5:55 p.m.
How can I get
the https gets on the backend processes to verify
certificates?
Are you asking how you can get SATOSA to use TLS trust for remote SAML
metadata that it needs to pull down?
3:31 p.m.
New subject: how to get certificate verification on backend calls
It uses oic.oauth2.Client internally (
https://github.com/OpenIDC/pyoidc/blob/master/src/oic/oauth2/__init__.py#L1… ) and I see
verify_ssl default value is True so my guess is that certificates are (attempted to be)
verified but ca_certs is None so it doesn't know what to verify it against (
doesn't know of any CAs ) .
We could pass this as a parameter in the OIDC frontend or change pyoidc to look for the
system cacerts if it doesn't know of any.
I have a long flight next week and I could look into this if you make an issue out of it
in Github
Ioannis
-------- Original Message --------
Subject: Re: [satosa-users] how to get certificate verification on backend calls
Local Time: November 9, 2017 6:55 PM
UTC Time: November 9, 2017 4:55 PM
From: fox at washington.edu
To: Scott Koranda <skoranda at gmail.com>
satosa-users at lists.sunet.se
No, I mean the requests to a social OIDC OP, e.g. Google, to to the
token or userinfo endpoint. With those I'm getting an InsecureRequestWarning from
urllib3.
Jim
---------------------------------------------------------------
satosa-users mailing list
satosa-users at lists.sunet.se
https://lists.sunet.se/listinfo/satosa-users
How can I
get the https gets on the backend processes to verify
certificates?
Are you asking how you can get SATOSA to use TLS trust for remote SAML
metadata that it needs to pull down? 
4:23 p.m.
On 10 Nov 2017, at 15:31, Ioannis Kakavas <ikakavas
at protonmail.com> wrote:
It uses oic.oauth2.Client internally (
https://github.com/OpenIDC/pyoidc/blob/master/src/oic/oauth2/__init__.py#L1… ) and I see
verify_ssl default value is True so my guess is that certificates are (attempted to be)
verified but ca_certs is None so it doesn't know what to verify it against (
doesn't know of any CAs ) .
Not completely true. If ca_certs is None then the system CA certs are used.
You should only need to set ca_certs if your root CA is not in the global list of accepted
CAs or when some intermediates might be missing.
Missing intermediates has bitten me a couple of times.
We could pass this as a parameter in the OIDC frontend
or change pyoidc to look for the system cacerts if it doesn't know of any.
It does look for and use system ca certs.
I have a long flight next week and I could look into
this if you make an issue out of it in Github
Ioannis
> -------- Original Message --------
> Subject: Re: [satosa-users] how to get certificate verification on backend calls
> Local Time: November 9, 2017 6:55 PM
> UTC Time: November 9, 2017 4:55 PM
> From: fox at washington.edu
> To: Scott Koranda <skoranda at gmail.com>
> satosa-users at lists.sunet.se
>
>
> How can I get the https gets on the backend processes to verify
> certificates?
> Are you asking how you can get SATOSA to use TLS trust for remote SAML
> metadata that it needs to pull down?
>
> No, I mean the requests to a social OIDC OP, e.g. Google, to to the
> token or userinfo endpoint. With those I'm getting an InsecureRequestWarning
from
> urllib3.
Yeah, you will see this if verify_ssl is set to False which is a MUST to get anything
working in some environments.
As long as you know what you’re doing you can ignore this warning :-)
Jim
satosa-users mailing list
satosa-users at lists.sunet.se <mailto:satosa-users at lists.sunet.se>
https://lists.sunet.se/listinfo/satosa-users
<https://lists.sunet.se/listinfo/satosa-users>
_______________________________________________
satosa-users mailing list
satosa-users at lists.sunet.se
https://lists.sunet.se/listinfo/satosa-users
4:37 p.m.
New subject: how to get certificate verification on backend calls
Thanks for the correction Roland !
Could it be that certifi is missing on the system (
[https://urllib3.readthedocs.io/en/latest/user-guide.html#certificate-verifi… )
](https://urllib3.readthedocs.io/en/latest/user-guide.html#certificate-verification)?
Do we use urllib directly or via requests ?
//Ioannis
-------- Original Message --------
Subject: Re: [satosa-users] how to get certificate verification on backend calls
Local Time: November 10, 2017 5:23 PM
UTC Time: November 10, 2017 3:23 PM
From: roland at catalogix.se
To: Ioannis Kakavas <ikakavas at protonmail.com>
Jim Fox <fox at washington.edu>, satosa-users at lists.sunet.se <satosa-users at
lists.sunet.se>
On 10 Nov 2017, at 15:31, Ioannis Kakavas
<ikakavas at protonmail.com> wrote:
It uses oic.oauth2.Client internally (
https://github.com/OpenIDC/pyoidc/blob/master/src/oic/oauth2/__init__.py#L1… ) and I see
verify_ssl default value is True so my guess is that certificates are (attempted to be)
verified but ca_certs is None so it doesn't know what to verify it against (
doesn't know of any CAs ) .
