Bug #5905

[SDKs] Improve certificate validation in Python SDK

Added by Abram Connelly almost 3 years ago. Updated about 1 year ago.


Development story

Many users are seeing a warning from urllib3 letting them know that certificates can't actually be verified. Improve our SDK so that we can verify certificates from the system repository if able. Refer to the urllib3 documentation.

Original bug report

0M / 39828M 0.0% /home/abram/.local/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.

The arv-put has not failed but the warnings show up periodically.
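
One way to approach the development story above, as an added example that is not Arvados SDK code: detect the condition behind `InsecurePlatformWarning`, prefer the system trust store, fall back to a bundled CA file, and refuse to continue unverified. Helper names and the fallback parameter are hypothetical; it uses only the Python 3 standard-library `ssl` module.

```python
import os
import ssl
from collections import namedtuple

# Hypothetical helper names; stdlib only, so it runs without requests/urllib3.
CAPaths = namedtuple("CAPaths", "cafile capath")


def platform_can_verify():
    """True when the interpreter has a real SSLContext with SNI support.

    Its absence is the condition urllib3 reports as InsecurePlatformWarning.
    """
    return hasattr(ssl, "SSLContext") and getattr(ssl, "HAS_SNI", False)


def pick_ca_source(paths, fallback_cafile=None):
    """Choose the trust anchors: system store first, then the fallback file.

    `paths` needs .cafile and .capath, e.g. ssl.get_default_verify_paths().
    Returns ("system", None) or ("fallback", path). Raises if neither exists,
    so a caller never ends up with an unverified connection by default.
    """
    if paths.cafile and os.path.isfile(paths.cafile):
        return ("system", None)
    if paths.capath and os.path.isdir(paths.capath) and os.listdir(paths.capath):
        return ("system", None)
    if fallback_cafile and os.path.isfile(fallback_cafile):
        return ("fallback", fallback_cafile)
    raise RuntimeError("no CA certificates available; refusing to skip verification")


def verifying_context(cafile=None):
    """Context that requires a valid chain and a matching hostname.

    cafile=None loads the system trust store; otherwise only `cafile` is trusted.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        raise RuntimeError("context would not verify the peer")
    return ctx


if __name__ == "__main__":
    print("true SSLContext with SNI:", platform_can_verify())
    try:
        source, cafile = pick_ca_source(ssl.get_default_verify_paths())
        print("trust anchors:", source, verifying_context(cafile).cert_store_stats())
    except RuntimeError as exc:
        print("cannot verify:", exc)
```

`cert_store_stats()` can report zero CA certificates when the system store is a `capath` directory, because OpenSSL loads those on demand during the handshake; that is why the selection logic checks the paths rather than the count.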


#1 Updated by Tom Clegg almost 3 years ago

I removed this recently (#5562) from source:sdk/python/arvados/keep.py in 7ab494e42b35b3769a326a16b7e90f1d20147ced. Could it be related? The motivation and the ticket where it was added (#5246) suggest probably not, but still.

    try:
        # Workaround for urllib3 bug.
        # The 'requests' library enables urllib3's SNI support by default, which uses pyopenssl.
        # However, urllib3 prior to version 1.10 has a major bug in this feature
        # (OpenSSL WantWriteError, https://github.com/shazow/urllib3/issues/412)
        # Unfortunately Debian 8 is stabilizing on urllib3 1.9.1 which means the
        # following workaround is necessary to be able to use
        # the arvados python sdk with the distribution-provided packages.
        import urllib3
        from pkg_resources import parse_version
        if parse_version(urllib3.__version__) < parse_version('1.10'):
            from urllib3.contrib import pyopenssl
    except ImportError:
        pass

#2 Updated by Brett Smith almost 3 years ago

  • Subject changed from arv-put is giving warnings about my SSL configuration to [SDKs] Improve certificate validation in Python SDK
  • Description updated (diff)
  • Category set to SDKs
  • Target version changed from Bug Triage to Arvados Future Sprints

#3 Updated by Tom Clegg about 1 year ago

  • Status changed from New to Closed
