_info
sys.version_info(major=2, minor=7, micro=5, releaselevel='final', serial=0)
>>> import httplib, inspect
>>> "context" in inspect.getargspec(httplib.HTTPSConnection.__init__).args
True
```
This means that the code in redfish thinks that the installed python doesn't have certificate hostname checking and doesn't pass `context=ssl._create_unverified_context()`, while the argument is actually supported, so it behaves like python >= 2.7.9.
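The robust fix is to detect whether `HTTPSConnection.__init__` accepts `context` instead of comparing `sys.version_info`, which misses distribution backports like CentOS 7's python-2.7.5. The following is an added illustration, not code from the redfish library: `accepts_context`, `choose_context`, `connect` and the stub `LegacyHTTPSConnection` (modelling the pre-2.7.9 signature) are hypothetical names, and the context builder treats both CA arguments as absent only when each is `None`.

```python
import inspect
import ssl

try:  # Python 3 module name, with the Python 2 name as fallback
    import http.client as http_client
except ImportError:  # pragma: no cover
    import httplib as http_client


class LegacyHTTPSConnection(object):
    """Stub (constructed) with the pre-2.7.9 signature: no ``context`` kwarg."""
    def __init__(self, host, port=None, timeout=None):
        self.host = host


def accepts_context(cls=http_client.HTTPSConnection):
    """Feature-detect the ``context`` keyword on cls.__init__.

    A version comparison would report False on a patched 2.7.5; asking the
    signature reports what the interpreter actually supports.
    """
    init = cls.__init__
    try:
        params = inspect.signature(init).parameters
    except AttributeError:  # Python 2 lacks inspect.signature
        params = inspect.getargspec(init).args
    return "context" in params


def choose_context(cafile=None, capath=None, verify_default=True):
    """Build the SSLContext to hand to HTTPSConnection.

    Explicit CA material always yields a verifying context. With no CA
    material the caller decides; verification stays on unless it opts out.
    """
    if cafile is not None or capath is not None:
        return ssl.create_default_context(cafile=cafile, capath=capath)
    if verify_default:
        return ssl.create_default_context()
    return ssl._create_unverified_context()


def connect(netloc, cafile=None, capath=None, verify_default=True, timeout=30):
    """Create (but do not open) an HTTPSConnection, passing context only when supported."""
    kwargs = {"timeout": timeout}
    if accepts_context():
        kwargs["context"] = choose_context(cafile, capath, verify_default)
    return http_client.HTTPSConnection(netloc, **kwargs)
```

On a build without the backport, `connect` silently falls back to the interpreter's default behaviour, so check `accepts_context()` and log it when verification is security-relevant.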