We recently migrated into a new development platform. We are still setting up some parts for our whole workflow to work without issues. We have this one problem where we need to promote a project into Production but we keep getting an error in the server. Our team is not well versed in IronPython to easily resolve this.
I am editing the script concerned regarding this. The original script is as follows: (Please note that I have edited/removed confidential and unnecessary parts)

    def callWebService(URI, setProjectState):
        job = jobs[0]
        job.AddNote(0, job.CurrentVersion, ('%s.' % (job.Id)))
        PARAMETERS='{"id": "%s", "someData": "%s"}' % (job.Id, setProjectState)
        from System.Net import WebRequest
        request = WebRequest.Create(URI)
        request.ContentType = "application/json"
        request.Method = "POST"
        from System.Text import Encoding
        bytes = Encoding.ASCII.GetBytes(PARAMETERS)
        request.ContentLength = bytes.Length
        reqStream = request.GetRequestStream()
        reqStream.Write(bytes, 0, bytes.Length)
        reqStream.Close()
        response = request.GetResponse()
        from System.IO import StreamReader
        result = StreamReader(response.GetResponseStream()).ReadToEnd()
        print result
        return;

    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
    callWebService('https://somesite.com/needtoposthere', 'Production')

The new platform's support told us that in order to resolve this, we need to bypass the ssl verification part because it is only in this part of our workflow that we are posting data to an HTTPS url since it's production.
I have tried numerous ways, such as adding the following code:

    import ssl
    try:
        _create_unverified_https_context = ssl._create_unverified_context
    except AttributeError:
        pass
    else:
        ssl._create_default_https_context = _create_unverified_https_context

Also tried inserting this one as recommended by support:

    from System.Net import ServicePointManager
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12

and

    from System.Net import ServicePointManager
    ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072

I've also tried using the verify = false of the ssl library but still keep getting errors.
For the first solution, the error that I'm getting is that the ssl module can't seem to be imported. Logs show the error: module named "ssl" cannot be found.
I tried declaring the import the same way as the other import declarations: from System.Net import ssl, but I still get the same error.
For the second solution, the script can't recognize the SecurityProtocolType even though the ServicePointManager has been imported successfully.
I don't understand why I can't seem to import even Python's built-in libraries (ssl). Please do understand that the script I've posted is the only one that we can tinker with, since we do not have access to the other scripts at all.
When using .NET's WebRequest you are bypassing all SSL/TLS infrastructure that might be in standard Python, and you need to change SSL/TLS settings on the .NET side.
Given that the module ssl was not found, it is either not on the module lookup path or not compatible with IronPython (as it might be native).
Warning: The following sample disables all certificate validation and is NOT SUITABLE FOR PRODUCTION. Furthermore, it restricts the SSL/TLS version to 1.2 only.

    from System.Net import ServicePointManager, SecurityProtocolType
    ServicePointManager.ServerCertificateValidationCallback = lambda sender, certificate, chain, sslPolicyErrors: True
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12

If possible you should avoid fully disabling certificate validation and do at least some kind of thumbprint check which means that you are pinning and allowing only a single, expected, not fully valid development certificate. This could look something like

    from System.Net import ServicePointManager

    def certificateCheck(sender, certificate, chain, sslPolicyErrors):
        # check for certificate whitelist, specific root certificate etc.
        # print certificate
        return certificate.Thumbprint == "..."

    ServicePointManager.ServerCertificateValidationCallback = certificateCheck
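
The thumbprint check described above, carried a little further as an added example that is not part of the original answer: it normalizes the pinned value (thumbprints pasted from a certificate dialog often carry spaces or an invisible mark and would never equal the bare uppercase hex .NET reports) and fails closed on anything unexpected. `SAMPLE_PIN`, `SampleCertificate`, `make_pinned_callback` and `install_pinning` are hypothetical names, and the pin is a constructed value, not a real certificate.

```python
# Added example. It uses no standard-library imports, because the question's
# IronPython host could not import modules such as ssl.
HEX_DIGITS = "0123456789ABCDEF"
# Constructed sample pin (not a real certificate), as a certificate dialog
# often yields it: invisible left-to-right mark, lowercase, spaces.
SAMPLE_PIN = u"\u200e0a 1b 2c 3d 4e 5f 60 71 82 93 a4 b5 c6 d7 e8 f9 0a 1b 2c 3d"


def normalize_thumbprint(value):
    """Reduce a pasted thumbprint to the bare uppercase hex that .NET reports."""
    cleaned = "".join(ch for ch in value.upper() if ch in HEX_DIGITS)
    if len(cleaned) != 40:  # SHA-1 thumbprint: 20 bytes = 40 hex digits
        raise ValueError("not a SHA-1 thumbprint: %r" % (value,))
    return cleaned


def make_pinned_callback(pinned_thumbprints):
    """Build a validation callback that accepts only the pinned certificates."""
    pins = frozenset(normalize_thumbprint(p) for p in pinned_thumbprints)
    if not pins:
        raise ValueError("at least one pinned thumbprint is required")

    def certificate_check(sender, certificate, chain, sslPolicyErrors):
        if certificate is None:
            return False  # fail closed: no certificate presented
        try:
            # GetCertHashString() is the SHA-1 hash in hex, the same value
            # X509Certificate2 exposes as Thumbprint.
            presented = normalize_thumbprint(certificate.GetCertHashString())
        except ValueError:
            return False  # fail closed on a malformed hash
        return presented in pins

    return certificate_check


class SampleCertificate(object):
    """Constructed stand-in for a .NET certificate, for runs outside IronPython."""
    def __init__(self, hash_string):
        self._hash = hash_string

    def GetCertHashString(self):
        return self._hash


def install_pinning(pinned_thumbprints):
    """Install the callback process-wide; callable only under IronPython/.NET."""
    from System.Net import ServicePointManager
    ServicePointManager.ServerCertificateValidationCallback = make_pinned_callback(pinned_thumbprints)
```

Building the callback with a placeholder such as "..." raises `ValueError` at setup time instead of silently rejecting every connection later.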