The problem is that 'verify' is being explicitly set to False if ca_certs is not
specified.
1) openid_connect.py creates a Client (openid_connect.py:243 (_create_client)) [ with no ca_certs parameter ]
2) Client init (oic/oic/__init__.py:267). Note ca_certs defaults to None.
3) Client init (oic/oauth2/__init__.py:77)
4) Client init (oic/oauth2/base.py:39). If ca_certs is None: request_args["verify"] is false, regardless of setting of verify_ssl.
5) Note also that base.py creates its KeyJar with verify_ssl=True.
It is that step (4), 'request_args["verify"]=False' that is used in most
requests and causes them to be unverified.
There is one request that 'is' verified. It is
"https://www.googleapis.com/oauth2/v3/certs". It uses the KeyJar that was
created in step (5). It also uses the default ca path:
/data/local/gateway/gw-env3/lib/python3.6/site-packages/certifi/cacert.pem.
If openid_connect.py could specify the ca_certs path explicitly, even if via
'certifi.where()', the other calls could use verification as well.
Thanks,
Jim
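An added illustration of the verify/ca_certs coupling Jim traces above (not pyoidc's own code; the helper names are hypothetical, and the "buggy" branch reproduces only the step (4) behaviour he describes). It places the corrected decision beside the weak one and adds a check a practitioner can run over the keyword arguments that end up being handed to requests:

```python
# Added example, not pyoidc's code. Hypothetical helpers modelling the
# verify/ca_certs interaction described in the thread.
from typing import Optional, Union

try:
    import certifi  # the bundle Jim mentions (.../certifi/cacert.pem)
except ImportError:  # keep the example runnable without certifi installed
    certifi = None

VerifyArg = Union[bool, str]  # what requests accepts for its `verify` kwarg


def default_ca_bundle() -> VerifyArg:
    """Explicit CA path when certifi is available, else requests' own default."""
    return certifi.where() if certifi is not None else True


def buggy_request_args(verify_ssl: bool, ca_certs: Optional[str]) -> dict:
    """Step (4) as described: ca_certs=None switches verification off even when
    verify_ssl=True. The ca_certs-set branch is an assumption, not from the page."""
    if ca_certs is None:
        return {"verify": False}
    return {"verify": ca_certs if verify_ssl else False}


def fixed_request_args(verify_ssl: bool, ca_certs: Optional[str]) -> dict:
    """verify_ssl decides WHETHER to verify; ca_certs only decides AGAINST WHAT.
    With no explicit bundle, fall back to certifi.where() (or requests' default)."""
    if not verify_ssl:
        return {"verify": False}
    return {"verify": ca_certs if ca_certs is not None else default_ca_bundle()}


def verification_enabled(request_args: dict) -> bool:
    """Audit check: True unless `verify` is explicitly False.
    Both True and a CA bundle path mean the TLS certificate is verified."""
    return request_args.get("verify", True) is not False


if __name__ == "__main__":
    for name, build in (("buggy", buggy_request_args), ("fixed", fixed_request_args)):
        args = build(verify_ssl=True, ca_certs=None)
        print(f"{name}: verify_ssl=True, ca_certs=None -> {args}, "
              f"verified={verification_enabled(args)}")
```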
On Fri, 10 Nov 2017, Roland Hedberg wrote:
Date: Fri, 10 Nov 2017 08:29:18
From: Roland Hedberg <roland at catalogix.se>
To: Ioannis Kakavas <ikakavas at protonmail.com>
Cc: Jim Fox <fox at washington.edu>,
"satosa-users at lists.sunet.se" <satosa-users at lists.sunet.se>
Subject: Re: [satosa-users] how to get certificate verification on backend calls
On 10 Nov 2017, at 16:37, Ioannis Kakavas <ikakavas at protonmail.com>
wrote:
Thanks for the correction Roland !
Could it be that certifi is missing on the system (
https://urllib3.readthedocs.io/en/latest/user-guide.html#certificate-verifi… ) ?
Do we use urllib directly or via requests ?
In pyoidc it is via requests.
//Ioannis
-------- Original Message --------
Subject: Re: [satosa-users] how to get certificate verification on backend calls
Local Time: November 10, 2017 5:23 PM
UTC Time: November 10, 2017 3:23 PM
From: roland at catalogix.se
To: Ioannis Kakavas <ikakavas at protonmail.com>
Jim Fox <fox at washington.edu>, satosa-users at lists.sunet.se <satosa-users at lists.sunet.se>
On 10 Nov 2017, at 15:31, Ioannis Kakavas <ikakavas at protonmail.com>
wrote:
It uses oic.oauth2.Client internally (
https://github.com/OpenIDC/pyoidc/blob/master/src/oic/oauth2/__init__.py#L1… ) and I
see verify_ssl default value is True so my guess is that certificates are (attempted to
be) verified but ca_certs is None so it
doesn't know what to verify it against ( doesn't know of any CAs ) .
Not completely true. If ca_certs is None then the system CA certs are used.
You should only need to set ca_certs if your root CA is not in the global list of
accepted CAs or when some intermediates might be
missing.
Missing intermediates has bitten me a couple of times.
We could pass this as a parameter in the OIDC frontend or change pyoidc to look for
the system cacerts if it doesn't know
of any.
It does look for and use system ca certs.
I have a long flight next week and I could look into this if you make an issue out
of it in Github
Ioannis
-------- Original Message --------
Subject: Re: [satosa-users] how to get certificate verification on backend calls
Local Time: November 9, 2017 6:55 PM
UTC Time: November 9, 2017 4:55 PM
From: fox at washington.edu
To: Scott Koranda <skoranda at gmail.com>
satosa-users at lists.sunet.se
How can I get the https gets on the backend processes to verify
certificates?
Are you asking how you can get SATOSA to use TLS trust for remote SAML
metadata that it needs to pull down?
No, I mean the requests to a social OIDC OP, e.g. Google, to the
token or userinfo endpoint. With those I'm getting an InsecureRequestWarning from
urllib3.
Yeah, you will see this if verify_ssl is set to False which is a MUST to get anything
working in some environments.
As long as you know what you’re doing you can ignore this warning :-)
Jim
_______________________________________________
satosa-users mailing list
satosa-users at lists.sunet.se
https://lists.sunet.se/listinfo/satosa-users