sharat87/roast.vim

Feature Request: add config option to ignore SSL certificate errors

rlue opened this issue · 3 comments

rlue commented

Just tested roast on a local web service I run called syncthing (API docs here). I have syncthing configured to use https, but since it's served off of localhost, clients (browser, curl, etc.) raise a certificate validation error when trying to access it.

There's always a way around this, though. In browsers, you can add a security exception. In curl, you can use the -k / --insecure flag. Any chance we could see a similar option (say, g:roast#ignore_ssl_errors?) to roast to do the same? (I'd try my hand at a PR, but I don't know Python yet.)

FWIW, this is the traceback resulting from calling roast#run on an endpoint with invalid SSL certs:

Error detected while processing function roast#run:
line    1:
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/dist-packages/requests/packages/urllib3/connectionpool.py", line 559, in urlopen
    body=body, headers=headers)
  File "/usr/local/lib/python3.7/dist-packages/requests/packages/urllib3/connectionpool.py", line 345, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.7/dist-packages/requests/packages/urllib3/connectionpool.py", line 784, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.7/dist-packages/requests/packages/urllib3/connection.py", line 252, in connect
    ssl_version=resolved_ssl_version)
  File "/usr/local/lib/python3.7/dist-packages/requests/packages/urllib3/util/ssl_.py", line 305, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.7/ssl.py", line 412, in wrap_socket
    session=session
  File "/usr/lib/python3.7/ssl.py", line 853, in _create
    self.do_handshake()
  File "/usr/lib/python3.7/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/dist-packages/requests/adapters.py", line 376, in send
    timeout=timeout
  File "/usr/local/lib/python3.7/dist-packages/requests/packages/urllib3/connectionpool.py", line 588, in urlopen
    raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/home/rlue/.vim/plugged/roast.vim/python3/roast.py", line 34, in run
    response = sessions[vim.current.buffer.number].send(request.prepare())
  File "/usr/local/lib/python3.7/dist-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.7/dist-packages/requests/adapters.py", line 447, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/home/rlue/.vim/plugged/roast.vim/python3/roast.py", line 37, in run
    vim.command(f"echoerr b:_roast_error")
vim.error: Vim(echoerr):SSLError(SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)')))

Thanks for your work on roast!

I just pushed a commit to enable toggling SSL verification, although I couldn't test it as extensively as I'd like. Please update your copy of the plugin and let me know how it goes.

Thanks!

rlue commented

Very cool! Two things:

  1. :RoastSSLIgnore and :RoastSSLVerify are only working in gvim. If I try to execute them in a terminal, I get E492: Not an editor command: RoastSSLIgnore.

  2. Disabling SSL verification works, but I'm still getting a warning/error before the HTTP response comes through:

    Error detected while processing function roast#fun:
    line    1:
    /usr/local/bin/python3.7/dist-packages/requests/packages/urllib3/connectionpool.py:791 InsecureRequestWarning: Unverified HTTP request is being made. Adding certificate vertification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html
      InsecureRequestWarning)
    Press ENTER or type command to continue
    

Thanks for your speedy follow-up!

I also seem to be unable to get the :RoastSSLIgnore and :RoastSSLVerify commands to function.

When I run them in vim and then try to make a request, roast.vim still throws an error about the certificates:

HTTPSConnectionPool(host='centos', port=443): Max retries exceeded with url: /juice4/vending3.php?mode=authtest (Caus
ed by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify
 failed')])")))
HTTPSConnectionPool(host='centos', port=443): Max retries exceeded with url: /juice4/vending3.php?mode=authtest (Caus
ed by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify
 failed')])")))
HTTPSConnectionPool(host='centos', port=443): Max retries exceeded with url: /juice4/vending3.php?mode=authtest (Caus
ed by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify
 failed')])")))
Press ENTER or type command to continue

Details on Vim version

VIM - Vi IMproved 8.1 (2018 May 18, compiled Sep 29 2019 22:27:49)
Included patches: 1-2102
Compiled by Arch Linux

Roast.vim: 1c72887

This service I'm testing with is running on my local machine behind a self-signed certificate.
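
Added example, not part of the issue thread and not roast.vim's code: one way an HTTP client can handle the self-signed-certificate cases reported above without switching verification off for every host, using only Python's standard `ssl` module. The function names, the loopback allowlist and the sample URLs are assumptions made for illustration.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit

# Hypothetical policy value for this example (not a roast.vim setting).
LOOPBACK_HOSTS = frozenset({"localhost", "127.0.0.1", "::1"})


def tls_context_for(url, ignore_errors=False, ca_file=None,
                    insecure_hosts=LOOPBACK_HOSTS):
    """Return the ssl.SSLContext to use for one request to `url`.

    ca_file        PEM file with the service's own self-signed certificate or
                   private CA; verification stays on and trusts only that file.
    ignore_errors  the user's "ignore SSL errors" toggle; honoured only when
                   the target host is listed in insecure_hosts.
    """
    host = (urlsplit(url).hostname or "").lower()

    if ca_file is not None:
        # Preferred: pin the certificate. Chain and hostname checks stay on,
        # and the system trust store is not loaded when cafile is given.
        return ssl.create_default_context(cafile=ca_file)

    ctx = ssl.create_default_context()
    if ignore_errors and host in insecure_hosts:
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx):
    """Summarise a context as (verifies_chain, checks_hostname)."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED, ctx.check_hostname)


def fetch(url, **policy):
    """Perform the request with the context chosen by tls_context_for()."""
    ctx = tls_context_for(url, **policy)
    return urllib.request.urlopen(url, context=ctx, timeout=5).read()


if __name__ == "__main__":
    # Constructed sample URLs; the host "centos" is taken from the thread.
    for u in ("https://localhost:8384/rest/system/status",
              "https://centos/juice4/vending3.php?mode=authtest"):
        print(u, describe(tls_context_for(u, ignore_errors=True)))
```

With `requests`, the same two choices are expressed through the session's `verify` attribute: a path to the PEM file to pin the certificate, or `False` to disable verification.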