CODEWITHSUNDEEP
pythonsslaiohttp
Kiwi
Kiwi

Reputation: 31

Python 3.6 on Windows: Including custom CA file not working

Adding a custom CA using python 3.6 (Anaconda) in Windows 10 is not working. What I did:

Created 2 environment variables:

SSL_CERT_DIR=C:\_Data\Certs <-- This alone should do the trick
SSL_CERT_FILE=C:\_Data\Certs\burp

I'm running Burp on localhost. I've exported the CA cert to c:\_Data\Certs\burp. Tried PEM and DER, both should work.

My program:

import aiohttp
import ssl
import asyncio

async def main():
    session = aiohttp.ClientSession()
    print(ssl.get_default_verify_paths()) # to verify that my environment variable is working
    f = open('C:\\_Data\\Certs\\burp', 'r') # To check I don't have a permission problem
    f.close()
    aiohttp_proxy = 'http://127.0.0.1:8080'
    async with session.get('https://www.whatismyip.com', proxy=aiohttp_proxy) as response:
        print(await response.text())
    await session.close()

if __name__ == "__main__":
    loop = asyncio.get_event_loop()
    loop.run_until_complete(main())

Output:

DefaultVerifyPaths(cafile='C:\\_Data\\Certs\\burp', capath='C:\\_Data\\Certs', openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/usr/local/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/usr/local/ssl/certs')
Traceback (most recent call last):
  File "C:\Users\defaultuser\PycharmProjects\testproject\venv\lib\site-packages\aiohttp\connector.py", line 822, in _wrap_create_connection
    return await self._loop.create_connection(*args, **kwargs)
  File "C:\ProgramData\Anaconda3\Lib\asyncio\base_events.py", line 802, in create_connection
    sock, protocol_factory, ssl, server_hostname)
  File "C:\ProgramData\Anaconda3\Lib\asyncio\base_events.py", line 828, in _create_connection_transport
    yield from waiter
  File "C:\ProgramData\Anaconda3\Lib\asyncio\sslproto.py", line 503, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "C:\ProgramData\Anaconda3\Lib\asyncio\sslproto.py", line 201, in feed_ssldata
    self._sslobj.do_handshake()
  File "C:\ProgramData\Anaconda3\Lib\ssl.py", line 683, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "C:/Users/defaultuser/PycharmProjects/testproject/_test/test_cert.py", line 20, in <module>
    loop.run_until_complete(main())
  File "C:\ProgramData\Anaconda3\Lib\asyncio\base_events.py", line 466, in run_until_complete
    return future.result()
  File "C:/Users/defaultuser/PycharmProjects/testproject/_test/test_cert.py", line 14, in main
    async with session.get('https://www.whatismyip.com', proxy=aiohttp_proxy) as response:
  File "C:\Users\defaultuser\PycharmProjects\testproject\venv\lib\site-packages\aiohttp\client.py", line 843, in __aenter__
    self._resp = await self._coro
  File "C:\Users\defaultuser\PycharmProjects\testproject\venv\lib\site-packages\aiohttp\client.py", line 366, in _request
    timeout=timeout
  File "C:\Users\defaultuser\PycharmProjects\testproject\venv\lib\site-packages\aiohttp\connector.py", line 445, in connect
    proto = await self._create_connection(req, traces, timeout)
  File "C:\Users\defaultuser\PycharmProjects\testproject\venv\lib\site-packages\aiohttp\connector.py", line 754, in _create_connection
    req, traces, timeout)
  File "C:\Users\defaultuser\PycharmProjects\testproject\venv\lib\site-packages\aiohttp\connector.py", line 960, in _create_proxy_connection
    req=req)
  File "C:\Users\defaultuser\PycharmProjects\testproject\venv\lib\site-packages\aiohttp\connector.py", line 827, in _wrap_create_connection
    raise ClientConnectorSSLError(req.connection_key, exc) from exc
aiohttp.client_exceptions.ClientConnectorSSLError: Cannot connect to host www.whatismyip.com:443 ssl:None [[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:749)]
Unclosed client session
client_session: <aiohttp.client.ClientSession object at 0x000001C3E504F278>

Process finished with exit code 1

I've doublechecked the CA file is correct by opening it and verifying it's the same as when pointing a regular browser to my proxy running at localhost and verifying the CA details after accessing an HTTPS website.

Why isn't it working ?

Upvotes: 1

Views: 847

Answers (1)

Kiwi
Kiwi

Reputation: 31

Reinstalled Anaconda, updated Pycharm, regenerated the CA in Burp and rebooted, it now works. Not sure what was the cause.

Upvotes: 1

Related Questions