yaroslavyaroslav / OpenAI-sublime-text

First class Sublime Text AI assistant with GPT-o1 and ollama support!
MIT License
173 stars 13 forks

CERTIFICATE_VERIFY_FAILED when using custom API provider via httpS #42

Closed vjeantet closed 3 months ago

vjeantet commented 7 months ago

Hello,

My custom OpenAI provider (ollama) uses https with a self-signed certificate.

When the plugin tries to connect to it, an error pops up with "error OpenAi: CERTIFICATE_VERIFY_FAILED..."

How can I tell the plugin not to verify the SSL context of the connection? (Or better, set the path to the CA bundle to use?)

Thanks a lot!

Update: I found a reference, but I'm not sure if it is the solution, or how to apply it to your code: https://stackoverflow.com/questions/48908044/how-to-disable-ssl-verification-for-http-client-httpsconnection-class-in-python

yaroslavyaroslav commented 7 months ago

Hi. Well, the problem is that the solution I have in mind is one I consider a high-severity security issue.

I mean, the issue is caused by SSL pinning, which is toggled on by default in the default Python HTTP library, so from my perspective it's quite a bad idea to give a user an option to opt out of it. Do you have a different view on this?

vjeantet commented 7 months ago

Hello, thanks for your quick feedback.

I agree with you, we should not touch the default TLS Pinning mode.

In my case, my issue is about the unknown CA certificate provided by my certificate (as it is self-signed). I managed to bypass this SSL verification by adding a context param to the self.connection=connection line, like below.

line 47

...
import ssl
...
class NetworkClient():
    response: Optional[HTTPResponse] = None

    def __init__(self, settings: sublime.Settings, cacher: Cacher = Cacher()) -> None:
        ...
        # ssl._create_unverified_context() is a private stdlib helper; it turns off
        # both certificate verification and hostname checking for this connection
        self.connection = connection(url, context=ssl._create_unverified_context())

It would be cool if this behaviour could be set in settings with a boolean param, like ssl_no_verify.

yaroslavyaroslav commented 7 months ago

I see you; more than that, this is how I handle this issue myself locally when I needed to debug the network layer of the plugin using a MITM proxy.

But to my taste this issue is too specific to become part of the settings. Let's wait a bit and see if there are any folks who'll upvote it as well.

yaroslavyaroslav commented 3 months ago

Closing it so far.