4teamwork / ftw.linkchecker


InsecureRequestWarning Unverified HTTPS request is being made. Adding certificate verification is strongly advised #57

Closed maethu closed 5 years ago

maethu commented 5 years ago

InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings InsecureRequestWarning)

Please check if we can do something about this.

busykoala commented 5 years ago

ftw.linkchecker uses the requests library. The solution would be to add the path to the host's certificates, like:

```python
requests.get('https://github.com', verify='/path/to/certfile')
```

Source

But since we only want to do HEAD requests, I need to look further into it.

busykoala commented 5 years ago

@maethu is there a server where we could install and test if `requests.head('https://whatever.com', verify='/path/to/certfile')` is working, where we have some data for the linkchecker and the certfiles lie around?

mbaechtold commented 5 years ago

From https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings:

InsecureRequestWarning This happens when a request is made to an HTTPS URL without certificate verification enabled. Follow the certificate verification guide to resolve this warning.

ftw.linkchecker disables certificate verification and urllib3 (which is used or bundled by requests) complains about it:

https://github.com/4teamwork/ftw.linkchecker/blob/badcd7fb9c66aefb6c66f2073fb23402363d1b08/ftw/linkchecker/linkchecker.py#L20-L24

Why is certificate verification disabled in the first place?

Removing verify=False should remove the InsecureRequestWarning.

busykoala commented 5 years ago

We decided to not change this because some customers use proxies and internally self-signed certificates. If we changed the line, most of the links would throw an error even though they are signed.

mbaechtold commented 5 years ago

Fair enough. But then you could disable the InsecureRequestWarning instead:

Making unverified HTTPS requests is strongly discouraged, however, if you understand the risks and wish to disable these warnings, you can use `disable_warnings()`:

```python
import urllib3
urllib3.disable_warnings()
```

Source https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings

spyros12 commented 4 years ago

I don't mind the warnings. At least it runs/works. Don't want to go back to code not working because of SSL certification or whatever reason.
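
An added example, not part of the thread and not ftw.linkchecker's code: one way to keep certificate verification on for HEAD requests when some targets use internally signed certificates, by pointing `verify` at a bundle that contains both the public roots and the internal CA. The function names, the status labels and the idea of reporting TLS failures as their own link status are assumptions made for illustration.

```python
import certifi
import requests


def build_ca_bundle(internal_ca_paths, out_path):
    """Write certifi's public roots plus the given internal CA PEM files to out_path."""
    with open(out_path, "wb") as out:
        with open(certifi.where(), "rb") as roots:
            out.write(roots.read())
        for path in internal_ca_paths:
            with open(path, "rb") as pem:
                out.write(b"\n" + pem.read())
    return out_path


def make_session(ca_bundle):
    """Return a session that verifies every request against ca_bundle."""
    session = requests.Session()
    session.verify = ca_bundle  # a path, never False
    return session


def check_link(session, url, timeout=10):
    """HEAD the URL; report certificate failures separately from dead links."""
    try:
        response = session.head(url, allow_redirects=True, timeout=timeout)
    except requests.exceptions.SSLError:
        # The certificate did not chain to the bundle: record it as a finding
        # instead of retrying without verification.
        return ("tls-error", None)
    except requests.exceptions.RequestException:
        return ("unreachable", None)
    status = "ok" if response.status_code < 400 else "broken"
    return (status, response.status_code)
```

With this layout a link behind an unknown certificate shows up as `tls-error` in the report rather than being silently accepted, and no `InsecureRequestWarning` is emitted because verification is never disabled.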