Tech Scribblings » python

Trusting All Certificates In Jython

Brandon — Thu, 07 Oct 2010 20:30:47 +0000

I had a little application I was writing to check some information on a VMware vSphere server. I was sending SSL HTTP requests to the server to get data. Everything was working fine under python. I had one function that needs to use Jython (which is fine because I am running everything under Jython most of the time anyway, Python is just faster to start up for testing). However, when I ran it in Jython I was getting socket.sslerror SSL handshake exceptions. This is known behavior in Jython because by default Java will automatically check the validity of certificates while Python just disregards the SSL certificates.

There are a couple of ways to get around this and they are documented here http://wiki.python.org/jython/NewSocketModule#SSLSupport. However, I didn’t like any of those approaches.

The first option requires messing with your certificate store in the JVM which means all Java processes doing anything will have your certificate added. This may or may not be what you want, but if you go to another machine or use a different JVM you will lose the ability to connect to your SSL host again.

Option 2, creating your own Security Provider looked a little more appealing because I don’t have to worry about importing each certificate and could enable this at runtime. However, it has the drawback of having to be compiled outside of Jython, and has to be put on the class path. Again, this makes it a little less portable (but not too bad). It also has the affect of trusting all certificates for every single SSL connection made, which is good because it matches up to what Python does but what if you want to only trust invalid certificates in certain parts of your code?

I started digging and came up with a way that would let me trust all certificates, be written completely in Jython, and have the ability to dynamically switch between trusting all certificates or not.

# Check if running in Jython
if 'java' in sys.platform:
    from javax.net.ssl import TrustManager, X509TrustManager
    from jarray import array
    from javax.net.ssl import SSLContext
    class TrustAllX509TrustManager(X509TrustManager):
        '''Define a custom TrustManager which will blindly accept all certificates'''
 
            def checkClientTrusted(self, chain, auth):
                pass
 
            def checkServerTrusted(self, chain, auth):
                pass
 
            def getAcceptedIssuers(self):
                return None
    # Create a static reference to an SSLContext which will use
    # our custom TrustManager
    trust_managers = array([TrustAllX509TrustManager()], TrustManager)
    TRUST_ALL_CONTEXT = SSLContext.getInstance("SSL")
    TRUST_ALL_CONTEXT.init(None, trust_managers, None)
    # Keep a static reference to the JVM's default SSLContext for restoring
    # at a later time
    DEFAULT_CONTEXT = SSLContext.getDefault()
 
def trust_all_certificates(f):
    '''Decorator function that will make it so the context of the decorated method
    will run with our TrustManager that accepts all certificates'''
    def wrapped(*args, **kwargs):
        # Only do this if running under Jython
        if 'java' in sys.platform:
            from javax.net.ssl import SSLContext
            SSLContext.setDefault(TRUST_ALL_CONTEXT)
            try:
                res = f(*args, **kwargs)
                return res
            finally:
                SSLContext.setDefault(DEFAULT_CONTEXT)
        else:
            return f(*args, **kwargs)
    return wrapped

Thats it. Now I can do things like:

@trust_all_certificates
def connect_to_untrusted_host(host):
        conn = httplib.HTTPSConnection(host)
        conn.request('GET', '/index.html')
        response = conn.getresponse()

And the connection will succeed. If I have another method that is not decorated then it will automatically verify the certificates validity.

Note that this decorator is not thread safe. Setting the SSLContext default is a global operation, so if another thread is running it could reset the SSLContext to the default before another method tries to make an SSL connection.

You can also use this without the decorator function. Just use the code prior to the decorator and set the SSLContext default wherever you need to.

If you happen to also need to verify the hostname of a certificate, which is the case if you use an HttpsURLConnection, then you will also need to create a HostnameVerifier. You can do this as follows:

from javax.net.ssl import HostnameVerifier, HttpsURLConnection
class AllHostsVerifier(HostnameVerifier):
    def verify(self, urlHostname, session):
        return True
HttpsURLConnection.setDefaultHostnameVerifier(AllHostsVerifier())

Hope that helps. It’s nice to have a pure Jython implementation of this and have it be transportable.

Killing a thread in Python

Brandon — Tue, 06 Jan 2009 16:45:43 +0000

I have been searching for quite a while for information on how to kill a thread in Python and I finally found a great solution. I was just about to implement my own way of doing it but it is not as clean as this way (although killing threads is not clean in the first place).

My thought was to use threading.settrace() and set my own trace function for every thread that is started. That way every thread will have to pass through the trace function in oder to continue executing and it doesn’t matter where in the code it is at or going. In my trace function I was going to add an Event that it would wait on if I want to pause execution of the thread, or check something to make it through an execption to exit out of the thread.

I was in the process of searching for a way to find out if a thread died because of an Exception when I ran across a post here: http://www.dlevel.com/blogs/alex/20

What they have done is added a terminate() method to the Thread class in the threading library. This will throw a SystemExit exception and quitely terminate the thread. Just take the code and paste it into a new module and use that Thread class as opposed to the threading.Thread class.

I agree with what he says about using this. Obviously it is not very safe to do this but in some cases you really need a way to terminate a thread and if you are careful it can work out ok.

Interesting Python Static Attributes

Brandon — Wed, 31 Dec 2008 01:19:42 +0000

So I was playing around with some code in Python today and was curious about static members of a class (I guess that is what you would call it). I wanted to know if I set an attribute at the class level and change it, would all the instances see that change or if each instance is separate.

Here is some code I played with:

>>> class T: ... build_location = None ... def get_location(self): ... return self.build_location ... >>> t = T() >>> print t.get_location() None >>> T.build_location = "hello" >>> print t.get_location() hello >>> t.build_location = "there" >>> print t.get_location() there >>> print T.build_location hello >>> T.build_location = "hello" >>> print t.get_location() there >>>

So, what I did was set an attribute on the class level that everyone can see without an instance of the class. When I create an instance it can see that attribute just like I can from just doing T.build_location. When I change the static variable then the instance sees that change as well (which is what I was hoping for).

Now, the interesting part is that if I use an instance of the class to change the variable, that variable becomes local to that instance as you can see above when I printed the class’s T.build_location. Now I tried to set the class level attribute back to “hello” and that works but now it does not change what the instance sees!

This is not any earth shattering news but I thought it was interesting when I saw it.