Skip to main content

How to disable default certificate verification in Python 2.7.9 and above permanently on Mac?

Python from 2.7.9 and above now verifies the SSL certificate prior establishing the connection to server. This might cause problem in few servers which do not support certificate validation yet. In these circumstances the HTTPS connection requests fails due to new changes in python. For more information on the new changes please read more at : https://www.python.org/dev/peps/pep-0476/. This link describes the ways to establish ssl connection without certificate verification. In my case i was not using the httplib modules API directly hence i had to find out a crude approach to disable the SSL certificate  verification. I would not recommend the below change unless it is really required to do it as you might be opening a set of vulnerabilities as specified in this article.  However the below sample code tells you how disable SSL certificate  verification completely on your system. 

1. Open Terminal
2. Open with sudo privileges the following file [ Note: You may be required to disable System Integrity Protection(SIP) on your mac to edit these files if your system is running OS X 10.11 + , Please read my post on How to Disable System Integrity Protection(SIP) ]


    sudo vim /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/httplib.py


Look for following Piece of Code:

class HTTPSConnection(HTTPConnection):
        "This class allows communication via SSL."

        default_port = HTTPS_PORT

        def __init__(self, host, port=None, key_file=None, cert_file=None,
                     strict=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
                     source_address=None, context=None):
            HTTPConnection.__init__(self, host, port, strict, timeout,
                                    source_address)
            self.key_file = key_file
            self.cert_file = cert_file
            if context is None:
                context = ssl._create_default_https_context()
            if key_file or cert_file:
                context.load_cert_chain(cert_file, key_file)
            self._context = context


Comment the highlighted line and add following line below the commented line.

                context = ssl._create_unverified_context()



Finally the change should be reflected as below:


class HTTPSConnection(HTTPConnection):
        "This class allows communication via SSL."

        default_port = HTTPS_PORT

        def __init__(self, host, port=None, key_file=None, cert_file=None,
                     strict=None, timeout=socket._GLOBAL_DEFAULT_TIMEOUT,
                     source_address=None, context=None):
            HTTPConnection.__init__(self, host, port, strict, timeout,
                                    source_address)
            self.key_file = key_file
            self.cert_file = cert_file
            if context is None:
                #Comment the below line and un-comment the commented line to revert to original state.
                context = ssl._create_unverified_context()
                #context = ssl._create_default_https_context()
            if key_file or cert_file:
                context.load_cert_chain(cert_file, key_file)
            self._context = context




Note: Above change to the python source is not recommended unless required. Proceed with caution. 



Labels:

Comments

Post a Comment

Popular posts from this blog

How to find firmware or boot ROM version in Mac OS X

Firmware and boot ROM version of your mac can be found in two ways. Way 1 : 1. From "Apple" menu , choose "About This Mac" menu item. 2. Click " More Info " to open "System Profiler" application. 3. Under Contents -> Select Hardware Tree item. On the right side panel Under hardware overview section, we can see Boot ROM Version and SMC (Firmware) Version. Way 2 : Run the below command in terminal to get boot ROM version and SMC(firmware) version : $ system_profiler SPHardwareDataType | grep -i "Version" | awk -F ':' '{print $1 $2}'
6 comments
Read more

How to extract signing certificates from macOS binary files

Code signing is a macOS security technology that you use to certify that an app was created by you. Once an app is signed, the system can detect any change to the app—whether the change is introduced accidentally or by malicious code. As Apple Developer site says ( click here for more details  on code signing) : code signing allows the operating system to: Ensure that a piece of code has not been altered since it was signed.  The system can detect even the smallest change, whether it was intentional (by a malicious attacker, for example) or accidental (as when a file gets corrupted). When a code signature is intact, the system can be sure the code is as the signer intended. Identify code as coming from a specific source (a developer or signer).  The code signature includes cryptographic information that unambiguously points to a particular author. Determine whether code is trustworthy for a specific purpose.  Among other things, a developer can use a code signature to s
Post a Comment
Read more

What are the useful nvram settings in macOS ?

The OS X boot arguments are useful for troubleshooting problems with system startup and how the system behaves when running. sudo nvram boot-args="-v" :  This command will set the system to always boot to verbose mode, so we do not need to hold Command + V at system startup. sudo nvram boot-args="-x" :  This will set the system to always boot into Safe Mode. sudo nvram boot-args="-s" :  This command will boot the system into single user mode without needing to hold Command-S at system startup. sudo nvram boot-args="iog=0x0"  :   when you close the display but connect the system to an external monitor and keyboard the system will stay awake. After running this command, when connecting an external monitor, the internal display will be disabled, which can be beneficial in some situations such as those where you are mirroring your desktop but wish to run the external display at a higher resolution than your laptop can run. sudo nvram b
Post a Comment
Read more