SSL Verification

Jerry

21 Jul, 2016 05:57 PM

Hey Marcin,

Thank you for your cooperation, outstanding customer service. Still, I've been poking around with the SSL verification problem, and I have noticed that turning on "Web: Require SSL for vcs operations" causes Error 406 as described. When that option is turned off, it seems everything works beautifully. So this indicates our SSL certificates don't verify, but we've left this off so everything works fine. However, issues occur when you try to create a new repo via importing a repo that RhodeCode already manages. Even with SSL checking turned off, there appears to be an SSL check at this step, which fails. Do you know where the setting is within RhodeCode that points to the SSL cert or CA that is used to do this check?

Best,

Jerry Jones IV

  1. Posted by Jerry Jones on 27 Jul, 2016 12:24 PM

    So I've decided to run some tests. I have upgraded our servers to 3.8.4, the latest available without going to 4.X. However, as soon as I update to the earliest version of 4.X (4.1.2), cloning a repo RhodeCode already manages causes the SSL error. I am unsure if upgrading to 4.X changed the verification process from 3.X, but I am currently doing a file-by-file comparison of enterprise-1 production and rhodecode files, pki/tls/certs, among others, to see if any changes have been made due to the update that would cause this error.

  2. Posted by Jerry Jones on 28 Jul, 2016 06:05 PM

    So, I've narrowed it down to Python updating from 2.6.x to 2.7.11 causing issues. Python 2.7.9+ conducts default SSL checks. Apache has been enabled to do this, so there is no need for Python to also. I am thinking we just need to disable this feature. Only issue is I am unsure which .py file RhodeCode uses to do the checks.

  3. [Support Staff] Posted by Marcin Kuzminsk... on 29 Jul, 2016 03:03 PM

    Hi Jerry-

    In the 4.X series we updated Python to the latest version, which has much stricter SSL checks, and in addition we also used an updated OpenSSL version.

    This might be very hard to disable easily. I think we need to check this with our team in much detail.

  4. [Support Staff] Posted by Marcin Kuzminsk... on 29 Jul, 2016 03:05 PM

    Ticket was backported to issue tracker: https://issues.rhodecode.com/issues/4138 on 2016-07-29T15:06:09Z

  5. [Support Staff] Posted by Marcin Kuzminsk... on 29 Jul, 2016 03:05 PM

    If your Apache is verifying SSL, then please disable the require SSL, as it duplicates the checks.

  6. Posted by Jerry Jones on 29 Jul, 2016 05:54 PM

    Thank you for getting back to me. Since this issue has been ticketed I will wait for you to let me know when you discover a solution! I am not quite ready to settle on version 3.8.4 so talk with me about this as an alternative solution.

    I'd like to see if it's feasible to instead update the paths and files Python uses to perform its SSL checks. The updated Python by default finds the path to the certs automatically and checks SSL. The paths and files being incorrect causes these errors. If we can't turn it off, maybe it's possible to change the default paths to those that match my environment. If it can pass the SSL checks (like Apache does) then I can decide on if Apache will keep checking SSL.

    By following the path listed on Admin -> Settings -> System Info, I can find the path to the python installation. Using that, then running this command in python:

    import ssl
    ssl.get_default_verify_paths()

    I am returned with tuples of where the certs it will be looking for are located. Some of these values are gained from system environment variables, and some are not. Do you know a way to change the ones that are not?
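
An added example, not part of the original thread and not RhodeCode's code: the Python sketch below separates the values `ssl.get_default_verify_paths()` takes from environment variables from those compiled into OpenSSL, and shows the CA-file variable being overridden. It is written for Python 3; the helper names are hypothetical and the "bundle" is a constructed empty temp file standing in for a site CA bundle.

```python
import os
import ssl
import tempfile
from contextlib import contextmanager


@contextmanager
def temp_env(name, value):
    """Set one environment variable only for the duration of the block."""
    old = os.environ.get(name)
    os.environ[name] = value
    try:
        yield
    finally:
        if old is None:
            os.environ.pop(name, None)
        else:
            os.environ[name] = old


def verify_path_report():
    """Split the default verify paths into build-time and env-driven parts."""
    p = ssl.get_default_verify_paths()
    return {
        # Defaults fixed when the linked OpenSSL was built.
        "compiled_in": {"cafile": p.openssl_cafile, "capath": p.openssl_capath},
        # Names of the variables that shadow the compiled-in defaults.
        "env_names": {"cafile": p.openssl_cafile_env, "capath": p.openssl_capath_env},
        # What will be used; None when the file or directory does not exist.
        "effective": {"cafile": p.cafile, "capath": p.capath},
    }


def report_with_bundle(bundle_path):
    """Re-run the report with the CA-file variable pointing at bundle_path."""
    env_name = ssl.get_default_verify_paths().openssl_cafile_env
    with temp_env(env_name, bundle_path):
        return verify_path_report()


def demo():
    # Constructed input: an empty temp file standing in for a site CA bundle.
    with tempfile.NamedTemporaryFile(suffix=".pem", delete=False) as fh:
        bundle = fh.name
    try:
        return bundle, verify_path_report(), report_with_bundle(bundle)
    finally:
        os.unlink(bundle)
```

For a single process, `ssl.create_default_context(cafile=...)` loads an explicit CA bundle without touching the environment and keeps certificate verification on.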

  7. [Support Staff] Posted by Marcin Kuzminsk... on 02 Sep, 2016 08:07 AM

    Hi Jerry,

    A quick update on our side. We did more investigation on this issue and found out that this solution should fix the problem for the 4.X series with updated Python: https://community.rhodecode.com/t/cloning-problem-over-ssl/49/22?u=...

    Could you check this out and verify our tests? If this also works for you, we'll add this fix into the next installer iteration.

    Best,
