#207 closed defect (fixed)
ssl certificate verification error in cellPACK fetch
Reported by: | Tom Goddard | Owned by: | Greg Couch |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Infrastructure | Version: | |
Keywords: | | Cc: | conrad@… |
Blocked By: | | Blocking: | |
Notify when closed: | | Platform: | Mac OS X (Cocoa 64) |
Project: | ChimeraX | | |
Description
ChimeraX python has a problem verifying https certificates.
This is specific to the ChimeraX python, probably because we have openssl in prereqs instead of using the system ssl. Why are we including openssl? The prereqs/README should document why.
The attached test program that uses urllib to open an https url does not work in ChimeraX but does work in Python3.5 installed on my Mac OS 10.11 system.
Fetching cellpack data exhibits this error. But I've put a work-around in the code to verify certificates for cellpack fetch. Easiest to use the attached test program to reproduce the error. To test the cellpack case modify io.py fetch_file() to set check_certificates = True.
open cellpack:HIV-1_0.1.6
Fetching url https://github.com/mesoscope/cellPACK_data/raw/master/cellPACK_database_1.1.0/results/HIV-1_0.1.6.apr.json failed:
<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:646)>
Attachments (1)
Change History (7)
by , 10 years ago
Attachment: | testssl.py added |
---|
comment:1 by , 10 years ago
comment:2 by , 10 years ago
Status: | new → accepted |
---|
It also fails on Linux but works in Chimera 1.10 on Linux. We do compile OpenSSL for Chimera 1.10 on Linux. So it doesn't appear to be related to compiling OpenSSL.
Running "openssl s_client -no_ssl2 -no_ssl3 -connect raw.githubusercontent.com:443", where git.com is redirected to, gives "Verify return code: 20 (unable to get local issuer certificate)". Googling for that says that is missing an appropriate root certificate. On Ubuntu, adding "-CApath /etc/ssl/certs" to the s_client command line gives: "Verify return code: 0 (ok)".
So the problem is not having the root certificates. Not sure why the -CApath argument was needed, since it appears that the root certificates are where Ubuntu's OpenSSL would expect them to be.
comment:4 by , 10 years ago
Resolution: | → fixed |
---|---|
Status: | accepted → closed |
For Linux, added code to configure bundled OpenSSL to use the system's CA file.
The Mac now uses the system's OpenSSL, so no need to do anything there -- this choice for the Mac was made because we don't want to maintain the CA (certificate authority) file, and I couldn't find it on Mac OS X 10.10. For Linux, ChimeraX will run on a variety of systems, so it is safer to bundle our own version for now.
Tom, you should be able to change cellpack to check certificates.
comment:7 by , 10 years ago
cellPACK fetch is now working on the Mac leaving https certificate checking enabled.
The cellpack fetch also works in Chimera 1.10 daily build and is fetching the same url but with Python 2.
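An added example, not ChimeraX's code and not part of the ticket: a Python sketch of the diagnosis and the Linux fix discussed above. It reports where the bundled OpenSSL looks for root certificates and builds a verifying context from a system CA file. The candidate path list and all function names are assumptions.

```python
import os
import ssl
import urllib.request

# Assumed list of common system CA bundle locations; adjust per distribution.
CA_FILE_CANDIDATES = [
    "/etc/ssl/certs/ca-certificates.crt",  # Debian, Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",    # Fedora, RHEL
    "/etc/ssl/ca-bundle.pem",              # openSUSE
    "/etc/ssl/cert.pem",                   # Alpine, BSDs
]

def describe_default_paths():
    """Show where this Python's OpenSSL looks for roots and what is really there."""
    p = ssl.get_default_verify_paths()
    return {
        "openssl_cafile": p.openssl_cafile,
        "openssl_capath": p.openssl_capath,
        # cafile/capath are None when the configured location does not exist;
        # when both are missing, no roots are loaded and verification fails.
        "cafile_found": p.cafile is not None,
        "capath_found": p.capath is not None,
    }

def find_system_ca_file(candidates=CA_FILE_CANDIDATES):
    """Return the first candidate that is a non-empty regular file, else None."""
    for path in candidates:
        if os.path.isfile(path) and os.path.getsize(path) > 0:
            return path
    return None

def make_verifying_context(cafile=None):
    """Build a context that always verifies; cafile=None uses OpenSSL defaults."""
    ctx = ssl.create_default_context(cafile=cafile)
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx

def fetch(url, ctx, timeout=30):
    """Fetch over https with verification left on (not called on import)."""
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as response:
        return response.read()

if __name__ == "__main__":
    print(describe_default_paths())
    print("system CA file:", find_system_ca_file())
```

Passing the located file to `make_verifying_context()` and the result to `fetch()` keeps certificate and hostname checks enabled rather than turning verification off.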