Thanks for the correction Roland !
Could it be that certifi is missing on the system (https://urllib3.readthedocs.io/en/latest/user-guide.html#certificate-verification)?
Do we use urllib directly or via requests ?
//Ioannis
-------- Original Message --------
Subject: Re: [satosa-users] how to get certificate verification on backend calls
Local Time: November 10, 2017 5:23 PM
UTC Time: November 10, 2017 3:23 PM
From: roland at catalogix.se
To: Ioannis Kakavas <ikakavas at protonmail.com>
Jim Fox <fox at washington.edu>, satosa-users at lists.sunet.se <satosa-users at lists.sunet.se>
On 10 Nov 2017, at 15:31, Ioannis Kakavas
<ikakavas at protonmail.com> wrote:
It uses oic.oauth2.Client internally (
https://github.com/OpenIDC/pyoidc/blob/master/src/oic/oauth2/__init__.py#L1… ) and I see
verify_ssl default value is True so my guess is that certificates are (attempted to be)
verified but ca_certs is None so it doesn't know what to verify it against (
doesn't know of any CAs ) .
Not completely true. If ca_certs is None then the system CA certs are used.
You should only need to set ca_certs if your root CA is not in the global list of
accepted CAs or when some intermediates might be missing.
Missing intermediates has bitten me a couple of times.
We could pass this as a parameter in the OIDC
frontend or change pyoidc to look for the system cacerts if it doesn't know of any.
It does look for and use system ca certs.
I have a long flight next week and I could look
into this if you make an issue out of it in Github
Ioannis
> -------- Original Message --------
> Subject: Re: [satosa-users] how to get certificate verification on backend calls
> Local Time: November 9, 2017 6:55 PM
> UTC Time: November 9, 2017 4:55 PM
> From: fox at washington.edu
> To: Scott Koranda <skoranda at gmail.com>
> satosa-users at lists.sunet.se
>
>>> How can I get the https gets on the backend processes to verify
>>> certificates?
>>
>> Are you asking how you can get SATOSA to use TLS trust for remote SAML
>> metadata that it needs to pull down?
>
> No, I mean the requests to a social OIDC OP, e.g. Google, to the
> token or userinfo endpoint. With those I'm getting an InsecureRequestWarning from
> urllib3.
Yeah, you will see this if verify_ssl is set to False which is a MUST to get anything
working in some environments.
As long as you know what you’re doing you can ignore this warning :-)
>> Jim
>> ---------------------------------------------------------------
>>
>> satosa-users mailing list
>> satosa-users at lists.sunet.se
>> https://lists.sunet.se/listinfo/satosa-users
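What the two settings discussed in this thread (verify_ssl and ca_certs) actually select, as an added example that is not part of the original messages, of SATOSA or of pyoidc. It uses only the Python standard library so it runs offline: verify_argument() is a hypothetical helper that mirrors the semantics Roland describes (False disables checking, an explicit bundle path pins trust, None falls through to the default store), build_context() turns that value into the ssl.SSLContext a client would hand to the socket, and audit_context() is the check a practitioner would run before deploying, flagging exactly the state behind urllib3's InsecureRequestWarning (CERT_NONE) and the opposite failure, an empty trust store. Note that requests/urllib3 default to the certifi bundle rather than the OS store, which is why Ioannis's question about certifi matters; the fallback to certifi below is this example's own choice, not pyoidc's behaviour. The warning category and message text are assumptions made for the example.

```python
"""Added example: what verify_ssl / ca_certs select, stdlib only (no network)."""
import ssl
import warnings


def verify_argument(verify_ssl=True, ca_certs=None):
    """Hypothetical mirror of how a pyoidc-style client would collapse its two
    settings into the single `verify` value that requests/urllib3 accept
    (assumption for this example, not pyoidc's own code):
      False  -> no certificate checking at all (InsecureRequestWarning territory)
      path   -> trust only the CAs in that bundle (root plus any missing intermediates)
      True   -> use the default trust store
    """
    if not verify_ssl:
        return False
    if ca_certs is not None:
        return ca_certs
    return True


def build_context(verify=True):
    """Build the ssl.SSLContext that a `verify` value implies."""
    # create_default_context() gives CERT_REQUIRED, hostname checking and the
    # system CA store (load_default_certs) for purpose SERVER_AUTH.
    ctx = ssl.create_default_context()
    if verify is False:
        # The state urllib3 reports as InsecureRequestWarning: the peer is not
        # authenticated, so a MITM with any certificate is accepted.
        warnings.warn("Unverified HTTPS: certificate and hostname checks disabled",
                      category=RuntimeWarning, stacklevel=2)
        ctx.check_hostname = False          # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    elif verify is not True:
        # Explicit bundle: the case Roland mentions where the root is not in the
        # global list or an intermediate is missing from the server's chain.
        ctx.load_verify_locations(cafile=verify)
    elif ctx.cert_store_stats()["x509_ca"] == 0:
        # Default store is empty on this host (minimal container, broken
        # ca-certificates). Fall back to the certifi bundle if it is installed;
        # this fallback is the example's choice, not pyoidc's behaviour.
        try:
            import certifi
        except ImportError:
            return ctx                      # audit_context() will flag the empty store
        ctx.load_verify_locations(cafile=certifi.where())
    return ctx


def audit_context(ctx):
    """Return human-readable findings for a context that would not verify peers."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid cert for another host is accepted")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no CA certificates loaded: every handshake fails with CERTIFICATE_VERIFY_FAILED")
    return findings


def describe(ctx):
    """Plain-data summary of a context, convenient for logging and tests."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "ca_count": ctx.cert_store_stats()["x509_ca"],
    }


if __name__ == "__main__":
    for label, verify_ssl, ca_certs in [("verify_ssl=False", False, None),
                                        ("defaults", True, None)]:
        ctx = build_context(verify_argument(verify_ssl, ca_certs))
        print(label, describe(ctx), audit_context(ctx) or "OK")
```

Run it once with verify_ssl=False to see the audit findings that correspond to the warning Jim reports, and once with defaults to confirm the host actually has a populated CA store; a zero ca_count with no findings about CERT_NONE is the "doesn't know of any CAs" situation from the thread, and the fix there is the OS ca-certificates package or certifi, not disabling verification.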