Parameter 'permissive_ssl' not working on LeapHybridCQMSampler
rafamartinc opened this issue · 4 comments
Description
Trying to sample a CQM through the LeapHybridCQMSampler returns an SSLCertVerificationError, even after setting the parameter 'permissive_ssl' to True when instantiating the LeapHybridCQMSampler. Full traceback attached: traceback.txt
To Reproduce
import os
import dwave.system
from dimod import Integer, ConstrainedQuadraticModel
with open(os.path.join('..', 'dwave_token.txt'), 'r') as file:
    os.environ['DWAVE_API_TOKEN'] = file.read()
x = [Integer(f'x_{i}') for i in range(4)]
cqm = ConstrainedQuadraticModel()
H_Objective = -5*x[0] - x[1] + x[2] - x[3]
cqm.set_objective(H_Objective)
cqm.add_constraint(20 - 10*x[0] - x[1] - x[2] - x[3] >=0)
sampler = dwave.system.LeapHybridCQMSampler(permissive_ssl=True)
sampleset = sampler.sample_cqm(cqm)
Error message:
SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)
Environments:
- Python 3.8.0 on Windows 10 Enterprise 21H2 19044.2364
- Python 3.8.10 on Ubuntu 20.04.5 LTS
@rafamartinc, just to confirm, you are behind a proxy that intercepts and inspects/rewrites your https requests?
Hi @randomir. Not that I know of... But shouldn't the validation be skipped entirely when using the permissive_ssl parameter?
@rafamartinc, you are right, we do have a known issue with permissive_ssl, see dwavesystems/dwave-cloud-client#507. But the fact you're seeing an SSLCertVerificationError means some proxy on your route to D-Wave is rewriting requests and spoofing D-Wave API responses/certificates (in order to inspect the SSL traffic in plain text).
For that reason the use of permissive_ssl is not recommended. (Maybe a "good" actor is rewriting your traffic in your enterprise, but you can't distinguish that from a "bad" actor stealing your API token and/or other private data.)
We'll prioritize fixing this issue (although, we would rather just remove the flag/feature), but in the meantime you can try one of the two known workarounds:
- Explicitly specify endpoint in calls to the sampler (either in the D-Wave config file, or as a keyword argument to LeapHybridCQMSampler()). The default endpoint is "https://cloud.dwavesys.com/sapi/", also available as dwave.cloud.Client.DEFAULT_API_ENDPOINT (requires import dwave.cloud). This still requires permissive_ssl=True for SAPI requests.
- Provide proxy CA cert, if your network admin can share it with you. See here. This would be a preferred solution since you are explicitly authorizing your local network proxy to modify the certificate (but not others). Also, this option does not require the use of permissive_ssl.
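A standard-library diagnostic for the situation discussed above, added here as an example (not code from this issue, dwave-system or dwave-cloud-client): it keeps certificate verification on, optionally trusts one extra CA file, and reports why a handshake failed. The function names, the `VERIFY_HINTS` table and the CA file path are assumptions of this example.

```python
import socket
import ssl
import sys

# Constructed table for this example: OpenSSL verify codes and what they suggest.
VERIFY_HINTS = {
    20: "issuer CA is not in the local trust store (typical of a TLS-inspecting proxy)",
    19: "chain contains a self-signed CA that is not trusted locally",
    18: "leaf certificate is self-signed",
    10: "certificate has expired",
    62: "certificate does not match the requested hostname",
}

def explain(verify_code, verify_message):
    """Turn an OpenSSL verification failure into a one-line finding."""
    hint = VERIFY_HINTS.get(verify_code, "no hint for this code")
    return f"verify_code={verify_code}: {verify_message} ({hint})"

def strict_context(extra_ca_file=None):
    """System trust store plus, optionally, one explicitly authorized CA (PEM file)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED with hostname checking
    if extra_ca_file:
        ctx.load_verify_locations(cafile=extra_ca_file)
    return ctx

def diagnose(host, port=443, extra_ca_file=None, timeout=10):
    """Return (ok, detail) for a verified handshake; verification is never disabled."""
    ctx = strict_context(extra_ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return True, f"verified, issuer: {issuer.get('organizationName')}"
    except ssl.SSLCertVerificationError as exc:
        return False, explain(exc.verify_code, exc.verify_message)
    except OSError as exc:
        return False, f"connection failed: {exc}"

if __name__ == "__main__":
    # Host taken from the default endpoint quoted in the thread; the optional
    # argument is a hypothetical path to the proxy CA certificate.
    ca_file = sys.argv[1] if len(sys.argv) > 1 else None
    print(diagnose("cloud.dwavesys.com", extra_ca_file=ca_file))
```

The error text in this issue, "unable to get local issuer certificate", corresponds to OpenSSL verify code 20 in the table.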
Hi @randomir,
Workaround no. 2 was very closely related to the issue here. It was a specific configuration in our network, so we finally managed to get it solved - for now at least. It would be great to have dwavesystems/dwave-cloud-client#507 solved though, to avoid further issues, so we'll keep an eye on that one as well.
Thank you so much!