SSL Certificate Verification and Httplib2

I’ve started experimenting with httplib2 to make REST calls to Parse.com. It looks decent enough, but it doesn’t include a root certificate that can validate the Parse SSL certificate. Below, I show examples of (1) the easy work-around and (2) the real solution.

Broken Example

Piecing together tutorial code from httplib2 and Parse.com will give you the following:

import httplib2
header = {'X-Parse-Application-Id':'myAppIdHere',
          'X-Parse-REST-API-Key':'myRestKeyHere'}
url = 'https://api.parse.com/1/classes/myClassHere'
h = httplib2.Http()
resp, content = h.request(url, headers = header)

Executing this will produce the error:

httplib2.SSLHandshakeError: [Errno 1] _ssl.c:499: error:14090086:SSL routines:
   SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Workaround

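The workaround is to bypass certificate validation when creating the Http object. It works, but it compromises the security of our data: with validation disabled, httplib2 accepts whatever certificate the server presents, so the connection is encrypted but the peer is never authenticated.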

h = httplib2.Http(
        disable_ssl_certificate_validation=True)

Best Fix

To take advantage of SSL, we need to get httplib2 using the correct root certificate. The first step in this process is finding the right root certificate to use. This is how I did it:

  1. In Firefox, go to https://parse.com
  2. Right-click and drill-down “View Page Info/Security/View Certificate/Details”
  3. Notice “DigiCert High Assurance EV Root CA”
  4. Google this to find the DigiCert certificates page
  5. Right-click and “save-as”: DigiCertHighAssuranceEVRootCA.crt
  6. Use openssl to convert this to a PEM file as follows:
openssl x509 -in DigiCertHighAssuranceEVRootCA.crt \
             -out DigiCertHighAssuranceEVRootCA.pem \
             -outform PEM

This is the root certificate that can validate parse.com. Httplib2 can access it if you copy its contents into the certificate store for httplib2 or if you provide its filesystem path when constructing the httplib2.Http object. Here’s the improved and final version of the above code:

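import httplib2
header = {'X-Parse-Application-Id':'myAppIdHere',
          'X-Parse-REST-API-Key':'myRestKeyHere'}
url = 'https://api.parse.com/1/classes/myClassHere'
# Validate the server certificate against the DigiCert root only
h = httplib2.Http(ca_certs=
        '/path/to/DigiCertHighAssuranceEVRootCA.pem')
resp, content = h.request(url, headers = header)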
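
Before pointing ca_certs at a root certificate downloaded after a web search, its SHA-256 fingerprint can be compared with the value a trusted source (for example the browser's certificate viewer) shows for the same root. The following is an added example, not code from the original post; the function names and SAMPLE_DER (constructed bytes, not a real certificate) are assumptions for illustration, and it goes slightly beyond the post by accepting either DER or PEM input.

```python
import hashlib
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"

# Constructed placeholder bytes standing in for a downloaded .crt file.
# This is NOT a real certificate; read the real file with open(path, "rb").
SAMPLE_DER = b"\x30\x82" + b"constructed-placeholder-not-a-certificate"


def load_cert_as_der(raw):
    """Return DER bytes for one certificate supplied as PEM or DER."""
    text = raw.decode("ascii", errors="ignore").strip()
    if text.startswith(PEM_HEADER):
        # Validates the BEGIN/END markers and base64-decodes the body.
        return ssl.PEM_cert_to_DER_cert(text)
    return raw  # no PEM header: treat the input as DER


def sha256_fingerprint(der):
    """Colon-separated uppercase SHA-256 of the DER encoding."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_if_trusted(raw, expected_fingerprint):
    """Return PEM text for ca_certs only if the fingerprint matches."""
    der = load_cert_as_der(raw)
    actual = sha256_fingerprint(der)
    if actual != expected_fingerprint.strip().upper():
        raise ValueError("fingerprint mismatch, got " + actual)
    return ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    # In real use the expected value is copied from a trusted source,
    # never computed from the file being checked as done here for the demo.
    expected = sha256_fingerprint(SAMPLE_DER)
    pem = pem_if_trusted(SAMPLE_DER, expected)
    print(pem)
    try:
        pem_if_trusted(SAMPLE_DER, "00:" * 31 + "00")
    except ValueError as exc:
        print("rejected:", exc)
```

Write the returned PEM text to a file and pass that path as ca_certs only when no exception is raised.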

3 Responses to “SSL Certificate Verification and Httplib2”

  1. bunyk Says:

    There is an easier way: you could just view the certificate in Firefox and export it from there as a PEM file, so there is no need to google the certificate and convert it with openssl.

    • romanows Says:

      Wow, this is much better than the method outlined in my post. This was either not available in Firefox when I wrote the post, or else I completely missed the straightforward solution. Thanks for your comment!

  2. cgira Says:

    The most updated certificate can also be obtained from http://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ckfw/builtins/certdata.txt
