Open pjmcdermott opened 9 years ago
Totally agree. Not sure why this was originally set to False. I'll switch and will test to make sure it doesn't break anything.
Setting to True results in an InsecurePlatformWarning
/home/ubuntu/sdkenv/local/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:79: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
This InsecurePlatformWarning is what python versions 2.79 and before will see. The suggested fix is to install pyopenssl (along with all its deps). I'm conflicted here since all these extra dependencies would make this SDK useless for a lot of people running in shared hosting, e.g. heroku, etc.
Well, as a migration path, could I suggest adding a new `verify` keyword parameter to `BaseConnection.__init__()` with a default of `True`. This parameter should be passed to the requests call. If users experience the InsecurePlatformException and are unable to install the required dependencies they are then able to revert to the default (insecure) behaviour, but in full knowledge that they are proceeding with an insecure connection.
An alternative suggestion (but this is a more radical jigging of the architecture of the library) is this: currently a requests session object is set up within the ebaysdk library. A more object-oriented approach would be to accept a requests session object as a parameter. Then the library users can set up session options (proxies, SSL certificate verification, authentication) to their own requirements, and the ebaysdk code (especially initialisation) is considerably simplified.
I'm in China. I have also run into this issue and a read timeout, maybe because of the GFW, so SSL is needed for the request success rate. T.T... Already installed pyopenssl... Python version 2.7.6...
Any update on this issue?
While the `verify` parameter is set to `True` in connection.py, it is still set to `False` in parallel.py:
Following an upgrade (I think of requests or urllib3) I became plagued by InsecureRequestWarning exceptions:
I tracked this down to the setting of `verify=False` in the call to `session.send()` in `Connection.execute_request()`, circa line 165. I am using v 1.0.2 in production, but this setting is the same for 1.0.3 and the current master.
As far as I understand the requests library, setting the `verify` parameter to false switches off SSL certificate verification, and should only be used in very exceptional circumstances. Given the `https` target for the ebay API I suspect very few users are expecting that SSL certificate verification is off. I am using a monkey patched version of 1.0.2 to get round this issue and the warning messages have gone away. (I believe SSL certificate verification is now taking place but can't think of a way to check this.)
I believe `verify` should be set to `True`. Is there a reason why this parameter was not set as such originally? The security risk of not verifying the server certificate is that one could be the subject of a man in the middle attack.
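The following is an added example written for this page, not ebaysdk's own code. It puts the shape the issue describes (verification hard-wired off in `execute_request()`) beside the migration path proposed in the comments: a `verify` keyword on the connection's `__init__()` defaulting to `True` and passed straight through to `session.send()`, plus an optional caller-supplied session object. `InsecureConnection`, `SecureConnection` and `RecordingSession` are hypothetical names; the recording session is a constructed stand-in that captures what reaches `send()` so the `verify` value actually in use can be checked offline, which is the check the issue author asks for. Only the `session.send(prepared, verify=..., timeout=...)` call mirrors the real requests API.

```python
"""Added example (not ebaysdk's code): the verify=False call the issue
describes, beside a hardened connection with a verify keyword (default
True) and an injectable session. Names here are hypothetical."""
import warnings

try:
    import requests  # real library, used only when a session is not injected
except ImportError:  # the example still runs without requests installed
    requests = None


class RecordingSession(object):
    """Constructed stand-in for requests.Session: records the keyword
    arguments given to send() instead of opening a socket, so the value of
    `verify` that reached the transport can be inspected."""

    def __init__(self):
        self.calls = []

    def send(self, prepared, **kwargs):
        self.calls.append({"url": prepared, "kwargs": dict(kwargs)})
        return {"url": prepared, "kwargs": dict(kwargs)}


def _default_session():
    # Fall back to a real requests.Session only when the caller gave none.
    if requests is None:
        raise ImportError("requests is not installed; pass a session object")
    return requests.Session()


class InsecureConnection(object):
    """The shape reported in the issue: certificate verification is off and
    the caller has no way to turn it on."""

    def __init__(self, session=None, timeout=20):
        self.session = session or _default_session()
        self.timeout = timeout

    def execute_request(self, prepared):
        # As reported: verify=False in the call to session.send()
        return self.session.send(prepared, verify=False, timeout=self.timeout)


class SecureConnection(object):
    """Migration path from the thread: `verify` defaults to True and is
    passed through unchanged, so a CA bundle path also works; an injected
    session lets callers own proxies, client certs and authentication."""

    def __init__(self, session=None, verify=True, timeout=20):
        self.session = session or _default_session()
        self.verify = verify
        self.timeout = timeout
        if verify is False:
            # The opt-out stays possible, but never silent.
            warnings.warn(
                "SSL certificate verification is disabled for this connection; "
                "the server's identity will not be checked.",
                RuntimeWarning,
            )

    def execute_request(self, prepared):
        return self.session.send(prepared, verify=self.verify, timeout=self.timeout)


def verify_value_sent(connection, url="https://example.invalid/api"):
    """Return the `verify` argument that reached the last send() call.
    Only meaningful when the connection was built on a RecordingSession."""
    connection.execute_request(url)
    return connection.session.calls[-1]["kwargs"]["verify"]


if __name__ == "__main__":
    print("insecure:", verify_value_sent(InsecureConnection(session=RecordingSession())))
    print("secure:  ", verify_value_sent(SecureConnection(session=RecordingSession())))
```

With a real `requests.Session` injected, `SecureConnection(session=requests.Session())` keeps verification on by default, and `verify="/path/to/ca-bundle.pem"` pins the trust store without touching the library; the warning on `verify=False` is what makes the "in full knowledge" opt-out described above visible in logs.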