On 2015-07-24 12:02, Gary Thomas wrote:
I was trying to run a simple fetch from python using
         import urllib2
         url = 'https://raw.github.com/Itseez/opencv/master/samples/c/fruits.jpg'
         filedata = urllib2.urlopen(url).read()

This failed:
   Traceback (most recent call last):
     File "./edge.py", line 36, in <module>
       filedata = urllib2.urlopen(url).read()
     File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen
       return opener.open(url, data, timeout)
     File "/usr/lib/python2.7/urllib2.py", line 431, in open
       response = self._open(req, data)
     File "/usr/lib/python2.7/urllib2.py", line 449, in _open
       '_open', req)
     File "/usr/lib/python2.7/urllib2.py", line 409, in _call_chain
       result = func(*args)
     File "/usr/lib/python2.7/urllib2.py", line 1240, in https_open
       context=self._context)
     File "/usr/lib/python2.7/urllib2.py", line 1197, in do_open
       raise URLError(err)
   urllib2.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)>

I can see that it was looking for some certificates in /usr/lib/ssl/certs
but that directory is missing.

Anyone know what I might be missing (or have misconfigured)?

Thanks


I've found a discussion about this problem on the OpenEmbedded
development list:
  http://lists.openembedded.org/pipermail/openembedded-devel/2015-July/102160.html

So the problem that this has uncovered is twofold:
1) Python (and OpenSSL) are not using the certificates that are installed by the ca-certificates package.
   OpenSSL expects the certificates in /usr/lib/ssl/certs and ca-certificates uses /etc/ssl/certs.
2) The certificates from ca-certificates are not immediately usable by OpenSSL since they are not hashed.
   This is done by the 'c_rehash' program but has been explicitly disabled by a patch.
   Further exploration implies that this was disabled because not all targets will have c_rehash
   available and since the hashing is expected to be done on the target when the certificates
   are loaded/updated. Finally, c_rehash may or may not exist in the OpenSSL packages, depending
   on whether or not perl is available on the target (it's a perl script).

How best to solve this?  As is, python https:// support is broken in OE-core, so I think an
off-the-shelf solution is warranted.

Perhaps the PACKAGECONFIG for openssl should default to supporting perl on the target, and hence
the c_rehash utility would be available?  Certainly the choice of where the certificates live, etc,
should be standardized.

Maybe the c_rehash can be run at package build time for ca-certificates?  This would make things work,
at least for the real CA certificates.

Ideas?

--
------------------------------------------------------------
Gary Thomas                 |  Consulting for the
MLB Associates              |    Embedded world
------------------------------------------------------------
--
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
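The two failure modes described in the thread (OpenSSL's compiled-in capath pointing at a directory that does not exist, and a directory of CA files that OpenSSL ignores because the <subject_hash>.<n> links c_rehash creates are missing) can be checked from the target itself. The following is an added diagnostic written for this thread in Python 3, not code from the original mail or from OE-core: it reports where the interpreter's OpenSSL actually looks, compares that with /etc/ssl/certs, and shows how to keep verification enabled while pointing urllib at an explicit capath. The "DemoRootCA.pem" file and the "deadbeef.0" link name in the demo directories are constructed placeholders, not a real subject hash.

```python
import os
import re
import ssl
import tempfile
import urllib.request

# OpenSSL resolves CAs in a capath by name only: <subject_hash>.<n>, e.g. "4a6481c9.0".
# Unhashed *.pem/*.crt files are invisible to it, which is exactly what c_rehash fixes.
HASH_LINK_RE = re.compile(r"^[0-9a-f]{8}\.\d+$")

def diagnose_capath(capath):
    """Return counts showing whether OpenSSL could actually use this directory."""
    r = {"exists": os.path.isdir(capath), "pem_files": 0, "hashed_links": 0, "usable": False}
    if not r["exists"]:
        return r
    for name in os.listdir(capath):
        if name.endswith((".pem", ".crt")):
            r["pem_files"] += 1
        elif HASH_LINK_RE.match(name):
            r["hashed_links"] += 1
    r["usable"] = r["hashed_links"] > 0
    return r

def default_paths_report():
    """Where this Python/OpenSSL build looks, versus /etc/ssl/certs (ca-certificates)."""
    p = ssl.get_default_verify_paths()
    return {"openssl_cafile": p.openssl_cafile, "openssl_capath": p.openssl_capath,
            "default": diagnose_capath(p.openssl_capath),
            "etc_ssl_certs": diagnose_capath("/etc/ssl/certs")}

def fetch_with_capath(url, capath="/etc/ssl/certs"):
    """Fetch with verification kept on, pointing OpenSSL at an explicit capath.
    Still fails (correctly) if that directory holds no hashed links."""
    ctx = ssl.create_default_context(capath=capath)
    return urllib.request.urlopen(url, context=ctx).read()

def demo_capaths():
    """Constructed dirs: one with an unhashed PEM only, one with the link c_rehash adds."""
    base = tempfile.mkdtemp()
    dirs = {"unhashed": os.path.join(base, "unhashed"), "hashed": os.path.join(base, "hashed")}
    for d in dirs.values():
        os.mkdir(d)
        with open(os.path.join(d, "DemoRootCA.pem"), "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n")
    # "deadbeef" stands in for the real subject hash c_rehash would compute (constructed value).
    os.symlink("DemoRootCA.pem", os.path.join(dirs["hashed"], "deadbeef.0"))
    return {k: diagnose_capath(v) for k, v in dirs.items()}
```

Running default_paths_report() on the affected image shows "default" with exists False (the /usr/lib/ssl/certs case) while "etc_ssl_certs" has pem_files > 0 but hashed_links == 0 until the links are created.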
