Web-services - Working with self-signed certificates

When a web-service request is made to the management server, an HTTPS connection is created.

Typically, the Gaia portal certificate is kept and is not replaced with a "real" certificate from a trusted certificate authority.

Keeping Gaia's certificate means that:

* Browsers are expected to warn you before you enter the Gaia portal.

* Some tools and programming languages will not allow you to connect to the management server via web-services, because they report that the server's certificate is not trusted.

There are a few options:

* Replace Gaia's portal certificate with a trusted certificate - See sk97648

* Bypass the SSL certificate checks - This is strongly discouraged, as it leaves you vulnerable to a man-in-the-middle attack.

* Verify the server's identity by checking the certificate's fingerprint (a.k.a. the certificate's thumbprint).

Here are code snippets that verify the server's fingerprint using C# and Python:

Using C#

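    // Note: this callback is process-wide. It applies to every HTTPS request
    // the application makes through ServicePointManager.
    ServicePointManager.ServerCertificateValidationCallback = delegate(
        object obj,
        System.Security.Cryptography.X509Certificates.X509Certificate certificate,
        System.Security.Cryptography.X509Certificates.X509Chain chain,
        System.Net.Security.SslPolicyErrors errors)
    {
        // Validate the fingerprint hash. GetCertHashString() returns the SHA-1
        // hash as uppercase hex without separators, so expected_fingerprint
        // must be stored in that form.
        return certificate != null
            && certificate.GetCertHashString() == expected_fingerprint;
    };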

Using Python

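    # Python 2 code: httplib became http.client in Python 3, and
    # ssl.wrap_socket() was removed in Python 3.12.
    import hashlib
    import httplib
    import ssl


    class HTTPSConnection(httplib.HTTPSConnection):
        """
        Class for handling the HTTPS Connection
        """

        def connect(self):
            httplib.HTTPConnection.connect(self)
            # CERT_NONE disables CA validation; the fingerprint comparison
            # below is the only check of the server's identity.
            self.sock = ssl.wrap_socket(
                self.sock, self.key_file, self.cert_file,
                cert_reqs=ssl.CERT_NONE)
            # The caller must set self.fingerprint before connecting
            # (AttributeError otherwise). If it is set to None, the
            # certificate is not verified at all.
            if getattr(self, 'fingerprint') is not None:
                digest = self.fingerprint
                alg = "SHA1"
                # getpeercert(True) returns the certificate in DER form
                fingerprint = hashlib.new(
                    alg, self.sock.getpeercert(True)).hexdigest().upper()
                if fingerprint != digest.replace(':', '').upper():
                    raise Exception('fingerprint mismatch: %s' % fingerprint)

        def get_fingerprint_hash(self):
            # Connects without any verification and returns the SHA-1
            # fingerprint of whatever certificate the peer presents.
            httplib.HTTPConnection.connect(self)
            self.sock = ssl.wrap_socket(
                self.sock, self.key_file, self.cert_file,
                cert_reqs=ssl.CERT_NONE)
            fingerprint = hashlib.new(
                "SHA1", self.sock.getpeercert(True)).hexdigest()
            return fingerprint.upper()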

To get the server's fingerprint in a secure way, run "api fingerprint" on the management server.
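
The same fingerprint check for Python 3, as an added example that is not part of the original post or of Check Point's code: `ssl.SSLContext` replaces `ssl.wrap_socket`, and a missing or malformed pin is rejected instead of skipping verification. The names `check_pin`, `cert_fingerprint`, `PinnedHTTPSConnection` and `SAMPLE_DER` are hypothetical.

```python
import hashlib
import hmac
import http.client
import ssl

HEX = set("0123456789ABCDEF")


def cert_fingerprint(der_bytes):
    """SHA-1 over the DER-encoded certificate, as in the snippets above."""
    return hashlib.sha1(der_bytes).hexdigest().upper()


def check_pin(der_bytes, expected):
    """Return the fingerprint on a match; raise otherwise (fails closed)."""
    want = (expected or "").replace(":", "").replace(" ", "").upper()
    if len(want) != 40 or not set(want) <= HEX:
        raise ValueError("pinned fingerprint missing or not a SHA-1 hex digest")
    if not der_bytes:
        raise ssl.SSLError("server presented no certificate")
    got = cert_fingerprint(der_bytes)
    if not hmac.compare_digest(got, want):
        raise ssl.SSLError("fingerprint mismatch: %s" % got)
    return got


class PinnedHTTPSConnection(http.client.HTTPSConnection):
    """Hypothetical helper: trusts exactly one certificate, chosen by fingerprint."""

    def __init__(self, host, fingerprint, port=443, timeout=10):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False       # a self-signed cert cannot pass CA or
        ctx.verify_mode = ssl.CERT_NONE  # hostname checks; the pin replaces them
        super().__init__(host, port, timeout=timeout, context=ctx)
        self._pin = fingerprint

    def connect(self):
        super().connect()  # TLS handshake; the certificate is not yet trusted
        try:
            check_pin(self.sock.getpeercert(binary_form=True), self._pin)
        except Exception:
            self.close()  # never leave an unverified socket usable
            raise


# Constructed stand-in for DER bytes (not a real certificate), for an offline check.
SAMPLE_DER = b"abc"
```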
