Posted to dev@libcloud.apache.org by Troy Cauble <tr...@gmail.com> on 2016/07/29 19:41:30 UTC

[dev] ssl and proxy issue "Failed to verify hostname"

I'm using libcloud 1.1.0 on python 2.7.10 and
ubuntu 15.10.

Here's hoping this is a mismatched package

$ pip list
apache-libcloud (1.1.0)
argparse (1.2.1)
boto (2.42.0)
certifi (2016.2.28)
cffi (1.7.0)
cryptography (1.4)
docopt (0.6.2)
enum34 (1.1.6)
idna (2.1)
ipaddress (1.0.16)
paramiko (2.0.2)
pip (1.5.6)
pyasn1 (0.1.9)
pycparser (2.14)
setuptools (18.4)
six (1.10.0)
wsgiref (0.1.2)


When I don't set
     libcloud.security.VERIFY_SSL_CERT = False
I see the following exception using the proxy at work.

    ...
    sg = driver.ex_get_security_groups(group_names=[sg_nm])
  File "/home/troy/B2/local/lib/python2.7/site-packages/libcloud/compute/drivers/ec2.py", line 3818, in ex_get_security_groups
    response = self.connection.request(self.path, params=params)
  File "/home/troy/B2/local/lib/python2.7/site-packages/libcloud/common/base.py", line 851, in request
    raise ssl.SSLError(str(e))
ssl.SSLError: ('("Failed to verify hostname: hostname \'proxy.MYCOMPANY.com\' doesn\'t match either of \'us-west-2.ec2.amazonaws.com\', \'ec2.us-west-2.amazonaws.com\'",)',)



It's complaining that the company proxy FQDN doesn't match
the amazonaws FQDNs.

At first I thought it might be a man-in-the-middle style corporate proxy
cert issue.
But then I replicated it using polipo.

Any ideas?
Thanks,
-troy


Re: [dev] ssl and proxy issue "Failed to verify hostname"

Posted by Tomaz Muraus <to...@apache.org>.
Yeah, what Samuel has said - Libcloud is working as intended.

It's notifying you that you are being MITMed, in your case by a corporate
proxy.

On Sat, Jul 30, 2016 at 12:19 PM, Samuel Marks <sa...@gmail.com>
wrote:

> It is being proxied through your company's network. What are your
> HTTP_PROXY/HTTPS_PROXY environment variables set to? - It might be
> happening at a different layer, but just checking.
>
> Regardless libcloud is correct to not verify that hostname, as it clearly
> isn't Amazon. If you can't disable the proxy but it still goes through to
> AWS, then just disable verification like you've done.
>
>
> Samuel Marks
> http://linkedin.com/in/samuelmarks
>

Re: [dev] ssl and proxy issue "Failed to verify hostname"

Posted by Samuel Marks <sa...@gmail.com>.
It is being proxied through your company's network. What are your
HTTP_PROXY/HTTPS_PROXY environment variables set to? - It might be
happening at a different layer, but just checking.

Regardless libcloud is correct to not verify that hostname, as it clearly
isn't Amazon. If you can't disable the proxy but it still goes through to
AWS, then just disable verification like you've done.


Samuel Marks
http://linkedin.com/in/samuelmarks


Re: [dev] Re: ssl and proxy issue "Failed to verify hostname"

Posted by Allard Hoeve <al...@gmail.com>.
Well, any HTTP proxy is technically MitM by design ;-)

Check if you can configure a SOCKS proxy, that type only forwards tcp
connections, leaving TLS intact.





On Sat, Jul 30, 2016, 14:27 Troy Cauble <tr...@gmail.com> wrote:

> Maybe I wasn't clear.  I said I initially *thought* it was a MitM type
> proxy
> but then I replicated the problem with polipo an open source proxy
> that is not MitM.
>
> Also, ansible and other Python tools get through our corporate proxy
> fine, so it may not be MitMing at all.
>
> -troy
>

[dev] Re: ssl and proxy issue "Failed to verify hostname"

Posted by Troy Cauble <tr...@gmail.com>.
Maybe I wasn't clear.  I said I initially *thought* it was a MitM type proxy
but then I replicated the problem with polipo an open source proxy
that is not MitM.

Also, ansible and other Python tools get through our corporate proxy
fine, so it may not be MitMing at all.

-troy
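
Added example, not part of the thread and not libcloud's own code: the error text in the original post names both the hostname the client checked and the names in the certificate it received, which is enough to tell a wrong reference name apart from a certificate issued for some other host. The function names, verdict strings and the second sample message are constructed for illustration; matching names say nothing about who issued the certificate, which chain validation covers separately.

```python
import re

# Error text from the original post, with line wraps and quote escapes removed.
PAGE_ERROR = ("Failed to verify hostname: hostname 'proxy.MYCOMPANY.com' doesn't match "
              "either of 'us-west-2.ec2.amazonaws.com', 'ec2.us-west-2.amazonaws.com'")
# Constructed counter-case: the endpoint name was checked, but the certificate is for another host.
CONSTRUCTED_ERROR = ("Failed to verify hostname: hostname 'ec2.us-west-2.amazonaws.com' "
                     "doesn't match 'proxy.MYCOMPANY.com'")


def name_matches(pattern, host):
    """RFC 6125-style comparison: '*' may replace only the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        label, _, parent = h.partition(".")
        return bool(label) and parent == p[2:]
    return p == h


def parse_mismatch(message):
    """Return (name the client checked, names listed from the certificate)."""
    text = message.replace("\\'", "'")  # tracebacks show the quotes escaped
    m = re.search(r"hostname '([^']+)' doesn't match (.*)", text, re.S)
    if not m:
        raise ValueError("not a hostname-mismatch message")
    return m.group(1), re.findall(r"'([^']+)'", m.group(2))


def classify(message, endpoint, proxy_host):
    """Name-level verdict only; certificate chain trust is a separate check."""
    checked, cert_names = parse_mismatch(message)
    cert_is_for_endpoint = any(name_matches(n, endpoint) for n in cert_names)
    if cert_is_for_endpoint and name_matches(proxy_host, checked):
        # The certificate names the API endpoint; the comparison used the proxy's name.
        return "wrong-reference-name"
    if not cert_is_for_endpoint and name_matches(endpoint, checked):
        # The right name was checked, but the peer's certificate is for another host.
        return "certificate-not-for-endpoint"
    return "unclassified"


if __name__ == "__main__":
    for msg in (PAGE_ERROR, CONSTRUCTED_ERROR):
        print(classify(msg, "ec2.us-west-2.amazonaws.com", "proxy.MYCOMPANY.com"))
```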
