
Comments (12)

mingchen avatar mingchen commented on June 7, 2024 1

Newer version URL requests are handled by requests; it will verify the SSL certificate, which is more secure.

from django-cas-ng.

bgroff avatar bgroff commented on June 7, 2024 1

@duoi no action was taken. I do not have commit access, so I cannot say if a PR will be accepted or not. I am on the fence as to the wisdom of this change though. On the one hand it makes testing a local setup easier, although getting a working setup without this change is not impossible. On the other hand, you should really never run a CAS system in production with this flag set, and I think that is where I am skeptical that this would be a good addition; it is too easy to do something that is not safe.

So if you are thinking about creating a PR, here is what I would like to see. Some good test coverage to make sure that the setting is working properly. The default values should verify the certificates. There should be a warning presented to the user that this operation is not safe for a production environment, something along the lines of the naive datetime warning from django [0]. At the end of the day it is up to @mingchen to accept the pull request though.

[0] - https://github.com/django/django/blob/master/django/db/models/fields/__init__.py#L1358

from django-cas-ng.

bgroff avatar bgroff commented on June 7, 2024 1

@duoi no problem. Glad you got your PR merged!

from django-cas-ng.

michel-kraemer avatar michel-kraemer commented on June 7, 2024

Yes, I know it's more secure, but what do I do if I have a self-signed certificate in our development environment?

from django-cas-ng.

bgroff avatar bgroff commented on June 7, 2024

Can you add the signing certificate (CA bundle) to the client? This would be the best way to handle your issue. More details on how to do this in Ubuntu are at [0].

On the other hand, requests has a mechanism for not verifying the certificate [1], but that would need to be exposed, most likely through a setting. I could see this being somewhat useful in certain circumstances (closed networks with their own CA). There are two ways that requests addresses this issue.

  1. You can turn off certificate verification altogether by passing verify=False to the request.
  2. You can also use the verify parameter to pass a full path to a CA bundle that signed your server's certificate; this would allow you to use your own CA bundle without having to add your bundle to the system.

I could see a setting along the lines of CAS_VERIFY_CERTIFICATE that is None by default, but takes either False or a full path to a CA bundle. Internally we would use that setting for all requests if the setting is something other than None, otherwise verify the certificate with just the system certs.

[0] http://superuser.com/questions/437330/how-do-you-add-a-certificate-authority-ca-to-ubuntu
[1] http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification

from django-cas-ng.

duoi avatar duoi commented on June 7, 2024

@bgroff this was closed, but did anything ever come from this? a setting to control certificate validation would be extremely welcomed. I can develop a PR if it hasn't already been done.

from django-cas-ng.

mingchen avatar mingchen commented on June 7, 2024

See python-cas 1.4.0, which includes python-cas/python-cas#16:

  • Add kwarg to bypass SSL certificate validation #16

from django-cas-ng.

duoi avatar duoi commented on June 7, 2024

@bgroff thanks for getting back to me. I agree with your points and will produce something that hits them.

Good call on the warning message, I didn’t consider that, and will definitely stick it in. Given that my other PR on the ‘python-cas’ dependency package has been merged in I’ll begin working on this one probably later this evening or so. Cheers.

from django-cas-ng.

duoi avatar duoi commented on June 7, 2024

@bgroff would you be able to give me any advice on how I should write the tests? I've been looking for a way to do it with RequestFactory but I can't see anything that would let me enter into a state where I can mock rejection of unsigned certificates.

Here is what I have:

  1. The new setting: https://github.com/duoi/django-cas-ng/blob/master/django_cas_ng/__init__.py#L31
  2. The warning: https://github.com/duoi/django-cas-ng/blob/master/django_cas_ng/utils.py#L72
  3. Being passed to cas.py: https://github.com/duoi/django-cas-ng/blob/master/django_cas_ng/utils.py#L88

I added the warning on the get_cas_client() function as it is called several times across the system and it's the only way to ensure that the user is made very well aware of what's happening. Would that be too much in your opinion?

from django-cas-ng.

bgroff avatar bgroff commented on June 7, 2024

Hey, sorry it took a bit to get back to you. Is it possible to check that the cas_client.verify_ssl_certificate is True/False for the combinations of settings?

from django-cas-ng.
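The setting-to-`verify` mapping bgroff proposes earlier in the thread (None by default, False, or a CA bundle path), combined with the unit-level check he suggests above: assert `verify_ssl_certificate` for each setting combination rather than trying to provoke a real TLS failure. This is added example code, not django-cas-ng's or python-cas's own implementation; `CASClientStub`, `resolve_verify`, `get_cas_client` and the plain settings dict are assumptions standing in for the real client and Django settings.

```python
import warnings


class CASClientStub:
    """Stand-in for the python-cas client (assumption): only records the
    value that would be handed to requests' ``verify`` keyword."""

    def __init__(self, server_url, verify_ssl_certificate=True):
        self.server_url = server_url
        self.verify_ssl_certificate = verify_ssl_certificate


def resolve_verify(setting):
    """Map CAS_VERIFY_CERTIFICATE to a requests ``verify`` value.

    None  -> True   (default: verify against the system CA store)
    False -> False  (verification off; warn loudly, never for production)
    str   -> path   (verify against that CA bundle only, as in requests [1])
    True is also accepted as an explicit "system certs" (an extension of the
    proposal in the thread).
    """
    if setting is None or setting is True:
        return True
    if setting is False:
        warnings.warn(
            "CAS_VERIFY_CERTIFICATE=False disables TLS certificate "
            "verification; this is not safe for a production environment.",
            RuntimeWarning,
            stacklevel=2,
        )
        return False
    if isinstance(setting, str) and setting:
        return setting
    raise ValueError(
        "CAS_VERIFY_CERTIFICATE must be None, False, or a CA bundle path"
    )


def get_cas_client(settings):
    """Build the client from a settings mapping (constructed sample input),
    the way a view would on every request; the warning fires here so it is
    impossible to miss when verification is turned off."""
    verify = resolve_verify(settings.get("CAS_VERIFY_CERTIFICATE"))
    return CASClientStub(settings["CAS_SERVER_URL"], verify_ssl_certificate=verify)
```

Because the decision is isolated in `resolve_verify`, the tests need no TLS server at all: a self-signed certificate in development is handled by pointing the setting at the CA bundle path, and only the explicit False branch turns verification off.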

duoi avatar duoi commented on June 7, 2024

I just can't see a way to pass in an invalid certificate with RequestFactory. I can write tests, but the tests wouldn't provide much value. We're unable to test for the negative (or more important) case when the certificate is invalid but verify_ssl_certificate is set to True :/

from django-cas-ng.

BarnabasSzabolcs avatar BarnabasSzabolcs commented on June 7, 2024

CAS_VERIFY_CERTIFICATE

This does not work :(

from django-cas-ng.
