sethmlarson / truststore

Verify certificates using OS trust stores
https://truststore.readthedocs.io
MIT License

Seems to not verify self-signed certs #64

Closed Eli-Black-Work closed 2 years ago

Eli-Black-Work commented 2 years ago

Hello! 🙂

We normally use pip_system_certs, which makes Python automatically use the Windows cert store. My understanding is that truststore is supposed to provide the same functionality. If not, then maybe this bug report is bogus 😄

Anyway, I installed truststore and some packages, like so:

python -m venv ".venv"
.\.venv\Scripts\activate

python -m pip install --upgrade pip
python -m pip install truststore --upgrade

python -m pip install robotframework --upgrade --use-feature=truststore
python -m pip install robotframework-requests --upgrade --use-feature=truststore
python -m pip install urllib3 --upgrade --use-feature=truststore
python -m pip install requests --upgrade --use-feature=truststore
python -m pip install RESTinstance --upgrade --use-feature=truststore
...

When we then make a call using robot-framework-requests, I get this error:

SSLError: HTTPSConnectionPool(host='localhost', port=44327): Max retries exceeded with url: /example (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:997)')))

OS: Windows
Python: 3.10.5

Let me know if there's any more info that I can provide! 🙂

sethmlarson commented 2 years ago

Thanks for opening an issue! Just to make sure I'm understanding correctly:

You were able to install the packages using --use-feature=truststore and everything worked okay.

You ran into the error you've listed when running robotframework. Could you provide some code that uses truststore and robotframework together so we can try reproducing?

If you're using a self-signed certificate for testing purposes I'd suggest looking at trustme for generating realistic server+client certificates programmatically from Python so you don't have to use self-signed certificates.

Eli-Black-Work commented 2 years ago

> You were able to install the packages using --use-feature=truststore and everything worked okay.

Yes 🙂

I'm just using robotframework (specifically, robotframework-requests) as normal.

pip_system_certs somehow makes it so that calls to the request library use the Windows cert store. Is that also what truststore is supposed to do? I could be misunderstanding its purpose 🙂

sethmlarson commented 2 years ago

Thanks for clarifying, glad that the --use-feature=truststore option worked for you.

Truststore itself doesn't do any magical modifications to the standard library or other libraries; you have to explicitly use it or have the dependency start using the library for Truststore to work. Does robotframework-requests support passing an SSLContext object via ssl_context, or the like?

Since this isn't a defect with the truststore library I'm going to close this issue, but feel free to reply here if you have further questions.

sethmlarson commented 2 years ago

An FYI: @davisagli has helpfully created an issue to document how to use this library with Requests as it's non-trivial.

Eli-Black-Work commented 2 years ago

@sethmlarson Thanks for the link! 🙂

I suspect that this is what pip_system_certs is doing, except it seems to patch Requests.
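
One way to hand an explicit SSLContext to Requests without patching anything, as the thread discusses. This is an added example, not code from truststore, Requests, or any commenter here. The names `SSLContextAdapter`, `os_trust_context` and `session_with_context` are hypothetical, and it assumes `requests` and `truststore` are installed (truststore needs Python 3.10+).

```python
import ssl

import requests
from requests.adapters import HTTPAdapter


class SSLContextAdapter(HTTPAdapter):
    """Transport adapter that passes one explicit SSLContext down to urllib3."""

    def __init__(self, ssl_context, **kwargs):
        # Set before super().__init__(), which itself calls init_poolmanager().
        self._ssl_context = ssl_context
        super().__init__(**kwargs)

    def init_poolmanager(self, connections, maxsize, block=False, **pool_kwargs):
        # urllib3's PoolManager accepts ssl_context and uses it for HTTPS pools.
        pool_kwargs["ssl_context"] = self._ssl_context
        return super().init_poolmanager(connections, maxsize, block, **pool_kwargs)


def os_trust_context():
    """Context that verifies certificates against the OS trust store."""
    import truststore  # lazy import: the adapter itself works with any SSLContext

    return truststore.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def session_with_context(ssl_context):
    """Session whose https:// traffic uses ssl_context; http:// is unchanged."""
    session = requests.Session()
    session.mount("https://", SSLContextAdapter(ssl_context))
    return session


# Typical use (not executed here):
#   session = session_with_context(os_trust_context())
#   session.get("https://localhost:44327/example")
```

Requests still applies its own `verify` setting on each request, so confirm the behaviour against your own endpoint with the Requests and urllib3 versions you deploy.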