[Chicago] Is pypi.python.org really running with a self-signed cert?

Nick Bennett nick271828 at gmail.com
Fri Mar 6 22:19:09 CET 2015


Behold, mitmproxy is an "interactive SSL-capable man-in-the-middle proxy
for HTTP" built with Python:

http://mitmproxy.org/index.html
https://github.com/mitmproxy/mitmproxy

A video on "mitmproxy - use and abuse of a hackable SSL-capable
man-in-the-middle proxy" - https://www.youtube.com/watch?v=kQ1-0G90lQg

If the SSL cert is self-signed or otherwise invalid and you're downloading
binaries, Danger Will Robinson.

Nick Bennett
github: tothebeat <https://github.com/tothebeat>
224-392-2326

On Fri, Mar 6, 2015 at 2:08 PM, JS Irick <hundredpercentjuice at gmail.com>
wrote:

> Some businesses insert self-signed certificates as a "man in the middle"
> attack of sorts.  Go to any https site and see if the cert is real, or
> belonging to your client.
>
> This includes many businesses that should really know better than teaching
> users to accept invalid certs.
>
> On Fri, Mar 6, 2015 at 1:39 PM, William E. S. Clemens <
> wesclemens at gmail.com> wrote:
>
>> Are you behind a proxy? I was able to curl the file without issue.
>>
>> --
>> William Clemens
>> Phone: 847.485.9455
>> E-mail: wesclemens at gmail.com
>>
>> On Thu, Mar 5, 2015 at 9:58 PM, Adam Bain <bainada.iit at gmail.com> wrote:
>>
>>> Definitely not self-signed, on my browser it's signed by DigiCert. SHA256
>>> fingerprint beginning with 9f249e91. Not really sure what's causing your
>>> error, do you maybe need to tell curl about which root certs to trust?
>>>
>>>
>>> On Thu, Mar 5, 2015, 9:16 PM Robare, Phillip (Randstant) <
>>> proba at allstate.com> wrote:
>>>
>>>> I was trying to get my environment set up on a new work computer
>>>> (Cygwin with cygwin's python 2.7 under Windows) so I downloaded and ran
>>>> ez_setup.py.  It errored on a line where it calls curl to download
>>>> setuptools.  I pulled the line out and ran it from the command line without
>>>> the -silent parameter.
>>>>
>>>> $ curl https://pypi.python.org/packages/source/s/setuptools/setuptools-12.3.zip
>>>>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>>>>                                  Dload  Upload   Total   Spent    Left  Speed
>>>>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
>>>> curl: (60) SSL certificate problem: unable to get local issuer certificate
>>>> More details here: http://curl.haxx.se/docs/sslcerts.html
>>>>
>>>> curl performs SSL certificate verification by default, using a "bundle"
>>>>  of Certificate Authority (CA) public keys (CA certs). If the default
>>>>  bundle file isn't adequate, you can specify an alternate file
>>>>  using the --cacert option.
>>>> If this HTTPS server uses a certificate signed by a CA represented in
>>>>  the bundle, the certificate verification probably failed due to a
>>>>  problem with the certificate (it might be expired, or the name might
>>>>  not match the domain name in the URL).
>>>> If you'd like to turn off curl's verification of the certificate, use
>>>>  the -k (or --insecure) option.
>>>>
>>>> Some weirdness with Cygwin?  So I tried it with insecure mode.
>>>>
>>>> $ curl --insecure https://pypi.python.org/packages/source/s/setuptools/setuptools-12.3.zip
>>>>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>>>>                                  Dload  Upload   Total   Spent    Left  Speed
>>>>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
>>>> curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 104
>>>>
>>>> Not much more enlightening.  So I tried wget.
>>>>
>>>> $ wget https://pypi.python.org/packages/source/s/setuptools/setuptools-12.3.zip
>>>> --2015-03-05 16:17:06--  https://pypi.python.org/packages/source/s/setuptools/setuptools-12.3.zip
>>>> Resolving pypi.python.org (pypi.python.org)... 23.235.40.223
>>>> Connecting to pypi.python.org (pypi.python.org)|23.235.40.223|:443... connected.
>>>> ERROR: The certificate of 'pypi.python.org' is not trusted.
>>>> ERROR: The certificate of 'pypi.python.org' hasn't got a known issuer.
>>>>
>>>> Does anyone else have a problem with pypi's certificate?  Or a
>>>> work-around for getting ez_install to run?
>>>>
>>>> Thanks,
>>>>
>>>> Phil Robare
>>>>
>>>> _______________________________________________
>>>> Chicago mailing list
>>>> Chicago at python.org
>>>> https://mail.python.org/mailman/listinfo/chicago
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
> --
> ====
> JS Irick
> 312-307-8904
> Consultant: truqua.com
> Coach: atlascrossfit.com
> Programmer: juicetux.com
>
>
>
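A worked check, added here as an example and not code from any poster in this thread: it does what Adam suggests (see which CA actually issued the certificate the server presents, and compare its SHA-256 fingerprint against the one you expect) and what JS describes (spot a corporate interception certificate by its unexpected issuer), using only the Python standard library. It also shows the right alternative to `--insecure` for the curl (60) / wget "not trusted" case: point the client at a CA file you knowingly trust. The host, the expected-fingerprint prefix (9f249e91 is the value Adam reported in March 2015; certificates rotate, so treat it as a placeholder), the expected issuer and the corporate-CA path are all assumptions, and the getpeercert()-style dict is constructed for illustration.

```python
"""Inspect the certificate a TLS server really presents, instead of using -k.

Added example for this thread; not from any poster. Placeholders: the host,
the expected fingerprint prefix, the expected issuer and the CA file path.
"""
import hashlib
import socket
import ssl
import sys
from typing import Optional, Tuple


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated as browsers show it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_startswith(fingerprint: str, expected_prefix: str) -> bool:
    """Compare a fingerprint with a known prefix, ignoring colons and case."""
    norm = fingerprint.replace(":", "").lower()
    return norm.startswith(expected_prefix.replace(":", "").lower())


def rdn_value(cert_info: dict, field: str, key: str) -> Optional[str]:
    """Pull one attribute (e.g. organizationName) out of the tuple-of-tuples
    'issuer'/'subject' structure that ssl.SSLSocket.getpeercert() returns."""
    for rdn in cert_info.get(field, ()):
        for k, v in rdn:
            if k == key:
                return v
    return None


def looks_intercepted(cert_info: dict, expected_issuer_org: str) -> bool:
    """True when the issuing organisation is not the one you expect, which is
    what a corporate TLS-inspecting proxy looks like from the client side."""
    return rdn_value(cert_info, "issuer", "organizationName") != expected_issuer_org


def fetch_leaf_cert(host: str, port: int = 443, cafile: Optional[str] = None,
                    timeout: float = 10.0) -> Tuple[bytes, dict]:
    """Connect with full verification and return (DER bytes, getpeercert() dict).

    cafile is the equivalent of curl's --cacert: trust a private CA explicitly
    (for example /etc/ssl/corp-proxy-root.pem, a hypothetical path) when that
    CA is legitimately yours. Verification failure raises ssl.SSLError
    (ssl.SSLCertVerificationError on Python 3.7+), the same condition curl
    reports as (60) and wget as "not trusted".
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()


def check_host(host: str, expected_prefix: str, expected_issuer_org: str,
               cafile: Optional[str] = None) -> dict:
    """Summarise what the server presented and whether it matches expectations."""
    der, info = fetch_leaf_cert(host, cafile=cafile)
    fp = sha256_fingerprint(der)
    return {
        "host": host,
        "subject": rdn_value(info, "subject", "commonName"),
        "issuer": rdn_value(info, "issuer", "organizationName"),
        "fingerprint": fp,
        "matches_expected": fingerprint_startswith(fp, expected_prefix),
        "looks_intercepted": looks_intercepted(info, expected_issuer_org),
    }


# Constructed sample in getpeercert() shape; values are illustrative only.
SAMPLE_CERT_INFO = {
    "subject": ((("commonName", "www.python.org"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "DigiCert Inc"),),
               (("commonName", "DigiCert SHA2 Extended Validation Server CA"),)),
}

# Constructed sample of what a TLS-inspecting proxy hands back instead.
SAMPLE_PROXY_CERT_INFO = {
    "subject": ((("commonName", "www.python.org"),),),
    "issuer": ((("organizationName", "Example Corp Proxy CA"),),),
}


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "pypi.python.org"
    try:
        result = check_host(host, expected_prefix="9f249e91",
                            expected_issuer_org="DigiCert Inc")
    except ssl.SSLError as exc:
        # Chain does not lead to a root in the local bundle. Re-run with a
        # cafile you trust; do not fall back to --insecure for binaries.
        print(f"{host}: verification failed: {exc}")
        sys.exit(1)
    for key, value in result.items():
        print(f"{key:>17}: {value}")
```

Run it with a hostname as the first argument; `matches_expected` false with `looks_intercepted` true is the pattern JS describes, while an `ssl.SSLError` with the default bundle is Phil's curl (60) case, which the `cafile` parameter fixes without turning verification off.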