Not completely true. If ca_certs is None then the system CA certs are used.
You should only need to set ca_certs if your root CA is not in the global list of
accepted CAs or when some intermediates might be missing.
Missing intermediates has bitten me a couple of times.
We could pass this as a parameter in the OIDC
frontend or change pyoidc to look for the system cacerts if it doesn't know of any.
It does look for and use system ca certs.
I have a long flight next week and I could look
into this if you make an issue out of it in Github
Ioannis
> -------- Original Message --------
> Subject: Re: [satosa-users] how to get certificate verification on backend calls
> Local Time: November 9, 2017 6:55 PM
> UTC Time: November 9, 2017 4:55 PM
> From: fox at washington.edu
> To: Scott Koranda <skoranda at gmail.com>
> satosa-users at lists.sunet.se
>
>>> How can I get the https gets on the backend processes to verify
>>> certificates?
>>
>> Are you asking how you can get SATOSA to use TLS trust for remote SAML
>> metadata that it needs to pull down?
>
> No, I mean the requests to a social OIDC OP, e.g. Google, to to the
> token or userinfo endpoint. With those I'm getting an InsecureRequestWarning
from
> urllib3.
Yeah, you will see this if verify_ssl is set to False which is a MUST to get anything
working in some environments.
As long as you know what you’re doing you can ignore this warning :-)
>> Jim
>> ---------------------------------------------------------------
>>
>> satosa-users mailing list
>> satosa-users at lists.sunet.se
>> https://lists.sunet.se/listinfo/satosa-users
>
> _______________________________________________
> satosa-users mailing list
> satosa-users at lists.sunet.se
> https://lists.sunet.se/listinfo/satosa-users
5:29 p.m.
On 10 Nov 2017, at 16:37, Ioannis Kakavas <ikakavas
at protonmail.com> wrote:
Thanks for the correction Roland !
Could it be that certifi is missing on the system (
https://urllib3.readthedocs.io/en/latest/user-guide.html#certificate-verifi… )
<https://urllib3.readthedocs.io/en/latest/user-guide.html#certificate-verification>?
Do we use urllib directly or via requests ?
In pyoidc it is via requests.
//Ioannis
-------- Original Message --------
Subject: Re: [satosa-users] how to get certificate verification on backend calls
Local Time: November 10, 2017 5:23 PM
UTC Time: November 10, 2017 3:23 PM
From: roland at catalogix.se
To: Ioannis Kakavas <ikakavas at protonmail.com>
Jim Fox <fox at washington.edu>, satosa-users at lists.sunet.se <satosa-users at
lists.sunet.se>
On 10 Nov 2017, at 15:31, Ioannis Kakavas
<ikakavas at protonmail.com <mailto:ikakavas at protonmail.com>> wrote:
It uses oic.oauth2.Client internally (
https://github.com/OpenIDC/pyoidc/blob/master/src/oic/oauth2/__init__.py#L1…
<https://github.com/OpenIDC/pyoidc/blob/master/src/oic/oauth2/__init__.py#L153> )
and I see verify_ssl default value is True so my guess is that certificates are (attempted
to be) verified but ca_certs is None so it doesn't know what to verify it against (
doesn't know of any CAs ) .
Not completely true. If ca_certs is None then the system CA certs are used.
You should only need to set ca_certs if your root CA is not in the global list of
accepted CAs or when some intermediates might be missing.
Missing intermediates has bitten me a couple of times.
We could pass this as a parameter in the OIDC
frontend or change pyoidc to look for the system cacerts if it doesn't know of any.
It does look for and use system ca certs.
I have a long flight next week and I could look
into this if you make an issue out of it in Github
Ioannis
> -------- Original Message --------
> Subject: Re: [satosa-users] how to get certificate verification on backend calls
> Local Time: November 9, 2017 6:55 PM
> UTC Time: November 9, 2017 4:55 PM
> From: fox at washington.edu <mailto:fox at washington.edu>
> To: Scott Koranda <skoranda at gmail.com <mailto:skoranda at gmail.com>>
> satosa-users at lists.sunet.se <mailto:satosa-users at lists.sunet.se>
>
>
> How can I get the https gets on the backend processes to verify
> certificates?
> Are you asking how you can get SATOSA to use TLS trust for remote SAML
> metadata that it needs to pull down?
>
> No, I mean the requests to a social OIDC OP, e.g. Google, to to the
> token or userinfo endpoint. With those I'm getting an InsecureRequestWarning
from
> urllib3.
Yeah, you will see this if verify_ssl is set to False which is a MUST to get anything
working in some environments.
