[yocto] Missing certificates
Gary Thomas
gary at mlbassoc.com
Mon Jul 27 07:05:05 PDT 2015
On 2015-07-24 12:02, Gary Thomas wrote:
> I was trying to run a simple fetch from python using
> url = 'https://raw.github.com/Itseez/opencv/master/samples/c/fruits.jpg'
> filedata = urllib2.urlopen(url).read()
>
> This failed:
> Traceback (most recent call last):
> File "./edge.py", line 36, in <module>
> filedata = urllib2.urlopen(url).read()
> File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
> return opener.open(url, data, timeout)
> File "/usr/lib/python2.7/urllib2.py", line 431, in open
> response = self._open(req, data)
> File "/usr/lib/python2.7/urllib2.py", line 449, in _open
> '_open', req)
> File "/usr/lib/python2.7/urllib2.py", line 409, in _call_chain
> result = func(*args)
> File "/usr/lib/python2.7/urllib2.py", line 1240, in https_open
> context=self._context)
> File "/usr/lib/python2.7/urllib2.py", line 1197, in do_open
> raise URLError(err)
> urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)>
>
> I can see that it was looking for some certificates in /usr/lib/ssl/certs
> but that directory is missing.
>
> Anyone know what I might be missing (or have misconfigured)?
>
> Thanks
>
I've found a discussion about this problem on the OpenEmbedded
development list:
http://lists.openembedded.org/pipermail/openembedded-devel/2015-July/102160.html
So the problem that this has uncovered is twofold:
1) Python (and OpenSSL) are not using the certificates that are installed by the ca-certificates package
OpenSSL expects the certificates in /usr/lib/ssl/certs and ca-certificates uses /etc/ssl/certs
2) The certificates from ca-certificates are not immediately usable by OpenSSL since they are not
hashed. This is done by the 'c_rehash' program but has been explicitly disabled by a patch.
Further exploration implies that this was disabled because not all targets will have c_rehash
available and since the hashing is expected to be done on the target when the certificates
are loaded/updated. Finally, c_rehash may or may not exist in the OpenSSL packages, depending
on whether or not perl is available on the target (it's a perl script).
How best to solve this? As is, python https:// support is broken in OE-core, so I think an
off-the-shelf solution is warranted.
Perhaps the PACKAGECONFIG for openssl should default to supporting perl on the target, and hence
the c_rehash utility would be available? Certainly the choice of where the certificates live, etc,
should be standardized.
Maybe the c_rehash can be run at package build time for ca-certificates? This would make things work,
at least for the real CA certificates.
Ideas?
--
------------------------------------------------------------
Gary Thomas | Consulting for the
MLB Associates | Embedded world
------------------------------------------------------------
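As an added example (this is not code from Gary's message, from OE-core or from OpenSSL), the following script is what one would run on the target to confirm the two failures described above and to work around the missing c_rehash. It assumes Python 3.7+ and, for the hashing step only, an `openssl` binary on PATH; like c_rehash it expects one certificate per file. `ssl.get_default_verify_paths()` reports the CApath/CAfile compiled into the OpenSSL that Python links against (the /usr/lib/ssl/certs location the traceback was looking for) and returns None for a path that does not exist on disk, which is failure 1). `plan_links()`/`rehash()` recreate the `<subject-hash>.N` symlinks that OpenSSL's hash-directory lookup needs, which is failure 2), without needing perl.

```python
"""Added example: diagnose OpenSSL's trust-store lookup and rebuild the
<hash>.N links without perl.  Assumes Python 3.7+ and an `openssl` binary
(the latter only for rehash()/subject_hash())."""
import os
import re
import ssl
import subprocess

# OpenSSL's hash-dir lookup opens files named <8 hex digits of subject hash>.<n>
HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")


def openssl_lookup_paths():
    """Return the CAfile/CApath compiled into the OpenSSL this Python uses.
    capath/cafile come back as None when the path does not exist on disk,
    which is exactly the missing-/usr/lib/ssl/certs situation in the thread."""
    p = ssl.get_default_verify_paths()
    return {
        "cafile": p.cafile,
        "capath": p.capath,
        "cafile_env": p.openssl_cafile_env,   # SSL_CERT_FILE
        "capath_env": p.openssl_capath_env,   # SSL_CERT_DIR
    }


def has_hash_links(names):
    """True if a directory listing already contains hash-dir style entries."""
    return any(HASH_LINK.match(n) for n in names)


def subject_hash(pem_path):
    """Ask the openssl CLI for the subject-name hash c_rehash would use."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject_hash", "-in", pem_path],
        check=True, capture_output=True, text=True,
    ).stdout
    return out.strip()


def plan_links(hashes, existing=()):
    """Map {cert_filename: subject_hash} to (link_name, cert_filename) pairs.
    As in c_rehash, certificates sharing a subject hash get .0, .1, ...;
    names in `existing` count as taken.  Pure function, testable without openssl."""
    taken = set(existing)
    plan = []
    for cert, h in sorted(hashes.items()):
        n = 0
        while f"{h}.{n}" in taken:
            n += 1
        link = f"{h}.{n}"
        taken.add(link)
        plan.append((link, cert))
    return plan


def rehash(certdir):
    """perl-free equivalent of `c_rehash certdir` for certificates (CRL links,
    which c_rehash also makes via -issuer_hash, are not handled).  Returns the
    link names created."""
    names = sorted(os.listdir(certdir))
    # Drop stale hash links first, as c_rehash does, so removed or renamed
    # certificates do not leave dangling <hash>.N entries behind.
    for n in names:
        full = os.path.join(certdir, n)
        if HASH_LINK.match(n) and os.path.islink(full):
            os.unlink(full)
    certs = [n for n in names
             if n.endswith((".pem", ".crt")) and not HASH_LINK.match(n)]
    hashes = {c: subject_hash(os.path.join(certdir, c)) for c in certs}
    created = []
    for link, cert in plan_links(hashes):
        os.symlink(cert, os.path.join(certdir, link))  # relative link, like c_rehash
        created.append(link)
    return created


def diagnose():
    """Return findings explaining why CERTIFICATE_VERIFY_FAILED may occur."""
    paths = openssl_lookup_paths()
    findings = []
    if paths["capath"] is None and paths["cafile"] is None:
        findings.append("OpenSSL default CApath/CAfile are missing; set %s or %s, "
                        "or install certificates there"
                        % (paths["capath_env"], paths["cafile_env"]))
    elif paths["capath"] and not has_hash_links(os.listdir(paths["capath"])):
        findings.append("%s exists but has no <hash>.N links; run rehash()"
                        % paths["capath"])
    return findings


if __name__ == "__main__":
    import sys
    print(openssl_lookup_paths())
    print("\n".join(diagnose()) or "trust store looks usable")
    if len(sys.argv) > 1:
        print("created:", rehash(sys.argv[1]))
```

Run it with no arguments to see which of the two problems applies on a given image, then `python3 rehash.py /etc/ssl/certs` after installing ca-certificates. Until the location is standardized, the quickest way to make the compiled-in path and the package's path agree is to point SSL_CERT_DIR at /etc/ssl/certs or to make /usr/lib/ssl/certs a symlink to it; either way the directory still needs the hash links, since OpenSSL never reads a CApath directory by scanning it.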