Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSL Certificate Error on Windows 8 #122

Open
sapi opened this issue Feb 26, 2015 · 14 comments
Open

SSL Certificate Error on Windows 8 #122

sapi opened this issue Feb 26, 2015 · 14 comments
Labels
bug priority: high
Milestone
MyPyTutor 3.1

Comments

@sapi
Copy link
Contributor

sapi commented Feb 26, 2015

Split from #98
This is a critical error, and we cannot release MPT tomorrow without a fix.

SessionManager calls give the following error on Windows 8 (as reported by @starsnabove):

C:\Users\Starsnabove\Documents\mpt>python.exe MyPyTutor.py
Exception in Tkinter callback
Traceback (most recent call last):
  File "C:\Python34\lib\urllib\request.py", line 1182, in do_open
    h.request(req.get_method(), req.selector, req.data, headers)
  File "C:\Python34\lib\http\client.py", line 1088, in request
    self._send_request(method, url, body, headers)
  File "C:\Python34\lib\http\client.py", line 1126, in _send_request
    self.endheaders(body)
  File "C:\Python34\lib\http\client.py", line 1084, in endheaders
    self._send_output(message_body)
  File "C:\Python34\lib\http\client.py", line 922, in _send_output
    self.send(msg)
  File "C:\Python34\lib\http\client.py", line 857, in send
    self.connect()
  File "C:\Python34\lib\http\client.py", line 1231, in connect
    server_hostname=server_hostname)
  File "C:\Python34\lib\ssl.py", line 365, in wrap_socket
    _context=self)
  File "C:\Python34\lib\ssl.py", line 583, in __init__
    self.do_handshake()
  File "C:\Python34\lib\ssl.py", line 810, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c
:600)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Users\Starsnabove\Documents\mpt\tutorlib\online\session.py", line 171
, in _open
    return self._opener.open(url, data)
  File "C:\Python34\lib\urllib\request.py", line 469, in open
    response = meth(req, response)
  File "C:\Python34\lib\urllib\request.py", line 579, in http_response
    'http', request, response, code, msg, hdrs)
  File "C:\Python34\lib\urllib\request.py", line 501, in error
    result = self._call_chain(*args)
  File "C:\Python34\lib\urllib\request.py", line 441, in _call_chain
    result = func(*args)
  File "C:\Python34\lib\urllib\request.py", line 684, in http_error_302
    return self.parent.open(new, timeout=req.timeout)
  File "C:\Python34\lib\urllib\request.py", line 469, in open
    response = meth(req, response)
  File "C:\Python34\lib\urllib\request.py", line 579, in http_response
    'http', request, response, code, msg, hdrs)
  File "C:\Python34\lib\urllib\request.py", line 501, in error
    result = self._call_chain(*args)
  File "C:\Python34\lib\urllib\request.py", line 441, in _call_chain
    result = func(*args)
  File "C:\Python34\lib\urllib\request.py", line 684, in http_error_302
    return self.parent.open(new, timeout=req.timeout)
  File "C:\Python34\lib\urllib\request.py", line 463, in open
    response = self._open(req, data)
  File "C:\Python34\lib\urllib\request.py", line 481, in _open
    '_open', req)
  File "C:\Python34\lib\urllib\request.py", line 441, in _call_chain
    result = func(*args)
  File "C:\Python34\lib\urllib\request.py", line 1225, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "C:\Python34\lib\urllib\request.py", line 1184, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certifica
te verify failed (_ssl.c:600)>

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "C:\Users\Starsnabove\Documents\mpt\tutorlib\interface\web_api.py", line
121, in login
    success = self.session_manager.login(username, password)
  File "C:\Users\Starsnabove\Documents\mpt\tutorlib\online\session.py", line 97,
 in login
    response = self._open(url)
  File "C:\Users\Starsnabove\Documents\mpt\tutorlib\online\session.py", line 178
, in _open
    ) from e
tutorlib.online.exceptions.RequestError: Connection Error.  Check your network c
onnection and try again.

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "C:\Python34\lib\tkinter\__init__.py", line 1533, in __call__
    return self.func(*args)
  File "C:\Python34\lib\tkinter\__init__.py", line 582, in callit
    func(*args)
  File "C:\Users\Starsnabove\Documents\mpt\tutorlib\gui\app\app.py", line 574, i
n login
    logged_in = self.web_api.login()
  File "C:\Users\Starsnabove\Documents\mpt\tutorlib\interface\web_api.py", line
126, in login
    ) from e
tutorlib.interface.web_api.WebAPIError

I can think of two options.
One would be to create a urllib.requests.HTTPSHandler with a ssl context which has disabled verification, and pass that to build_opener.
Alternatively, we could probably download the public certificate we're using for the server and explicitly include that in the trusted certificate chain.

