Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#207 closed defect (fixed)

ssl certificate verification error in cellPACK fetch

Reported by: Tom Goddard
Owned by: Greg Couch
Priority: major
Milestone:
Component: Infrastructure
Version:
Keywords:
Cc: conrad@…
Blocked By:
Blocking:
Notify when closed:
Platform: Mac OS X (Cocoa 64)
Project: ChimeraX

Description

ChimeraX python has a problem verifying https certificates.

This is specific to the ChimeraX python, probably because we have openssl in prereqs instead of using the system ssl. Why are we including openssl? The prereqs/README should document why.

The attached test program that uses urllib to open an https url does not work in ChimeraX but does work in Python3.5 installed on my Mac OS 10.11 system.

Fetching cellpack data exhibits this error. But I've put a work-around in the code to verify certificates for cellpack fetch. Easiest to use the attached test program to reproduce the error. To test the cellpack case modify io.py fetch_file() to set check_certificates = True.

open cellpack:HIV-1_0.1.6
Fetching url https://github.com/mesoscope/cellPACK_data/raw/master/cellPACK_database_1.1.0/results/HIV-1_0.1.6.apr.json failed:

<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:646)>

Attachments (1)

testssl.py (203 bytes) - added by Tom Goddard 10 years ago.


Change History (7)

by Tom Goddard, 10 years ago

Attachment: testssl.py added

comment:1 by Tom Goddard, 10 years ago

The cellpack fetch also works in Chimera 1.10 daily build and is fetching the same url but with Python 2.

comment:2 by Greg Couch, 10 years ago

Status: new → accepted

It also fails on Linux but works in Chimera 1.10 on Linux. We do compile OpenSSL for Chimera 1.10 on Linux. So it doesn't appear to be related to compiling OpenSSL.

Running "openssl s_client -no_ssl2 -no_ssl3 -connect raw.githubusercontent.com:443", where git.com is redirected to, gives "Verify return code: 20 (unable to get local issuer certificate)". Googling for that says that is missing an appropriate root certificate. On Ubuntu, adding "-CApath /etc/ssl/certs" to the s_client command line gives: "Verify return code: 0 (ok)".

So the problem is not having the root certificates. Not sure why the -CApath argument was needed, since it appears that the root certificates are where Ubuntu's OpenSSL would expect them to be.

comment:3 by Greg Couch, 10 years ago

Turned off the building of OpenSSL on Mac OS X.

comment:4 by Greg Couch, 10 years ago

Resolution: fixed
Status: accepted → closed

For Linux, added code to configure bundled OpenSSL to use the system's CA file.

The Mac now uses the system's OpenSSL, so no need to do anything there -- this choice for the Mac was made because we don't want to maintain the CA (certificate authority) file, and I couldn't find it on Mac OS X 10.10. For Linux, ChimeraX will run on a variety of systems, so it is safer to bundle our own version for now.

Tom, you should be able to change cellpack to check certificates.
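
The approach described in comment:4 (point a bundled OpenSSL at the system CA file and keep verification enabled) can be checked from Python as follows. This is an added example, not ChimeraX code or the attached testssl.py; the candidate bundle paths and all function names are assumptions.

```python
import os
import ssl
import urllib.request

# Common system CA bundle locations (an assumed list, not taken from the ticket).
CANDIDATE_CA_FILES = [
    "/etc/ssl/certs/ca-certificates.crt",  # Debian, Ubuntu
    "/etc/pki/tls/certs/ca-bundle.crt",    # RHEL, Fedora
    "/etc/ssl/ca-bundle.pem",              # openSUSE
    "/etc/ssl/cert.pem",                   # Alpine, macOS
]

def default_trust_paths():
    """Where the OpenSSL linked into this Python looks for roots, and whether they exist."""
    p = ssl.get_default_verify_paths()
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "cafile": p.openssl_cafile,
        "cafile_exists": os.path.isfile(p.openssl_cafile),
        "capath": p.openssl_capath,
        "capath_exists": os.path.isdir(p.openssl_capath),
    }

def find_ca_bundle(candidates=CANDIDATE_CA_FILES):
    """Return the first candidate that is a non-empty file, else None."""
    for path in candidates:
        if os.path.isfile(path) and os.path.getsize(path) > 0:
            return path
    return None

def verifying_context(cafile=None):
    """Context with CERT_REQUIRED and hostname checks; only the trust anchors vary."""
    return ssl.create_default_context(cafile=cafile)

def fetch(url, cafile=None, timeout=10):
    """urllib fetch with verification on; URLError wraps CERTIFICATE_VERIFY_FAILED."""
    ctx = verifying_context(cafile)
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read()

if __name__ == "__main__":
    # A bundled OpenSSL whose compiled-in paths do not exist has no roots to verify against.
    print(default_trust_paths())
    print("system bundle:", find_ca_bundle())
```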

comment:6 by goddard@…, 10 years ago

Thanks, I’ll try it on Monday.


comment:7 by goddard@…, 10 years ago

cellPACK fetch is now working on the Mac leaving https certificate checking enabled.
