carlos-jenkins / plantweb

Plantweb is a Python client for the PlantUML server -
https://plantweb.readthedocs.io/
Apache License 2.0

Allow to skip SSL validation #10

Open staylorx opened 7 years ago

staylorx commented 7 years ago

I have a plantuml server behind TLS which I know is tested and strong, and publicly signed (though internal to my group). When I try to use it I get errors.

This might be you, it might be sphinx-doc? python2.7?

[I redacted mydomain. :)]

plantweb_defaults = {
    'server': 'https://pcamweb01.mydomain/plantuml/'
}
WARNING: C:\work\ART\cam-docs-art-system\environments\PRD.rst:22: (ERROR/3) Traceback (most recent call last):
  File "c:\python27\lib\site-packages\plantweb\directive.py", line 140, in run
    engine=self._get_engine_name()
  File "c:\python27\lib\site-packages\plantweb\render.py", line 199, in render
    output, sha = render_cached(server, format, content, **cacheopts)
  File "c:\python27\lib\site-packages\plantweb\render.py", line 122, in render_cached
    output = plantuml(server, format, content)
  File "c:\python27\lib\site-packages\plantweb\plantuml.py", line 123, in plantuml
    response = get(url)
  File "c:\python27\lib\site-packages\requests\api.py", line 72, in get
    return request('get', url, params=params, **kwargs)
  File "c:\python27\lib\site-packages\requests\api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "c:\python27\lib\site-packages\requests\sessions.py", line 502, in request
    resp = self.send(prep, **send_kwargs)
  File "c:\python27\lib\site-packages\requests\sessions.py", line 612, in send
    r = adapter.send(request, **kwargs)
  File "c:\python27\lib\site-packages\requests\adapters.py", line 514, in send
    raise SSLError(e, request=request)
SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)

Thank you!

staylorx commented 7 years ago

I tried changing the get in plantuml.py to

response = get(url, verify=False)

but that doesn't help. Same errors. I tried it against the official plantuml server and it worked but then was cached.

After removing the cache the output indicates a clean run but then no image is in the cache folder.

staylorx commented 7 years ago

I had to ensure 'pip install requests[security]' was installed and turning off the cache seemed to ensure it would call. It complains about https but it gets it.

# Plantweb configuration
plantweb_defaults = {
#    'server': 'http://www.plantuml.com/plantuml/',
    'engine': 'plantuml',
    'format': 'svg',
    'server': 'https://pcamweb01.mydomain/plantuml/',
    'use_cache': False,
}

So it works locally now, but readthedocs in a Docker container seems to hate it. Something new for me to dig into. But your kit looks okay now.

Thanks much.

staylorx commented 7 years ago

Got far down the road then realized my local copy of code had

response = get(url, verify=False)

I started down the road of updating a fork, but got stuck a bit on the args.py. Creating a parameter called 'tlsverify' makes sense... does it need to be in the CLI?

carlos-jenkins commented 7 years ago

You may try adding your custom certification authority to the REQUESTS_CA_BUNDLE as specified in http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification

If you want to add an option to disable SSL verification I'll modify:

staylorx commented 7 years ago

I think the ability to quickly disable SSL validation is all I really need. I had looked into REQUESTS_CA_BUNDLE but also ran into situations with SAN and wildcard naming. We've got a lot of docker and nginx before it's passed to a VIP. It's handy to check it with validation=False before sending clients against the VIP with the full cert and chain. Hacky, clearly. Thanks for your help.
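
An added example, not part of the thread or of plantweb's code: one way the `tlsverify` option discussed above could be mapped onto the `verify=` argument of `requests.get`, so that a path to an internal CA bundle is accepted alongside `True` and `False`. The function name `resolve_verify`, the accepted values and the PEM sanity check are assumptions made for illustration.

```python
import os
import warnings

PEM_MARKER = "-----BEGIN CERTIFICATE-----"


def resolve_verify(tlsverify=True):
    """Map a hypothetical 'tlsverify' setting to the value passed as verify=.

    True  -> verify against the default trust store (requests also honours
             REQUESTS_CA_BUNDLE in this case)
    str   -> path to a PEM file holding the internal CA chain
    False -> no verification; allowed, but never silently
    """
    # CLI values arrive as strings; normalise the boolean spellings first.
    if isinstance(tlsverify, str) and tlsverify.strip().lower() in ("true", "false"):
        tlsverify = tlsverify.strip().lower() == "true"

    if tlsverify is True:
        return True
    if tlsverify is False:
        warnings.warn(
            "TLS verification disabled: the PlantUML server's identity "
            "is not checked", RuntimeWarning)
        return False
    if not isinstance(tlsverify, str):
        raise TypeError("tlsverify must be a bool or a path to a CA bundle")

    # Anything else is treated as a CA bundle path. Fail closed: a missing or
    # unusable bundle is an error, never a fallback to verify=False.
    path = os.path.expanduser(tlsverify)
    if not os.path.isfile(path):
        raise ValueError("CA bundle not found: %s" % path)
    with open(path, "r", errors="replace") as handle:
        # Shallow check only: catches an empty file or a private key passed
        # by mistake, not an invalid certificate.
        if PEM_MARKER not in handle.read():
            raise ValueError("no PEM certificate in CA bundle: %s" % path)
    return path


# Intended call site, using the get() already present in plantuml.py:
#     response = get(url, verify=resolve_verify(setting))
```
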