@jgat Thoughts on how you'd like us to handle this, seeing as you're more familiar with the SSO code?
@sapi sapi added this to the MyPyTutor 3.0 milestone Feb 26, 2015
@jgat
Copy link
Contributor

jgat commented Feb 26, 2015

(On my phone)

Of those two options, the second one sounds more sensible from a security standpoint, but I haven't given consideration to the implementation cost.

Other questions: is this reproducible? Only Win8? On other Win8 machines also? Is this a problem on UQ's end that will probably get fixed by them? (You could probably ask #attic on that last one)

@mijohen
Copy link
Contributor

mijohen commented Feb 26, 2015

Ill do some testing on my windows 8 machine when I get home and see if I can reproduce the error.

-------- Original message --------
From: Jackson Gatenby [email protected]
Date:26/02/2015 18:07 (GMT+10:00)
To: CSSE1001/MyPyTutor [email protected]
Cc:
Subject: Re: [MyPyTutor] SSL Certificate Error on Windows 8 (#122)

(On my phone)

Of those two options, the second one sounds more sensible from a security standpoint, but I haven't given consideration to the implementation cost.

Other questions: is this reproducible? Only Win8? On other Win8 machines also? Is this a problem on UQ's end that will probably get fixed by them? (You could probably ask #attic on that last one)


Reply to this email directly or view it on GitHub.

@sapi
Copy link
Contributor Author

sapi commented Feb 26, 2015

I can log in and synchronise on my housemate's laptop, which is Windows 8.
No issues there.

I don't suppose Vincent has Superfish? :p

On Thursday, February 26, 2015, Michael Henderson [email protected]
wrote:

Ill do some testing on my windows 8 machine when I get home and see if I
can reproduce the error.

-------- Original message --------
From: Jackson Gatenby <[email protected]
javascript:_e(%7B%7D,'cvml','[email protected]');>
Date:26/02/2015 18:07 (GMT+10:00)
To: CSSE1001/MyPyTutor <[email protected]
javascript:_e(%7B%7D,'cvml','[email protected]');>
Cc:
Subject: Re: [MyPyTutor] SSL Certificate Error on Windows 8 (#122)

(On my phone)

Of those two options, the second one sounds more sensible from a security
standpoint, but I haven't given consideration to the implementation cost.

Other questions: is this reproducible? Only Win8? On other Win8 machines
also? Is this a problem on UQ's end that will probably get fixed by them?
(You could probably ask #attic on that last one)


Reply to this email directly or view it on GitHub.


Reply to this email directly or view it on GitHub
#122 (comment).

@sapi
Copy link
Contributor Author

sapi commented Feb 26, 2015

That would be great Michael. We really need to hunt this down!

On Thursday, February 26, 2015, Michael Henderson [email protected]
wrote:

Ill do some testing on my windows 8 machine when I get home and see if I
can reproduce the error.

-------- Original message --------
From: Jackson Gatenby <[email protected]
javascript:_e(%7B%7D,'cvml','[email protected]');>
Date:26/02/2015 18:07 (GMT+10:00)
To: CSSE1001/MyPyTutor <[email protected]
javascript:_e(%7B%7D,'cvml','[email protected]');>
Cc:
Subject: Re: [MyPyTutor] SSL Certificate Error on Windows 8 (#122)

(On my phone)

Of those two options, the second one sounds more sensible from a security
standpoint, but I haven't given consideration to the implementation cost.

Other questions: is this reproducible? Only Win8? On other Win8 machines
also? Is this a problem on UQ's end that will probably get fixed by them?
(You could probably ask #attic on that last one)


Reply to this email directly or view it on GitHub.


Reply to this email directly or view it on GitHub
#122 (comment).

@starsnabove
Copy link

What is superfish
On 26/02/2015 6:24 pm, "Sean Purdon" [email protected] wrote:

That would be great Michael. We really need to hunt this down!

On Thursday, February 26, 2015, Michael Henderson <
[email protected]>
wrote:

Ill do some testing on my windows 8 machine when I get home and see if I
can reproduce the error.

