2

We recently migrated into a new development platform. We are still setting up some parts for our whole workflow to work without issues. We have this one problem where we need to promote a project into Production but we keep getting an error in the server. Our team is not well versed in IronPython to easily resolve this.

I am editing the script concerned regarding this. The original script is as follows: (Please note that I have edited/removed confidential and unnecessary parts)

def callWebService(URI, setProjectState): 
    job = jobs[0]
    job.AddNote(0, job.CurrentVersion, ('%s.' % (job.Id)))

    PARAMETERS='{"id": "%s", "someData": "%s"}' % (job.Id, setProjectState)

    from System.Net import WebRequest
    request = WebRequest.Create(URI)
    request.ContentType = "application/json"
    request.Method = "POST"

    from System.Text import Encoding
    bytes = Encoding.ASCII.GetBytes(PARAMETERS)
    request.ContentLength = bytes.Length
    reqStream = request.GetRequestStream()
    reqStream.Write(bytes, 0, bytes.Length)
    reqStream.Close()

    response = request.GetResponse()

    from System.IO import StreamReader
    result = StreamReader(response.GetResponseStream()).ReadToEnd()
    print result
    return; 

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12   

callWebService('https://somesite.com/needtoposthere', 'Production')

The new platform's support told us that in order to resolve this, we need to bypass the ssl verification part because it is only in this part of our workflow that we are posting data to an HTTPS url since it's production.

I have tried numerous ways such as adding the ff code:

import ssl

try:
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    pass
else:
    ssl._create_default_https_context = _create_unverified_https_context

Also tried inserting this one as recommended by support:

from System.Net import ServicePointManager
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12

and

from System.Net import ServicePointManager
ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072

I've also tried using the verify = false of the ssl library but still keeps on getting errors.

For the first solution, the error that I'm getting is the ssl module can't seem to be imported. Logs show the error module named "ssl" cannot be found". I tried declaring the import like this same as the other import declarations: from System.Net import ssl but still gets the same error.

For the second solution, the script can't recognize the SecurityProtocolType even though the ServicePointManager has been imported successfully.

I don't understand why I can't seem to import even Python's built-in libraries (ssl). Please do understand that the script I've posted is the only one that we can tinker since we do not have access to the other scripts at all.

Paradigm
  • 159
  • 1
  • 3
  • 11

1 Answers1

1

When using .NET's WebRequest you are bypassing all SSL/TLS-infrastructure that might be in standard python and you need to change SSL/TLS settings on the .NET side.

Given that the module ssl was not found it is either not on the module lookup path or not compatible with IronPython (as it might be native).

Warning: The following sample disables all certificate validation and is NOT SUITABLE FOR PRODUCTION Furthermore it restricts the SSL/TLS version to 1.2 only.

from System.Net import ServicePointManager, SecurityProtocolType
ServicePointManager.ServerCertificateValidationCallback = lambda sender, certificate, chain, sslPolicyErrors: True
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12

If possible you should avoid fully disabling certificate validation and do at least some kind of thumbprint check which means that you are pinning and allowing only a single, expected, not fully valid development certificate. This could look something like

def certificateCheck(sender, certificate, chain, sslPolicyErrors):
    # check for certificate whitelist, specific root certificate etc.
    # print certificate
    return certificate.Thumbprint == "..."

ServicePointManager.ServerCertificateValidationCallback = certificateCheck
Simon Opelt
  • 6,136
  • 2
  • 35
  • 66
  • So that's why I can't import the ssl module. Thank you for the shared knowledge. I really haven't thought of adding the SecurityProtocolType since I assumed that importing ServicePointManager will be enough. We are only doing this temporary fix since Support said that the issue will be resolved in the next update of their software but is not yet available as of the moment – Paradigm Mar 30 '19 at 09:46
  • yep, I've added another snippet to my answer that shows how you could approach checking for a specific certificate to avoid accepting anything. Give it a try and please mark the answer if that solves your question. – Simon Opelt Mar 30 '19 at 10:23
  • Sorry for the late accept, we were able to test this just yesterday. Works like a charm! – Paradigm Apr 15 '19 at 23:41