Sentry-python: ?verify_ssl=0 no op

Created on 3 Apr 2019  路  8Comments  路  Source: getsentry/sentry-python

The old Raven Sentry SDK used to turn off SSL verification when those query params are passed to the DSN. However, it seems that sentry-python doesn't. Is there anyway this can be enabled/integrated?

question

All 8 comments

hi, query parameters are not supported for configuration anymore. You still have the ca_certs kwarg to init with which you can set the ca bundle to something, but we don't allow you to turn off ssl cert verification.

overwrite sentry-python's function

def disable_sentry_ssl_check():
    # disable sni warnings
    import urllib3
    urllib3.disable_warnings()

    def _get_pool_options(self, ca_certs):
        return {
            "num_pools": 2,
            "cert_reqs": "CERT_NONE",
        }

    # disable ssl check
    from sentry_sdk.transport import HttpTransport
    HttpTransport._get_pool_options = _get_pool_options

@ColorFuzzy are you using onprem or SaaS (sentry.io)? We depend on certifi and have a valid SSL cert for sentry.io, so I wonder why this is a problem to some people.

@untitaker Our project's python version is outdated, and our python libraries are also outdated(about 5 years ago), it's a very old project, it's hard to upgrade the python interpreter or the libraries. It's very hard to enable ssl validation with sni. We host sentry in our server.

@untitaker Would you reconsider allowing disabling of SSL verify?

We are inside a corporate firewall, and our sentry server is behind https. We push our internal corporate CA to windows hosts, but Linux hosts don't have the corporate CA installed.

I'd rather not open port 80 on our sentry server, because we use ldap to login to the sentry server. But we don't need verified SSL for error reporting.

I'm left with having to Monkey Patching _get_pool_options otherwise...

(Maybe just making a way for us to have a supported way to set the HttpTransport defaults?)

(Wait ... we can pass our own transport... be right back!)

Here we go -- you can pass this with transport= in init().

class MyHttpTransport(HttpTransport):
    def _get_pool_options(self, ca_certs):
        # Ignore SSL Errors
        options = super()._get_pool_options(ca_certs)
        options['cert_reqs'] = "CERT_NONE"
        return options

My hope is that _get_pool_options doesn't change since I don't think it is an officially documented method.

It seems to me that the solution for you would be to deploy your certs to Linux machines.

It seems to me that the solution for you would be to deploy your certs to Linux machines.

I don't have control over those Linux machines, and the users aren't necessarily sophisticated. Some of those Linux boxes are virtual appliances or even hypervisors that are test systems recently installed from product code and are in a QA environment.

The lack of a certificate would be an issue in of itself that I'd want sentry to report. Chicken and egg.

The whole point of me having sentry in this Python command line tool is for issues to be raised while users are using it on various systems. Sentry is integrated into an internally pip installable package/tool used by various teams within the company.

I guess I don't understand the resistance to allowing SSL verification to be ignored as a supported workflow -- I don't mind writing my own MyHttpTransport, but it would be nice to have some sort of supported upgrade path since I'm currently forced to assume the _get_pool_options function signature will never change.

There are basic security requirements that Sentry has to fulfill as well. A lot of Sentry usages out there would have massive security issues if the kind of data the SDKs send would end up readable by somebody unauthorized.

Also there will always be kinds of issues that Sentry will not be able to detect. Hard downtime, network connectivity issues, etc are generally not what Sentry is used to monitor. I'd say SSL cert issues also fall into this category as "broadly operational concerns".

Your needs are valid, they're just at odds with other concerns. To reiterate the point of my first reply to this issue, in your case it seems entirely possible to bundle your corporate certs with the SDK installation and use the ca_certs option to fix SSL support on those host machines.

Was this page helpful?
0 / 5 - 0 ratings