Look for custom cert/key, fall back to self-signed (!1067) · Merge requests · Plom / plom

Colin Macdonald requested to merge ssl into dev Sep 25, 2021

look for custom .key .cert on server start
rename plom.key to plom-selfsigned.key to match self-signed cert.
remove the per-call verify=False in favour of a per-session selection
Default to true
- but pop-up a dialog to allow users to ignore cert errors
- [ ]

Env var overrides:

document how to use a sneaker-netted cert: roughly,

export REQUESTS_CA_BUNDLE=/path/to/servers_cert_file.crt
python3 -m plom.client
python3 -m plom.scan
# etc

Avoiding aggravating our developers: if "dev" in plom.__version__ then fallback to no-SSL-verification sans popup dialog (just log a warning).
Do we need to add -k to all command-line tools? This matches curl -k https://... but might require some deeper refactoring (because the command line tools build msgr objects all over the place).
Quick fix: add a PLOM_SSL_NO_VERIFY env var. (I have haven't found an env var-based technique to disable SSL verification at requests or urllib3 level.)

Edited Sep 28, 2021 by Colin Macdonald

Look for custom cert/key, fall back to self-signed