-------- Original message --------
From: Jackson Gatenby <[email protected]
javascript:_e(%7B%7D,'cvml','[email protected]');>
Date:26/02/2015 18:07 (GMT+10:00)
To: CSSE1001/MyPyTutor <[email protected]
javascript:_e(%7B%7D,'cvml','[email protected]');>
Cc:
Subject: Re: [MyPyTutor] SSL Certificate Error on Windows 8 (#122)

(On my phone)

Of those two options, the second one sounds more sensible from a security
standpoint, but I haven't given consideration to the implementation cost.

Other questions: is this reproducible? Only Win8? On other Win8 machines
also? Is this a problem on UQ's end that will probably get fixed by them?
(You could probably ask #attic on that last one)


Reply to this email directly or view it on GitHub.


Reply to this email directly or view it on GitHub
<#122 (comment)
.


Reply to this email directly or view it on GitHub
#122 (comment).

@sapi
Copy link
Contributor Author

sapi commented Feb 26, 2015

It's malware shipped on certain Lenovo laptops which intercepts and
decrypts all SSL traffic. I was largely being facetious, but that (or
something similar) could legitimately cause certificate errors.

On 26 February 2015 at 20:44, Vincent Kruger [email protected]
wrote:

What is superfish
On 26/02/2015 6:24 pm, "Sean Purdon" [email protected] wrote:

That would be great Michael. We really need to hunt this down!

On Thursday, February 26, 2015, Michael Henderson <
[email protected]>
wrote:

Ill do some testing on my windows 8 machine when I get home and see if
I
can reproduce the error.

-------- Original message --------
From: Jackson Gatenby <[email protected]
javascript:_e(%7B%7D,'cvml','[email protected]');>
Date:26/02/2015 18:07 (GMT+10:00)
To: CSSE1001/MyPyTutor <[email protected]
javascript:_e(%7B%7D,'cvml','[email protected]');>
Cc:
Subject: Re: [MyPyTutor] SSL Certificate Error on Windows 8 (#122)

(On my phone)

Of those two options, the second one sounds more sensible from a
security
standpoint, but I haven't given consideration to the implementation
cost.

Other questions: is this reproducible? Only Win8? On other Win8
machines
also? Is this a problem on UQ's end that will probably get fixed by
them?
(You could probably ask #attic on that last one)


Reply to this email directly or view it on GitHub.


Reply to this email directly or view it on GitHub
<
#122 (comment)
.


Reply to this email directly or view it on GitHub
<#122 (comment)
.


Reply to this email directly or view it on GitHub
#122 (comment).

@sapi
Copy link
Contributor Author

sapi commented Feb 26, 2015

@hendo-michael Did this end up happening on your machine?

@starsnabove
Copy link

Was doing some reading and apparently Microsoft created a massive ssl stuff up in November 2014 but would have thought they fixed it by now

@mijohen
Copy link
Contributor

mijohen commented Feb 26, 2015

I haven't seen that error but how did you produce the error?

@starsnabove
Copy link

Comment out the try except in the login method in tutolib/gui/app/app.py
On 26/02/2015 9:44 pm, "Michael Henderson" [email protected] wrote:

I haven't seen that error but how did you produce the error?


Reply to this email directly or view it on GitHub
#122 (comment).

@sapi sapi mentioned this issue Feb 28, 2015
Merged
@starsnabove
Copy link

I finally worked out how to get windows update to cooperate on Win8 and thought that might help (I was over 100 updates behind). But so far no luck logging in or even being prompted to log in outside the initial prompt in the terminal

@mijohen
Copy link
Contributor

mijohen commented Mar 2, 2015

@starsnabove Is this to do with windows 8 or 8.1? I am yet to reproduce this on my windows 8.1 machine.

@starsnabove
Copy link

It seems to be a problem somewhere within 8.1 but only I seem to have the
problem so we are ignoring it for now.
On 02/03/2015 8:09 pm, "Michael Henderson" [email protected] wrote:

@starsnabove https://github.com/starsnabove Is this to do with windows
8 or 8.1? I am yet to reproduce this on my windows 8.1 machine.


Reply to this email directly or view it on GitHub
#122 (comment).

@sapi sapi modified the milestones: MyPyTutor 3.1, MyPyTutor 3.0 Mar 5, 2015
@starsnabove
Copy link

This did appear to be a problem on one other persons laptop back in week 1 (Win 7) but is no longer a problem for me. I am now able to log in use MPT without any SSL or other issues

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug priority: high
Projects
None yet
Milestone
MyPyTutor 3.1
Development

No branches or pull requests
4 participants
@sapi @jgat @starsnabove @mijohen