Uri Bialik

Web-services - Working with self-signed certificates

Discussion created by Uri Bialik Expert on Dec 23, 2015

When you make a web-service request to the management server, an HTTPS connection is created.

Typically, the Gaia portal certificate is kept and is not replaced with a "real" certificate from a trusted certificate authority.

Keeping Gaia's certificate means that:

* Browsers are expected to warn you when entering the Gaia portal.

* Some tools and programming languages will not allow you to connect to the management server via web-services, because they report that the server's certificate is not trusted.

There are a few options:

* Replace Gaia's portal certificate with a trusted certificate - See sk97648

* Bypass the SSL certificate checks - This is highly not recommended, as it leaves you vulnerable to a man-in-the-middle attack.

* Verify the server's identity by checking the certificate's fingerprint (a.k.a. the certificate's thumbprint).

Here are code snippets that verify the server's fingerprint using C# and Python:

Using C#

using System.Net;

// expected_fingerprint holds the SHA-1 hash reported by "api fingerprint"
// on the management server, as upper-case hex without ':' separators
string expected_fingerprint = "<value from 'api fingerprint'>";

ServicePointManager.ServerCertificateValidationCallback = delegate(object obj, System.Security.Cryptography.X509Certificates.X509Certificate certificate, System.Security.Cryptography.X509Certificates.X509Chain chain, System.Net.Security.SslPolicyErrors errors)
{
    // validate fingerprint hash: GetCertHashString() returns the SHA-1 hash
    // of the certificate as an upper-case hex string without separators
    if (certificate.GetCertHashString() == expected_fingerprint)
    {
        return true;
    }

    return false;
};

Using Python

import hashlib
import httplib
import ssl


class HTTPSConnection(httplib.HTTPSConnection):
    """
    Class for handling the HTTPS Connection, pinned to the server's
    SHA-1 certificate fingerprint (the value printed by "api fingerprint")
    """
    def __init__(self, host, fingerprint=None, **kwargs):
        httplib.HTTPSConnection.__init__(self, host, **kwargs)
        # expected fingerprint, with or without ':' separators
        self.fingerprint = fingerprint

    def connect(self):
        httplib.HTTPConnection.connect(self)
        # chain validation is disabled (self-signed certificate); the
        # fingerprint comparison below is what authenticates the server
        self.sock = ssl.wrap_socket(
            self.sock, self.key_file, self.cert_file,
            cert_reqs=ssl.CERT_NONE)
        if getattr(self, 'fingerprint', None) is not None:
            digest = self.fingerprint
            alg = "SHA1"
            fingerprint = hashlib.new(
                alg, self.sock.getpeercert(True)).hexdigest().upper()
            if fingerprint != digest.replace(':', '').upper():
                raise Exception('fingerprint mismatch: %s' % fingerprint)

    def get_fingerprint_hash(self):
        """Connect without any check and return the server's SHA-1 fingerprint"""
        httplib.HTTPConnection.connect(self)
        self.sock = ssl.wrap_socket(
            self.sock, self.key_file, self.cert_file,
            cert_reqs=ssl.CERT_NONE)
        fingerprint = hashlib.new(
            "SHA1", self.sock.getpeercert(True)).hexdigest()
        return fingerprint.upper()

To get the server's fingerprint in a secure way, run "api fingerprint" on the management server.
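The same fingerprint check written for Python 3 (http.client and ssl.SSLContext), added here as an example and not part of the original post; the host name and the fingerprint string in the main block are placeholders you replace with your management server and the output of "api fingerprint":

```python
# Added example (not from the original post): Python 3 equivalent of the
# httplib snippet above, pinning the SHA-1 fingerprint printed by
# "api fingerprint" instead of relying on CA chain validation.
import hashlib
import hmac
import http.client
import ssl


def normalize_fingerprint(fp):
    """Strip ':' and whitespace and upper-case, so 'ab:cd' and 'ABCD' compare equal."""
    return "".join(fp.split()).replace(":", "").upper()


def fingerprint_matches(der_cert, expected, alg="sha1"):
    """True if the hash of the DER-encoded certificate equals the expected value."""
    actual = hashlib.new(alg, der_cert).hexdigest().upper()
    # constant-time comparison of the two hex strings
    return hmac.compare_digest(actual, normalize_fingerprint(expected))


class PinnedHTTPSConnection(http.client.HTTPSConnection):
    """HTTPSConnection that accepts only the pinned server certificate."""

    def __init__(self, host, fingerprint, **kwargs):
        # Chain and hostname validation are disabled because the Gaia portal
        # certificate is self-signed; the fingerprint pin is the only check.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        super().__init__(host, context=ctx, **kwargs)
        self.fingerprint = fingerprint

    def connect(self):
        super().connect()
        der_cert = self.sock.getpeercert(binary_form=True)
        if not fingerprint_matches(der_cert, self.fingerprint):
            self.close()
            raise ssl.SSLError("server certificate fingerprint mismatch")


if __name__ == "__main__":
    # Placeholders: your management server and the value "api fingerprint" prints.
    conn = PinnedHTTPSConnection("mgmt.example.invalid",
                                 "REPLACE-WITH-OUTPUT-OF-api-fingerprint")
    conn.request("POST", "/web_api/login", body="{}",
                 headers={"Content-Type": "application/json"})
    print(conn.getresponse().status)
```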