Bug #2348

pretty print ssl errors

Added by Victor Julien over 3 years ago. Updated over 3 years ago.



This morning the OISF SSL cert was invalid for a bit due to expiration. It's been fixed now. When it was expired I did get this error:

victor@c2758:~/rules$ /home/victor/dev/suricata-update/bin/suricata-update update-sources
9/12/2017 -- 08:17:28 - <Warning> -- No suricata application binary found on path.
9/12/2017 -- 08:17:28 - <Info> -- Using default Suricata version of 4.0.0
9/12/2017 -- 08:17:28 - <Info> -- Downloading
Traceback (most recent call last):
  File "/home/victor/dev/suricata-update/bin/suricata-update", line 26, in <module>
  File "/home/victor/dev/suricata-update/suricata/update/", line 1362, in main
  File "/home/victor/dev/suricata-update/suricata/update/", line 1139, in _main
    return args.func()
  File "/home/victor/dev/suricata-update/suricata/update/commands/", line 40, in update_sources
    raise Exception("Failed to download index: %s: %s" % (url, err))
Exception: Failed to download index: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>

I think there should be a nicer error message here.


Updated by Jason Ish over 3 years ago

It's too bad it's a generic Exception rather than a typed one. What do you think should happen here? Fatal error? Or a warning, like you would get if the URL is 404?


Updated by Victor Julien over 3 years ago

Think it depends on the action. 'update-sources' should fail. 'list-sources' invoking 'update-sources' should give a warning about using an outdated index? Similar for rule downloads. Failure to download (ssl err, http 404) should lead to warning about still using outdated cached data. Make sense?


Updated by Jason Ish over 3 years ago

I've cleaned up the main issue here. When update-sources encounters a bad cert it will error out and look like:

14/12/2017 -- 14:36:46 - <Info> -- Found Suricata version 4.1.0-dev at /usr/local/bin/suricata.
14/12/2017 -- 14:36:46 - <Info> -- Downloading https://localhost:8000/index.yaml
14/12/2017 -- 14:36:46 - <Error> -- Failed to download index: https://localhost:8000/index.yaml: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>


Updated by Jason Ish over 3 years ago

  • Status changed from New to Closed
  • Target version set to 1.0.0b1
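
Added example, not suricata-update's actual code: one way to get the behaviour discussed in this thread, with a typed exception, a readable one-line reason for certificate failures, a fatal error for 'update-sources' and a warning plus cached data elsewhere. The names DownloadError, describe, fetch and expired_cert_opener, and the URL, are hypothetical.

```python
import ssl
import urllib.error
import urllib.request


class DownloadError(Exception):
    """Typed error, so callers need not catch a generic Exception."""


def describe(err):
    """Reduce a urllib failure to a one-line, human-readable reason."""
    if isinstance(err, urllib.error.HTTPError):
        return "HTTP %d %s" % (err.code, err.reason)
    reason = err.reason if isinstance(err, urllib.error.URLError) else err
    if isinstance(reason, ssl.SSLCertVerificationError):
        # verify_message is set by the ssl module, e.g. "certificate has expired"
        detail = getattr(reason, "verify_message", None) or str(reason)
        return "TLS certificate verification failed: %s" % detail
    return str(reason)


def fetch(url, cached=None, fatal=True, opener=urllib.request.urlopen):
    """Return (data, warning); certificate verification is never relaxed.

    fatal=True:  raise DownloadError (the 'update-sources' case).
    fatal=False: return the cached copy plus a warning, if a copy exists.
    """
    try:
        with opener(url) as resp:
            return resp.read(), None
    except (urllib.error.URLError, ssl.SSLError) as err:
        msg = "Failed to download %s: %s" % (url, describe(err))
        if fatal or cached is None:
            raise DownloadError(msg) from None
        return cached, msg + "; using outdated cached data"


def expired_cert_opener(url):
    """Constructed stand-in for urlopen() hitting an expired certificate."""
    cert_err = ssl.SSLCertVerificationError(1, "certificate verify failed")
    cert_err.verify_message = "certificate has expired"  # constructed value
    raise urllib.error.URLError(cert_err)


if __name__ == "__main__":
    url = "https://rules.example.invalid/index.yaml"  # placeholder URL
    print(fetch(url, cached=b"old index", fatal=False, opener=expired_cert_opener))
    try:
        fetch(url, opener=expired_cert_opener)
    except DownloadError as err:
        print("<Error> --", err)
```

The failure path never retries with verification disabled; the only fallback is data that was fetched earlier over a verified connection.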