As long as you know what you’re doing you can ignore this warning :-)
>> Jim
>>
>> satosa-users mailing list
>> satosa-users at lists.sunet.se <mailto:satosa-users at lists.sunet.se>
>> https://lists.sunet.se/listinfo/satosa-users
<https://lists.sunet.se/listinfo/satosa-users>
>
> _______________________________________________
> satosa-users mailing list
> satosa-users at lists.sunet.se <mailto:satosa-users at lists.sunet.se>
> https://lists.sunet.se/listinfo/satosa-users
9:34 p.m.
The problem is that 'verify' is being explicitly set to False if ca_certs is not
specified.
1) openid_connect.py creates a Client (openid_connect.py:243 (_create_client)) [ with no
ca_certs parameter ]
2) Client init (oic/oic/__init__.py:267) Note ca_certs defaults to None.
3) Client init (oic/oauth2/__init__.py:77)
4) Client init (oic/oauth2/base.py:39) If ca_certs is None:
request_args["verify"] is false, regardless of setting of verify_ssl.
5) Note also that base.py creates its KeyJar with verify_ssl=True.
It is that step (4), 'request_args["verify"]=False' that is used in most
requests and causes them to be unverified.
There is one request that 'is' verified. It is
"https://www.googleapis.com/oauth2/v3/certs". It uses the KeyJar that was
created in step (5). It also uses the default ca path:
/data/local/gateway/gw-env3/lib/python3.6/site-packages/certifi/cacert.pem.
If openid_connect.py could specify the ca_certs path explicitly, even if via
'certifi.where()', the other calls could use verification as well.
Thanks,
Jim
On Fri, 10 Nov 2017, Roland Hedberg wrote:
Date: Fri, 10 Nov 2017 08:29:18
From: Roland Hedberg <roland at catalogix.se>
To: Ioannis Kakavas <ikakavas at protonmail.com>
Cc: Jim Fox <fox at washington.edu>,
"satosa-users at lists.sunet.se" <satosa-users at lists.sunet.se>
Subject: Re: [satosa-users] how to get certificate verification on backend
calls
On 10 Nov 2017, at 16:37, Ioannis Kakavas <ikakavas at protonmail.com>
wrote:
Thanks for the correction Roland !
Could it be that certifi is missing on the system (
https://urllib3.readthedocs.io/en/latest/user-guide.html#certificate-verifi… ) ?
Do we use urllib directly or via requests ?
In pyoidc it is via requests.
//Ioannis
-------- Original Message --------
Subject: Re: [satosa-users] how to get certificate verification on backend calls
Local Time: November 10, 2017 5:23 PM
UTC Time: November 10, 2017 3:23 PM
From: roland at catalogix.se
To: Ioannis Kakavas <ikakavas at protonmail.com>
Jim Fox <fox at washington.edu>, satosa-users at lists.sunet.se <satosa-users at
lists.sunet.se>
On 10 Nov 2017, at 15:31, Ioannis Kakavas <ikakavas at protonmail.com>
wrote:
It uses oic.oauth2.Client internally (
https://github.com/OpenIDC/pyoidc/blob/master/src/oic/oauth2/__init__.py#L1… ) and I
see verify_ssl default value is True so my guess is that certificates are (attempted to
be) verified but ca_certs is None so it
doesn't know what to verify it against ( doesn't know of any CAs ) .
Not completely true. If ca_certs is None then the system CA certs are used.
You should only need to set ca_certs if your root CA is not in the global list of
accepted CAs or when some intermediates might be
missing.
Missing intermediates has bitten me a couple of times.
We could pass this as a parameter in the OIDC frontend or change pyoidc to look for
the system cacerts if it doesn't know
of any.
It does look for and use system ca certs.
I have a long flight next week and I could look into this if you make an issue out
of it in Github
Ioannis
-------- Original Message --------
Subject: Re: [satosa-users] how to get certificate verification on backend calls
Local Time: November 9, 2017 6:55 PM
UTC Time: November 9, 2017 4:55 PM
From: fox at washington.edu
To: Scott Koranda <skoranda at gmail.com>
satosa-users at lists.sunet.se
How can I get the https gets on the backend processes to verify
certificates?
Are you asking how you can get SATOSA to use TLS trust for remote SAML
metadata that it needs to pull down?
No, I mean the requests to a social OIDC OP, e.g. Google, to to the
token or userinfo endpoint. With those I'm getting an InsecureRequestWarning from
urllib3.
Yeah, you will see this if verify_ssl is set to False which is a MUST to get anything
working in some environments.
As long as you know what you’re doing you can ignore this warning :-)
Jim
__________________________________________________________________________________________________________________________________________________
satosa-users mailing list
satosa-users at lists.sunet.se
https://lists.sunet.se/listinfo/satosa-users
_______________________________________________
satosa-users mailing list
satosa-users at lists.sunet.se
https://lists.sunet.se/listinfo/satosa-users
2552
days inactive
2557
days old
7 comments
4 participants
participants (4)
-
fox@washington.edu -
ikakavas@protonmail.com -
roland@catalogix.se -
skoranda@gmail.com