timotheus / ebaysdk-python

eBay API SDK for Python
https://developer.ebay.com/tools/sdks

SSL certificate for the eBay API server is not verified #101

Open pjmcdermott opened 9 years ago

pjmcdermott commented 9 years ago

Following an upgrade (I think of requests or urllib3) I became plagued by InsecureRequestWarning exceptions:

InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html

I tracked this down to the setting of verify=False in the call to session.send() in Connection.execute_request(). Circa line 165.

I am using v 1.0.2 in production, but this setting is the same for 1.0.3 and the current master.

As far as I understand the requests library, setting the verify parameter to False switches off SSL certificate verification, and should only be used in very exceptional circumstances. Given the https target for the eBay API I suspect very few users are expecting that SSL certificate verification is off.

I am using a monkey patched version of 1.0.2 to get round this issue and the warning messages have gone away. (I believe SSL certificate verification is now taking place but can't think of a way to check this).

I believe verify should be set to True. Is there a reason why this parameter was not set as such originally?

The security risk of not verifying the server certificate is that one could be the subject of a man in the middle attack.

timotheus commented 9 years ago

Totally agree. Not sure why this was originally set to False. I'll switch and will test to make sure it doesn't break anything.

timotheus commented 9 years ago

Setting to True results in an InsecurePlatformWarning:

/home/ubuntu/sdkenv/local/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:79: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning

This InsecurePlatformWarning is what Python versions 2.7.9 and before will see. The suggested fix is to install pyopenssl (along with all its deps). I'm conflicted here since all these extra dependencies would make this SDK useless for a lot of people running in shared hosting, e.g. Heroku, etc.

pjmcdermott commented 9 years ago

Well, as a migration path, could I suggest adding a new verify keyword parameter to BaseConnection.__init__() with a default of True. This parameter should be passed to the requests call. If users experience the InsecurePlatformException and are unable to install the required dependencies, they are then able to revert to the default (insecure) behaviour, but in full knowledge that they are proceeding with an insecure connection.

An alternative suggestion (but this is a more radical jigging of the architecture of the library) is this: currently a requests session object is set up within the ebaysdk library. A more object-oriented approach would be to accept a requests session object as a parameter. Then the library users can set up session options (proxies, SSL certificate verification, authentication) to their own requirements, and the ebaysdk code (especially initialisation) is considerably simplified.
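Added example (not ebaysdk's own code) of the migration path proposed in the two comments above: a hypothetical `BaseConnection` that takes an injected session plus a `verify` keyword defaulting to `True`, and warns explicitly when verification is switched off. `RecordingSession` is a constructed stand-in for `requests.Session` so the check that the setting actually reaches the transport runs offline.

```python
"""Secure-by-default transport setting, as proposed in the thread (added
example, not ebaysdk code). BaseConnection accepts an injected session with
a requests.Session-style send(request, **kwargs) method and a verify keyword
defaulting to True; verify=False is honoured but emits an explicit warning so
the insecure mode is never silent."""
import warnings


class BaseConnection:
    def __init__(self, session, verify=True):
        # Hypothetical constructor shape; the real SDK builds its own session.
        if verify is False:
            warnings.warn(
                "TLS certificate verification is disabled for eBay API "
                "requests; only use this when pyOpenSSL cannot be installed.",
                UserWarning, stacklevel=2)
        self.session = session
        self.verify = verify

    def execute_request(self, prepared_request):
        # Pass the configured value through unchanged, so the effective
        # setting is decided by the caller rather than hard-coded to False.
        return self.session.send(prepared_request, verify=self.verify)


class RecordingSession:
    """Constructed stand-in for requests.Session: records what execute_request
    hands to the transport instead of opening a connection."""
    def __init__(self):
        self.calls = []

    def send(self, request, **kwargs):
        self.calls.append((request, kwargs))
        return kwargs.get("verify")


def effective_verify(**conn_kwargs):
    """Return the verify value that actually reaches the transport together
    with any warnings the constructor raised."""
    session = RecordingSession()
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        conn = BaseConnection(session, **conn_kwargs)
        conn.execute_request("<constructed prepared GET https://api.ebay.com/ws/api.dll>")
    _, kwargs = session.calls[-1]
    return kwargs["verify"], [str(w.message) for w in caught]
```

`verify` may also be a CA bundle path, which is passed through without a warning; only an explicit `False` is flagged.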

sqxccdy commented 9 years ago

In China I have also encountered the issue and read timeouts. Maybe because of GFW, so SSL is needed for request success rate. T.T... Already installed pyopenssl, Python version 2.7.6...

kashifusmani commented 8 years ago

Any update on this issue?

coffeemakr commented 4 years ago

While the verify parameter is set to True in connection.py, it is still set to False in parallel.py:

https://github.com/timotheus/ebaysdk-python/blob/5893c890aeea832e5e0662f3abc9b2357c3beb94/ebaysdk/parallel.py#L60