dwavesystems / dwave-system

An API for easily incorporating the D-Wave system as a sampler, either directly or through Leap's cloud-based hybrid samplers
https://docs.ocean.dwavesys.com/
Apache License 2.0

Parameter 'permissive_ssl' not working on LeapHybridCQMSampler #486

Closed rafamartinc closed 1 year ago

rafamartinc commented 1 year ago

Description

Trying to sample a CQM through the LeapHybridCQMSampler returns an SSLCertVerificationError, even after setting the parameter 'permissive_ssl' to True when instantiating the LeapHybridCQMSampler. Full traceback attached: traceback.txt

To Reproduce

import os
import dwave.system
from dimod import Integer, ConstrainedQuadraticModel

with open(os.path.join('..', 'dwave_token.txt'), 'r') as file:
    os.environ['DWAVE_API_TOKEN'] = file.read()

x = [Integer(f'x_{i}') for i in range(4)]

cqm = ConstrainedQuadraticModel()

H_Objective = -5*x[0] - x[1] + x[2] - x[3]

cqm.set_objective(H_Objective)

cqm.add_constraint(20 - 10*x[0] - x[1] - x[2] - x[3] >=0)

sampler = dwave.system.LeapHybridCQMSampler(permissive_ssl=True)
sampleset = sampler.sample_cqm(cqm)

Error message:

SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1108)

Environments:

randomir commented 1 year ago

@rafamartinc, just to confirm, you are behind a proxy that intercepts and inspects/rewrites your https requests?

rafamartinc commented 1 year ago

Hi @randomir. Not that I know of... But shouldn't the validation be skipped entirely when using the permissive_ssl parameter?

randomir commented 1 year ago

@rafamartinc, you are right, we do have a known issue with permissive_ssl, see https://github.com/dwavesystems/dwave-cloud-client/issues/507. But the fact you're seeing an SSLCertVerificationError means some proxy on your route to D-Wave is rewriting requests and spoofing D-Wave API responses/certificates (in order to inspect the SSL traffic in plain text).

For that reason the use of permissive_ssl is not recommended. (Maybe a "good" actor is rewriting your traffic in your enterprise, but you can't distinguish that from a "bad" actor stealing your API token and/or other private data.)

We'll prioritize fixing this issue (although, we would rather just remove the flag/feature), but in the meantime you can try one of the two known workarounds:

  1. Explicitly specify endpoint in calls to the sampler (either in the D-Wave config file, or as a keyword argument to LeapHybridCQMSampler()). The default endpoint is "https://cloud.dwavesys.com/sapi/", also available as dwave.cloud.Client.DEFAULT_API_ENDPOINT (requires import dwave.cloud). This still requires permissive_ssl=True for SAPI requests.
  2. Provide proxy CA cert, if your network admin can share it with you. See here. This would be a preferred solution since you are explicitly authorizing your local network proxy to modify the certificate (but not others). Also, this option does not require the use of permissive_ssl.
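
An added example, not part of the thread or of D-Wave's code: one way to apply workaround 2 is to append the proxy's CA certificate to the existing CA bundle, so verification stays on and only that one extra CA is trusted. It assumes the client's HTTPS traffic goes through `requests`, which reads `REQUESTS_CA_BUNDLE`; the function names and file paths are hypothetical.

```python
import base64
import os
import re
import ssl

# Matches each certificate block in a PEM file and captures its base64 body.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_to_ders(pem_text):
    """Decode every certificate block in a PEM string to DER bytes."""
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_CERT.findall(pem_text)]


def merge_proxy_ca(base_pem, proxy_ca_pem):
    """Return the base trust store plus the proxy CA certificate(s) only.

    Certificate verification stays enabled: the result trusts the public
    CAs already in base_pem and the one local proxy CA, nothing else.
    """
    extra = pem_to_ders(proxy_ca_pem)
    if not extra:
        raise ValueError("no PEM certificate found in the proxy CA file")
    known = set(pem_to_ders(base_pem))
    new = [der for der in dict.fromkeys(extra) if der not in known]
    return base_pem.rstrip("\n") + "\n" + "".join(
        ssl.DER_cert_to_PEM_cert(der) for der in new)


def install_bundle(base_path, proxy_ca_path, out_path):
    """Write the merged bundle and point requests-based clients at it."""
    with open(base_path) as f:
        base_pem = f.read()
    with open(proxy_ca_path) as f:
        proxy_pem = f.read()
    with open(out_path, "w") as f:
        f.write(merge_proxy_ca(base_pem, proxy_pem))
    # Assumption: the client's HTTPS calls go through `requests`, which
    # reads REQUESTS_CA_BUNDLE from the environment.
    os.environ["REQUESTS_CA_BUNDLE"] = out_path
    return out_path

# Usage (placeholder paths; certifi's bundle as the base is an assumption):
#   install_bundle(certifi.where(), "corp-proxy-ca.pem", "leap-ca-bundle.pem")
#   sampler = dwave.system.LeapHybridCQMSampler()   # no permissive_ssl
```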

rafamartinc commented 1 year ago

Hi @randomir,

Workaround no. 2 was very closely related to the issue here. It was a specific configuration in our network, so we finally managed to get it solved - for now at least. It would be great to have https://github.com/dwavesystems/dwave-cloud-client/issues/507 solved though, to avoid further issues, so we'll keep an eye on that one as well.

Thank you so much!