snstac / pytak

PyTAK is a Python package for rapid TAK integration.
https://pytak.readthedocs.io/en/stable/
Apache License 2.0

Add method to define trusted partner TLS certs #55

Closed ampledata closed 9 months ago

ampledata commented 9 months ago

We can avoid ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131) with bypass settings such as PYTAK_TLS_DONT_CHECK_HOSTNAME.

What are the instructions for adding hosts to our trust chain?

ampledata commented 9 months ago

certificate verify failed: Error

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)

The certificate verify failed error indicates that the TAK Server is using a certificate that PyTAK does not trust because it cannot be verified. This is the default behavior for TAK Servers built following the TAK Server Setup Guide instructions.

Alternatively, many organizations have established their own custom Certificate Authority (CA). With this comes the need to propagate & establish the CA's authority throughout the organization, including on end-user devices like smartphones, tablets and computers.

Depending on the security requirements in your operating environment, there are two possible procedures to follow to resolve this error:

  1. Set the PYTAK_TLS_CLIENT_CAFILE configuration parameter to a PEM encoded file containing the custom CA trust chain? root? store? TK
  2. Bypass remote host TLS certificate verification by setting PYTAK_TLS_DONT_VERIFY to True.
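The two procedures above, worked through as an added example that is not part of the PyTAK project's code: it reads an INI config in the layout PyTAK uses, maps the PYTAK_TLS_* keys named in this issue onto a Python ssl.SSLContext, and flags the bypass path. The section names, hostname and CA path are made up, and the precedence between the keys (CA file wins over the bypass flags) is this example's own assumption, not PyTAK's documented behaviour.

```python
import configparser
import logging
import ssl

LOG = logging.getLogger(__name__)

# Constructed INI config in the layout PyTAK reads. The PYTAK_TLS_* keys are
# the ones named in this issue; section names, host and path are made up.
EXAMPLE_CONFIG = """
[custom_ca]
COT_URL = tls://takserver.example.internal:8089
PYTAK_TLS_CLIENT_CAFILE = /etc/tak/custom-ca-chain.pem

[bypass]
COT_URL = tls://takserver.example.internal:8089
PYTAK_TLS_DONT_VERIFY = True
"""

def load_config(text: str = EXAMPLE_CONFIG) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg

def tls_policy(section: configparser.SectionProxy) -> dict:
    """Reduce a section to the effective trust decision. A custom CA file
    takes precedence (assumed here), so a section that also sets the bypass
    flags still verifies the server chain against that CA."""
    cafile = section.get("PYTAK_TLS_CLIENT_CAFILE") or None
    if cafile:
        return {"cafile": cafile, "verify_chain": True, "check_hostname": True}
    dont_verify = section.getboolean("PYTAK_TLS_DONT_VERIFY", fallback=False)
    skip_host = section.getboolean("PYTAK_TLS_DONT_CHECK_HOSTNAME", fallback=False)
    return {"cafile": None, "verify_chain": not dont_verify,
            "check_hostname": not (dont_verify or skip_host)}

def build_tls_context(section: configparser.SectionProxy) -> ssl.SSLContext:
    """Build the SSLContext that implements tls_policy(section)."""
    policy = tls_policy(section)
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if policy["cafile"]:
        # Procedure 1: add the organisation's CA chain to the trust store.
        ctx.load_verify_locations(cafile=policy["cafile"])
        return ctx
    if not policy["verify_chain"]:
        LOG.warning("TLS chain verification disabled for %s", section.get("COT_URL"))
    # check_hostname must be cleared before verify_mode may become CERT_NONE,
    # otherwise CPython raises ValueError. Procedure 2 ends up with both off.
    ctx.check_hostname = policy["check_hostname"]
    ctx.verify_mode = ssl.CERT_REQUIRED if policy["verify_chain"] else ssl.CERT_NONE
    return ctx
```

With only PYTAK_TLS_DONT_CHECK_HOSTNAME set, the chain is still verified and only the name match is skipped, which is the narrower relaxation of the two bypass flags.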