[SDKs] Improve certificate validation in Python SDK
Target version: Arvados Future Sprints
Velocity based estimate: -
Many users are seeing a warning from urllib3 letting them know that certificates can't actually be verified. Improve our SDK so that we can verify certificates from the system repository if able. Refer to the urllib3 documentation.
Original bug report
0M / 39828M 0.0% /home/abram/.local/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning. InsecurePlatformWarning
The arv-put has not failed but the warnings show up periodically.
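An added example (not Arvados SDK code): one way to locate the system CA bundle and build a verifying TLS context, failing closed when no bundle is found instead of continuing unverified. The function names and the list of distribution bundle paths are assumptions made for illustration.

```python
import os
import ssl

# Assumed fallbacks: common distribution CA bundle locations, checked in order.
DISTRO_BUNDLES = (
    "/etc/ssl/certs/ca-certificates.crt",  # Debian, Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",    # RHEL, CentOS, Fedora
)


def candidate_bundles():
    """CA file candidates: OpenSSL's configured default first, then distro paths."""
    paths = ssl.get_default_verify_paths()  # honours SSL_CERT_FILE if it is set
    configured = [p for p in (paths.cafile, paths.openssl_cafile) if p]
    return configured + list(DISTRO_BUNDLES)


def pick_ca_bundle(candidates=None):
    """Return the first candidate that is a non-empty regular file, else None."""
    if candidates is None:
        candidates = candidate_bundles()
    for path in candidates:
        if os.path.isfile(path) and os.path.getsize(path) > 0:
            return path
    return None


def require_ca_bundle(candidates=None):
    """Fail closed: raise instead of letting the caller fall back to no verification."""
    bundle = pick_ca_bundle(candidates)
    if bundle is None:
        raise RuntimeError("no CA bundle found; refusing to continue unverified")
    return bundle


def verifying_context(cafile=None):
    """Build a context that requires a valid chain and a matching hostname."""
    if not hasattr(ssl, "SSLContext"):
        # This is the situation InsecurePlatformWarning reports (old Python 2.7).
        raise RuntimeError("no true SSLContext available; upgrade the interpreter")
    # With cafile=None the system default trust store is loaded.
    return ssl.create_default_context(cafile=cafile)
```

The path returned by `require_ca_bundle()` can be passed as the `verify` argument of a `requests` call.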
#1 Updated by Tom Clegg almost 2 years ago
I removed this recently (#5562) from source:sdk/python/arvados/keep.py in 7ab494e42b35b3769a326a16b7e90f1d20147ced. Could it be related? The motivation and the ticket where it was added (#5246) suggest probably not, but still.
```python
try:
    # Workaround for urllib3 bug.
    # The 'requests' library enables urllib3's SNI support by default, which uses pyopenssl.
    # However, urllib3 prior to version 1.10 has a major bug in this feature
    # (OpenSSL WantWriteError, https://github.com/shazow/urllib3/issues/412)
    # Unfortunately Debian 8 is stabilizing on urllib3 1.9.1 which means the
    # following workaround is necessary to be able to use
    # the arvados python sdk with the distribution-provided packages.
    import urllib3
    from pkg_resources import parse_version
    if parse_version(urllib3.__version__) < parse_version('1.10'):
        from urllib3.contrib import pyopenssl
        pyopenssl.extract_from_urllib3()
except ImportError:
    pass
```