Posted to dev@libcloud.apache.org by Troy Cauble <tr...@gmail.com> on 2016/07/30 12:26:44 UTC

[dev] Re: ssl and proxy issue "Failed to verify hostname"

Maybe I wasn't clear.  I said I initially *thought* it was a MitM type proxy
but then I replicated the problem with polipo, an open source proxy
that is not MitM.

Also, ansible and other Python tools get through our corporate proxy
fine, so it may not be MitMing at all.

-troy

On Fri, Jul 29, 2016 at 3:41 PM, Troy Cauble <tr...@gmail.com> wrote:

> I'm using libcloud 1.1.0 on python 2.7.10 and
> ubuntu 15.10.
>
> Here's hoping this is a mismatched package
>
> $ pip list
> apache-libcloud (1.1.0)
> argparse (1.2.1)
> boto (2.42.0)
> certifi (2016.2.28)
> cffi (1.7.0)
> cryptography (1.4)
> docopt (0.6.2)
> enum34 (1.1.6)
> idna (2.1)
> ipaddress (1.0.16)
> paramiko (2.0.2)
> pip (1.5.6)
> pyasn1 (0.1.9)
> pycparser (2.14)
> setuptools (18.4)
> six (1.10.0)
> wsgiref (0.1.2)
>
>
> When I don't set
>      libcloud.security.VERIFY_SSL_CERT = False
> I see the following exception using the proxy at work.
>
>     ...
>     sg = driver.ex_get_security_groups(group_names=[sg_nm])
>   File "/home/troy/B2/local/lib/python2.7/site-packages/libcloud/compute/drivers/ec2.py", line 3818, in ex_get_security_groups
>     response = self.connection.request(self.path, params=params)
>   File "/home/troy/B2/local/lib/python2.7/site-packages/libcloud/common/base.py", line 851, in request
>     raise ssl.SSLError(str(e))
> ssl.SSLError: ('("Failed to verify hostname: hostname \'proxy.MYCOMPANY.com\' doesn\'t match either of \'us-west-2.ec2.amazonaws.com\', \'ec2.us-west-2.amazonaws.com\'",)',)
>
>
>
> It's complaining that the company proxy FQDN doesn't match
> the amazonaws FQDNs.
>
> At first I thought it might be a man-in-the-middle style corporate proxy
> cert issue.
> But then I replicated it using polipo.
>
> Any ideas?
> Thanks,
> -troy
>
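
The traceback above shows a certificate carrying the two EC2 names being compared with the proxy's hostname. The sketch below is an added example, not part of the thread and not libcloud code: it reproduces that comparison next to the one against the CONNECT target. `CERT` is constructed from the names in the traceback, and `reference_name`, `verify` and the other helpers are hypothetical names.

```python
# Added illustration, not libcloud code. CERT is constructed: it has the dict
# shape of ssl.SSLSocket.getpeercert() and carries the two names from the traceback.
CERT = {
    "subjectAltName": (
        ("DNS", "us-west-2.ec2.amazonaws.com"),
        ("DNS", "ec2.us-west-2.amazonaws.com"),
    )
}


def dns_names(cert):
    """Return the dNSName entries of the certificate's subjectAltName."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(pattern, hostname):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:] and h[0] != ""
    return p == h


def reference_name(connect_host, tunnel_host=None):
    """Name the certificate must be checked against.

    connect_host is where the TCP socket goes (the proxy when one is used);
    tunnel_host is the CONNECT target. Inside a tunnel the TLS peer is the
    origin server, so its name is the reference identity.
    """
    return tunnel_host or connect_host


def verify(cert, hostname):
    """Raise ValueError if hostname matches none of the certificate's names."""
    names = dns_names(cert)
    if not any(name_matches(n, hostname) for n in names):
        raise ValueError("hostname %r doesn't match either of %s"
                         % (hostname, ", ".join(map(repr, names))))
    return True
```

Checking the same certificate against `reference_name(proxy, target)` passes, while checking it against the proxy's own name raises an error of the same shape as the one in the traceback.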

Re: [dev] Re: ssl and proxy issue "Failed to verify hostname"

Posted by Allard Hoeve <al...@gmail.com>.
Well, any HTTP proxy is technically MitM by design ;-)

Check if you can configure a SOCKS proxy; that type only forwards TCP
connections, leaving TLS intact.
