OpenDataNode / ckanext-odn-ic2pc-sync

CKAN Extension for synchronization of catalog records from internal catalog to public (external) catalog
GNU Affero General Public License v3.0

ckanext-odn-ic2pc-sync doesn't support certificate validation #15

Closed Jan-Marcek closed 8 years ago

Jan-Marcek commented 9 years ago

Due to https://github.com/OpenDataNode/odn-box/commit/9cf5b556556282e026a0cc679e7292321dfd28a2, ckanext-odn-ic2pc-sync has to support https.

Now, the certificate validation is disabled when the connection is https.

ckanext-odn-ic2pc-sync uses urllib2 and requests. urllib2 by default doesn't do certificate verification but requests does.

Jan-Marcek commented 9 years ago

Python's lib requests has its own list of trusted CAs. We can't rely on the OS trusted list.

Jan-Marcek commented 9 years ago

The method ssl.create_default_context could help to read OS certs, but SSLContext was introduced in 2.7.9, from http://stackoverflow.com/questions/28228214/ssl-module-object-has-no-attribute-sslcontext.

Debian Wheezy 7 uses an older version of Python. Debian 8 Jessie uses 2.7.9.

wheezy (oldstable) (python): interactive high-level object-oriented language (default version) 2.7.3-4+deb7u1: all

jessie (stable) (python): interactive high-level object-oriented language (default version) 2.7.9-1: amd64 arm64 armel armhf i386 mips mipsel powerpc ppc64el s390x

from https://packages.debian.org/search?keywords=python

Jan-Marcek commented 9 years ago

urllib2.urlopen (https://github.com/OpenDataNode/odn-ckancommons/blob/ODN_v1.0.2/odn_ckancommons/ckan_helper.py#L31) doesn't support verification in version 2.7.3 from urllib2.html

Jan-Marcek commented 9 years ago

Summary: As I wrote before, certificate validation is not supported in the plugin. Two libraries are used: urllib2 and requests. urllib2 doesn't even support certificate validation. If we want to fix it, we have to use Debian 8 Jessie, which has a higher version of urllib2 that supports certificate validation.

hanecak commented 8 years ago

OK, so this is blocked by upgrade to Debian 8 - see https://github.com/OpenDataNode/open-data-node/issues/238 .

Jan-Marcek commented 8 years ago

For now, we disabled cert validation in updating resource because of https://github.com/OpenDataNode/open-data-node/issues/261

Jan-Marcek commented 8 years ago

Now, cert validation is allowed in updating resource.

Jan-Marcek commented 8 years ago

The problem occurs again: https://github.com/OpenDataNode/open-data-node/issues/261. Now, cert validation is disabled in updating resource.
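
An added example, not code from ckanext-odn-ic2pc-sync or odn-ckancommons: one way to make the urllib2 side of the thread verify against the OS trust store where Python 2.7.9+ is available, and to refuse the connection on older interpreters such as 2.7.3 instead of falling back to an unverified one. The function names, the exception class and the optional `cafile` parameter are assumptions for illustration.

```python
import ssl

try:                                    # Python 2, the plugin's runtime
    import urllib2 as urlrequest
except ImportError:                     # Python 3 keeps the same handler API
    import urllib.request as urlrequest


class VerificationUnavailable(RuntimeError):
    """This interpreter cannot verify TLS certificates."""


def build_verified_context(ssl_module=ssl, cafile=None):
    """Return an SSLContext that verifies peers against the OS trust store.

    cafile (assumption: an optional PEM bundle, e.g. an internal CA) is
    loaded instead of the OS store when given.
    Fails closed when ssl.create_default_context is missing (Python < 2.7.9).
    """
    if not hasattr(ssl_module, "create_default_context"):
        raise VerificationUnavailable(
            "ssl.create_default_context is missing (Python < 2.7.9); "
            "refusing to open an unverified https connection")
    ctx = ssl_module.create_default_context(cafile=cafile)
    # create_default_context sets both of these; check instead of assuming,
    # so a patched or stubbed ssl module cannot silently weaken the opener.
    if ctx.verify_mode != ssl_module.CERT_REQUIRED or not ctx.check_hostname:
        raise VerificationUnavailable("context does not enforce verification")
    return ctx


def build_verified_opener(ssl_module=ssl, cafile=None):
    """Build an opener whose https handler uses the verifying context."""
    ctx = build_verified_context(ssl_module, cafile)
    # HTTPSHandler accepts context= from Python 2.7.9 / 3.2 onwards.
    return urlrequest.build_opener(urlrequest.HTTPSHandler(context=ctx))
```

Calling `build_verified_opener().open(url)` then raises an SSL error on an untrusted or mismatched certificate instead of silently accepting it.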