How to capture python https traffic in fiddler? - python

Python throws in errors when ever I try to do some data fetching task.
This only happens when I set fiddler to decrypt https traffic.
I have tried routing python traffic through 127.0.0.1:8888 and same with mozilla inorder to catch its traffic.
I also installed the certificate and trusted it via fiddler, I am not sure where I am going wrong.
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='google.com', port=443):
Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: CERTIFIC
ATE_VERIFY_FAILED] certificate verify failed (_ssl.c:748)'),))
This above is the error I get whenever I try to fetch a page with requests.

TL;DR The requests library does not use the windows certificate store, it has it's own one (as per https://bugs.python.org/issue28547). This means that your fiddler MITM certificate is not available to python requests by default.
Your options are
Disable SSL verification (verify=False)
Add your cert via the REQUESTS_CA_BUNDLE environment variable
Add your fiddler cert explicitly (verify='\path\to\cert')
More details can be found at http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification
On a side note, it does feel a little strange for requests to be using it's own cert bundle, rather than the platform supplied one - especially given all the browsers are happy to use the platform ones.

As pointed out by polhemic and Eric Aronesty, for testing purposes, you can set temporarily "CURL_CA_BUNDLE" to an empty string.
import os
os.environ['CURL_CA_BUNDLE'] = ''

Related

Python Integration the Payment System of Bank

I am trying to integrate the Bank's payment system on my Django-based website. As it said in documentation, I need to send parameters to their server (and then the new window should appear and the client should fill his card credentials there).
Documentation (part 1):
Documentation (part 2):
Documentation (part 3):
I am new in integration such services (payment) and need some help or broad explanation what to do, why do to that, and how.
Additionally, I was pretty sure that the following code wouldn't work fine but why.
import requests
def send_request():
url = 'https://ecomm.pashabank.az:18443/ecomm2/MerchantHandler/?command=v&amount=5&currency=932&client_ip_addr=167.184.1.132&msg_type=SMS'
response = requests.post(url)
print(response)
send_request()
causes
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='ecomm.pashabank.az', port=18443): Max retries exceeded with url: /ecomm2/MerchantHandler/?command=v&amount=5&currency=932&client_ip_addr=167.172.184.123&msg_type=SMS (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1123)')))
Overall, I need help of everything happening behind the scenes. Huge thanks in advance guys!
Note: I have also received some certifications from bank (I assume to assure the connection safety). But how I use it and when?

Flair English sentiment model download

I'm trying to download the en-sentiment model using the following code:
clf = TextClassifier.load('en-sentiment')
but I'm getting the following SSL error:
SSLError: HTTPSConnectionPool(host='nlp.informatik.hu-berlin.de', port=443): Max retries exceeded with url: /resources/models/sentiment-curated-distilbert/sentiment-en-mix-distillbert_4.pt (Caused by SSLError(SSLError(1, '[SSL] unknown error (_ssl.c:1129)')))
I understand this is an issue with my firewall but I can't seem to get around it. I've tried installing openssl in my virtual env but this isn't working. I understand you can download the model manually but I can't find where to download them from.
Any help would be appreciated.
Max retries exceeded with url says it all. Are you sure you can ping the address: nlp.informatik.hu-berlin.de?
Are you sure you can access the resource with web browser?
https://nlp.informatik.hu-berlin.de/resources/models/sentiment-curated-distilbert/sentiment-en-mix-distillbert_4.pt
Please check if you are behind a proxy or firewall and if the certificate of the page is valid. Once you can access with web browser, you are going to be able to run your code.

Unable to Complete SSL Connection with Certificate and Python Request

i'm having this problem for days now, and can't figure out what exactly is wrong. I'm trying to connect to a server that requires authentication with digital certificates, and have done this before with the requests library in the following manner:
cert = (f'/path/to/cert.crt', f'/path/to/cert.open.key')
response = requests.get(url_server,cert=cert,headers=headers,proxies=proxies)
At first, i received the following error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'. I imagined it had something to do with the server certificate, because i have used the same client certificate to log in other sites before. For testing purposes, i made the call with verify=False in order to ignore any problems with the server certificate, and got this:
SSLError(1, '[SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:852)'),))
I tried to point the verify to a folder with the cert chain files (root and intermediate), and also to the certBundle file when the previous didn´t work, as documented in https://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification, but to no avail. I'm lacking knowledge about the minutia of the handshake process and therefore can´t think in any new way to debug this issue. Any help would be deeply appreciated.
I figured it out. The client certificate was lacking the certificate chain (for the client). Using Wireshark i intercepted the packages and compared what the browser was sending with the packages requests was sending. This allowed me to see that the browser automatically inserts the client certificate chain to the certificate, while requests doesn't.

