SSL error with CAS after upgrade to 32 bit python 2.7.10 on Windows (ActiveState python)

Tim Richardson

Dec 21, 2015, 6:57:00 AM
to web2py-users
Upgrading from python 2.7.8 to 2.7.10 causes me these errors with using CAS. This is with web2py 2.12.3 and 2.13.1 
On Windows Server 2008 R2. 


<type 'exceptions.IOError'> [Errno socket error] [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)


Modules are built with standard python package management (pip). 


Full trace is:

  File "e:\web2py\web2py_intranet\gluon\restricted.py", line 227, in restricted
    exec ccode in environment
  File "e:/web2py/web2py_intranet/applications/commission/controllers/default.py", line 416, in <module>
  File "e:\web2py\web2py_intranet\gluon\globals.py", line 412, in <lambda>
    self._caller = lambda f: f()
  File "e:/web2py/web2py_intranet/applications/commission/controllers/default.py", line 42, in user
    return dict(form=auth())
  File "e:\web2py\web2py_intranet\gluon\tools.py", line 1923, in __call__
    return getattr(self, args[0])()
  File "e:\web2py\web2py_intranet\gluon\tools.py", line 3029, in login
    redirect(cas.login_url(next),
  File "e:\web2py\web2py_intranet\gluon\contrib\login_methods\cas_auth.py", line 66, in login_url
    current.session.token = self._CAS_login()
  File "e:\web2py\web2py_intranet\gluon\contrib\login_methods\cas_auth.py", line 98, in _CAS_login
    data = urllib.urlopen(url).read()
  File "E:\Python27_32\lib\urllib.py", line 87, in urlopen
    return opener.open(url)
  File "E:\Python27_32\lib\urllib.py", line 213, in open
    return getattr(self, name)(url)
  File "E:\Python27_32\lib\urllib.py", line 443, in open_https
    h.endheaders(data)
  File "E:\Python27_32\lib\httplib.py", line 1049, in endheaders
    self._send_output(message_body)
  File "E:\Python27_32\lib\httplib.py", line 893, in _send_output
    self.send(msg)
  File "E:\Python27_32\lib\httplib.py", line 855, in send
    self.connect()
  File "E:\Python27_32\lib\httplib.py", line 1274, in connect
    server_hostname=server_hostname)
  File "E:\Python27_32\lib\ssl.py", line 352, in wrap_socket
    _context=self)
  File "E:\Python27_32\lib\ssl.py", line 579, in __init__
    self.do_handshake()
  File "E:\Python27_32\lib\ssl.py", line 808, in do_handshake
    self._sslobj.do_handshake()
IOError: [Errno socket error] [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

Niphlod

Dec 21, 2015, 8:19:34 AM
to web2py-users
this is more of a python installation issue rather than a web2py one ....

Niphlod

Dec 21, 2015, 8:22:26 AM
to web2py-users
and probably due to https cert verification turned on.... https://www.python.org/dev/peps/pep-0476/ . Are you using a valid cert ?

Tim Richardson

Dec 21, 2015, 2:36:50 PM
to web...@googlegroups.com


On Tuesday, 22 December 2015 00:22:26 UTC+11, Niphlod wrote:
and probably due to https cert verification turned on.... https://www.python.org/dev/peps/pep-0476/ . Are you using a valid cert ?


Your guess was remarkably precise. I just came back to report that replacing it with a renewed certificate fixed the problem. I didn't honestly expect that but thought I'd give it a shot (it's an intranet site). 
The expired cert didn't give the previous installation any problems, but there you are. I guess that CAS exposes the full python SSL stack, rather than just visiting a site in a browser, which lets the browser handle problems like this more permissively. 
  

Tim Richardson

Dec 21, 2015, 2:39:58 PM
to web2py-users


On Tuesday, 22 December 2015 00:19:34 UTC+11, Niphlod wrote:
this is more of a python installation issue rather than a web2py one ....

yes, but here be very helpful people. Which you have just proved again :) 

Niphlod

Dec 21, 2015, 3:14:32 PM
to web2py-users
this though poses a problem in the case someone wants to skip certificate validation..... python in this case enforces a "sane default" but I wonder if we should revisit all the code to look for places where cert validation **could** be a problem 

Yangbo Xu

Jun 28, 2016, 12:11:00 PM
to web2py-users
Hi Niphlod,

I did face the certificate validation problem.  It seems I need to dive a bit deeply into gluon and change the source code which makes use of urllib?
Just wondering if there is a better way to skip the certificate validation? (A similar problem was faced for gluon.tools.fetch, which doesn't have a parameter to skip verification. For those, I used requests.get(_url, verify=False) instead)

Thanks in advance for any advice or suggestions!
Yangbo

Niphlod

Jun 28, 2016, 3:20:02 PM
to web2py-users
before doing that, make sure that you understand the security implications of trusting whatever certificate you get...

Yangbo Xu

Jun 28, 2016, 10:22:27 PM
to web2py-users
Thanks for the reminder. This happens only in the development environment, for which I don't have a proper cert.  Proper certificates are installed for all production environments.
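
An added example, not code from this thread or from web2py: a Python 3 way to keep the PEP 476 verification discussed above switched on in a development environment by trusting the internal CA or self-signed certificate explicitly, together with an expiry check that flags a certificate before it lapses the way the one in the first post did. The function names, the `cafile` path and the sample certificate dict are assumptions constructed for illustration.

```python
import socket
import ssl
import time
import urllib.request


def verified_context(cafile=None):
    """Client context with certificate and hostname checks on (PEP 476 default).

    cafile is a hypothetical path to a PEM file holding the internal CA or the
    self-signed server certificate; when given, only that file is trusted.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # Already the defaults; set explicitly so a later edit cannot weaken them unnoticed.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def fetch(url, cafile=None, timeout=10):
    """Verified replacement for a bare urlopen(url).read() call."""
    ctx = verified_context(cafile)
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()


def peer_cert(host, port=443, cafile=None, timeout=10):
    """Return the server certificate as a dict; raises if verification fails."""
    ctx = verified_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_left(cert, now=None):
    """Days until notAfter for a dict shaped like getpeercert() output."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0


def expiry_status(cert, warn_days=30, now=None):
    """Classify a certificate so renewal happens before logins start failing."""
    left = days_left(cert, now)
    if left < 0:
        return "expired"
    return "renew-soon" if left < warn_days else "ok"


# Constructed sample, not taken from the thread's server.
SAMPLE_CERT = {"notAfter": "Dec 21 00:00:00 2015 GMT"}
```

On Python 2.7.9 or later the same kind of context can be passed as `urllib.urlopen(url, context=ctx)`.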