0

I am using aiohttp python package to make get requests. On my MacBook M2 2022 device, I see SSL verification failed Exception raised all the time.
I have gone through this issue. I have applied certifi patch and still it's not working. Based on another issue, it suggests setting parameter ssl=False, which actually works. I know this is not a right way and how dangerous this is depends on what the get request is dealing with. In my scenario, I am using get request to fetch some data from the YouTube server and writing that data to a file.
I did read through this issue that discusses on the safety of disabling the SSL certificate validation. But I am still not fully convinced that it might be safe in my scenario. Hence, this question!
So, how safe is it in my scenario to disable the SSL certificate verification?
Or
Is there any other way to solve this issue?

Traceback (most recent call last):
File "/Users/wade/Library/Python/3.11/lib/python/site-packages/aiohttp/connector.py", line 980, in _wrap_create_connection
return await self._loop.create_connection(*args, **kwargs)  # type: ignore[return-value]  # noqa
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/asyncio/base_events.py", line 1112, in create_connection
transport, protocol = await self._create_connection_transport(
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/asyncio/base_events.py", line 1145, in _create_connection_transport
await waiter
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/asyncio/sslproto.py", line 574, in _on_handshake_complete
raise handshake_exc
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/asyncio/sslproto.py", line 556, in _do_handshake
self._sslobj.do_handshake()
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/ssl.py", line 979, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:1002)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
File "/Users/wade/test.py", line 12, in <module>
asyncio.run(main())
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/asyncio/runners.py", line 190, in run
return runner.run(main)
       ^^^^^^^^^^^^^^^^
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/asyncio/runners.py", line 118, in run
return self._loop.run_until_complete(task)
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/opt/local/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/asyncio/base_events.py", line 653, in run_until_complete
return future.result()
       ^^^^^^^^^^^^^^^
File "/Users/wade/test.py", line 9, in main
async with session.get(url) as resp:
File "/Users/wade/Library/Python/3.11/lib/python/site-packages/aiohttp/client.py", line 1141, in __aenter__
self._resp = await self._coro
             ^^^^^^^^^^^^^^^^
File "/Users/wade/Library/Python/3.11/lib/python/site-packages/aiohttp/client.py", line 536, in _request
conn = await self._connector.connect(
       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Users/wade/Library/Python/3.11/lib/python/site-packages/aiohttp/connector.py", line 540, in connect
proto = await self._create_connection(req, traces, timeout)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Users/wade/Library/Python/3.11/lib/python/site-packages/aiohttp/connector.py", line 901, in _create_connection
_, proto = await self._create_direct_connection(req, traces, timeout)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Users/wade/Library/Python/3.11/lib/python/site-packages/aiohttp/connector.py", line 1206, in _create_direct_connection
raise last_exc
File "/Users/wade/Library/Python/3.11/lib/python/site-packages/aiohttp/connector.py", line 1175, in _create_direct_connection
transp, proto = await self._wrap_create_connection(
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Users/wade/Library/Python/3.11/lib/python/site-packages/aiohttp/connector.py", line 984, in _wrap_create_connection
raise ClientConnectorSSLError(req.connection_key, exc) from exc
aiohttp.client_exceptions.ClientConnectorSSLError: Cannot connect to host stackoverflow.com:443 ssl:default [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:1002)]
Trevor Philip
  • 33
  • 7
  • If you disable ssl(validation), you lose the ability to tell if someone is impersonating the server. Depends on how much you would mind if that happened. If you're just downloading some stuff, maybe it is ok. If you are logged in, sending a login name and password off into the unknown would definitely not be ok. – teapot418 May 29 '23 at 14:56
  • @teapot418 No, I have not logged in or sending any kind of sensitive information. To be more precise, I just make a request to youtube.com/{some path}/{query params} and save the response data to a file. – Trevor Philip May 29 '23 at 15:40

1 Answers1

0

The risk in your case is very low. As pointed out, you're not sending any secrets that could be stolen and you're not executing the content you're downloading. Worst case scenario, the content you download is not correct. It is up to you to analyze your threat model and decide if that is okay. For a personal project that you're testing out that's probably fine. If this is a company internal application that all employees will use then that is probably a risk you don't want to take.

rene
  • 146
  • 5