Pulling Mimecast Logs with Python

I am hoping someone has gone through this and hopefully has a working Python script. I have been trying to pull MTA logs from Mimecast. So far, I have tried the
codes from the below websites:
https://www.mimecast.com/tech-connect/documentation/endpoint-reference/logs-and-statistics/get-siem-logs/
https://github.com/JoshuaSmeda/mimecast_log_collector
https://github.com/bsdkid/mimecast-api-class/blob/master/get-TTP.py
The error I get is
SSLError: HTTPSConnectionPool(host='api.mimecast.com', port=443): Max retries exceeded with url: /api/login/discover-authentication (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)'),))
I also have all the necessary credentials, such as user(account), password, app_id, app_key, access_key, and secret_key. Unfortunately, nothing has worked for me.
Any help is much appreciated.
Thanks
You probably got some sort of SSL inspection happening in your environment.
Have you tried testing on a another test instance perhaps where there is no transparent proxy filtering internet traffic.
You can also try using the SSL verify argument (set to false) for the API request to ignore the cert validation issue.
Arg:
verify=False
Example based on https://github.com/JoshuaSmeda/mimecast_log_collector:
try:
r = requests.post(url='https://api.mimecast.com/api/login/discover-authentication', data=json.dumps(post_body), headers=headers, verify=False)
If it works for the discovery - then add the verify argument to each post. Keep in mind the risks of doing this because you open yourself up to MITM attacks as an example. The risks of HTTP would apply.
Documentation on requests can be found here:
https://buildmedia.readthedocs.org/media/pdf/requests/latest/requests.pdf
Hope this helps.

python - getting SSL error when trying to scrape a webpage

I'm trying to scrape this webpage using Python:
https://fftoolbox.scoutfantasysports.com/football/rankings/PrintVersion.php
I've been using the requests package. I can "solve" the issue by setting verify=False, however I've read that that's not secure. In other threads, people said to point the requests.get() function to the filepath of the relevant certificate. I exported the certificate from my browser, and then tried that, but with no luck. This
requests.get('https://fftoolbox.scoutfantasysports.com/football/rankings/PrintVersion.php',verify='C:/Users/ericb/Desktop/fftoolboxscoutfantasysportscom.crt')
gives the SSL error still
SSLError: HTTPSConnectionPool(host='fftoolbox.scoutfantasysports.com', port=443): Max retries exceeded with url: /football/rankings/PrintVersion.php (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))
And this
requests.get('https://fftoolbox.scoutfantasysports.com/football/rankings/PrintVersion.php',cert='C:/Users/ericb/Desktop/fftoolboxscoutfantasysportscom.crt')
yields
Error: [('PEM routines', 'PEM_read_bio', 'no start line'), ('SSL routines', 'SSL_CTX_use_PrivateKey_file', 'PEM lib')]
I've done a decent amount of webscraping before, but I've never had to deal with certificates until now. How can I get around this? I should also note that I'd like to put my final Python script and any files it uses onto a public GitHub repo. But I don't want do do anything that would jeopardize my security, like uploading keys or something.
The server is misconfigured, it does not send the intermediate certificate it needs to send.
See this report: https://www.ssllabs.com/ssltest/analyze.html?d=fftoolbox.scoutfantasysports.com&hideResults=on
Certificates provided 1 (1776 bytes)
Chain issues Incomplete
Or https://sslanalyzer.comodoca.com/?url=fftoolbox.scoutfantasysports.com
Trusted by Microsoft? No (unable to get local issuer certificate) UNTRUSTED
Trusted by Mozilla? No (unable to get local issuer certificate) UNTRUSTED
With openssl s_client -connect fftoolbox.scoutfantasysports.com:443 -showcerts you can see:
Certificate chain
0 s:/OU=Domain Control Validated/CN=fftoolbox.scoutfantasysports.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
And the webserver should be configured to send the /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2 intermediary certificate but it does not.
So, you could contact the website and tells them they are misconfigured. You will not be the only one impacted by that, as the second link shows.
Alternatively, you could add the missing certificate locally as fully trusted, but this kind of lowers your security. You can also download the missing certificate (not the one of the website, the intermediary one) locally and add verify=/path/to/certificate in your requests.get call.

Categories