On 2015-07-24 12:02, Gary Thomas wrote:
I was trying to run a simple fetch from python using
url = 'https://raw.github.com/Itseez/opencv/master/samples/c/fruits.jpg'
filedata = urllib2.urlopen(url).read()
This failed:
Traceback (most recent call last):
  File "./edge.py", line 36, in <module>
    filedata = urllib2.urlopen(url).read()
  File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.7/urllib2.py", line 1240, in https_open
    context=self._context)
  File "/usr/lib/python2.7/urllib2.py", line 1197, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)>
I can see that it was looking for some certificates in /usr/lib/ssl/certs
but that directory is missing.
Anyone know what I might be missing (or have misconfigured)?
Thanks
I've found a discussion about this problem on the OpenEmbedded
development list:
http://lists.openembedded.org/pipermail/openembedded-devel/2015-July/102160.html
So the problem that this has uncovered is twofold:
1) Python (and OpenSSL) are not using the certificates that are installed by the ca-certificates package. OpenSSL expects the certificates in /usr/lib/ssl/certs and ca-certificates uses /etc/ssl/certs.
2) The certificates from ca-certificates are not immediately usable by OpenSSL since they are not hashed. This is done by the 'c_rehash' program but has been explicitly disabled by a patch.
Further exploration implies that this was disabled because not all targets will have c_rehash available and since the hashing is expected to be done on the target when the certificates are loaded/updated. Finally, c_rehash may or may not exist in the OpenSSL packages, depending on whether or not perl is available on the target (it's a perl script).
How best to solve this? As is, python https:// support is broken in OE-core, so I think an off-the-shelf solution is warranted.
Perhaps the PACKAGECONFIG for openssl should default to supporting perl on the target, and hence the c_rehash utility would be available? Certainly the choice of where the certificates live, etc., should be standardized.
Maybe the c_rehash can be run at package build time for ca-certificates? This would make things work, at least for the real CA certificates.
Ideas?
--
------------------------------------------------------------
Gary Thomas | Consulting for the
MLB Associates | Embedded world
------------------------------------------------------------
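A small diagnostic, added here as an example and not part of Gary's message or of OE-core, that shows the two problems above from Python's side: it asks the interpreter's OpenSSL for its compiled-in CA paths and classifies the CA directory as missing (the /usr/lib/ssl/certs case), unhashed (files installed by ca-certificates but no c_rehash-style links) or hashed. It assumes a Python with ssl.get_default_verify_paths() (2.7.9+ / 3.4+); the directory listings in the classifier are plain lists so it can also be run against constructed input.

```python
import os
import re
import ssl

# c_rehash names each link <subject_hash>.<n>: eight hex digits, a dot, a counter.
# OpenSSL's by-directory lookup only finds certificates through such names.
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.[0-9]+$")


def hashed_entries(names):
    """Entries of a cert directory listing that OpenSSL's hash lookup can use."""
    return sorted(n for n in names if HASHED_NAME.match(n))


def pem_entries(names):
    """Plain certificate files, i.e. what ca-certificates installs before any rehash."""
    return sorted(n for n in names if n.endswith((".pem", ".crt")))


def classify_capath(listing):
    """
    Explain why OpenSSL would (not) find CA certs in a capath.
    `listing` is the directory's entries, or None if the directory is absent.
    """
    if listing is None:
        return "missing"      # e.g. /usr/lib/ssl/certs does not exist at all
    if hashed_entries(listing):
        return "hashed"       # usable: c_rehash (or an equivalent) has run
    if pem_entries(listing):
        return "unhashed"     # certs are there but OpenSSL cannot look them up
    return "empty"


def check_default_paths():
    """Diagnose the capath/cafile this interpreter's OpenSSL was built to use."""
    paths = ssl.get_default_verify_paths()
    capath = paths.openssl_capath
    listing = os.listdir(capath) if capath and os.path.isdir(capath) else None
    cafile_ok = bool(paths.openssl_cafile) and os.path.isfile(paths.openssl_cafile)
    return capath, classify_capath(listing), paths.openssl_cafile, cafile_ok


if __name__ == "__main__":
    capath, state, cafile, cafile_ok = check_default_paths()
    print("OpenSSL capath: %s (%s)" % (capath, state))
    print("OpenSSL cafile: %s (present: %s)" % (cafile, cafile_ok))
```

On the failing system described above this reports the capath as "missing"; after pointing OpenSSL at the ca-certificates directory but before rehashing it reports "unhashed".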