Bug #2348
closedpretty print ssl errors
Description
This morning the OISF SSL cert was invalid for a bit due to expiration. It's been fixed now. When it was expired I did get this error:
victor@c2758:~/rules$ /home/victor/dev/suricata-update/bin/suricata-update update-sources
9/12/2017 -- 08:17:28 - <Warning> -- No suricata application binary found on path.
9/12/2017 -- 08:17:28 - <Info> -- Using default Suricata version of 4.0.0
9/12/2017 -- 08:17:28 - <Info> -- Downloading https://www.openinfosecfoundation.org/rules/index.yaml
Traceback (most recent call last):
File "/home/victor/dev/suricata-update/bin/suricata-update", line 26, in <module>
sys.exit(main.main())
File "/home/victor/dev/suricata-update/suricata/update/main.py", line 1362, in main
sys.exit(_main())
File "/home/victor/dev/suricata-update/suricata/update/main.py", line 1139, in _main
return args.func()
File "/home/victor/dev/suricata-update/suricata/update/commands/updatesources.py", line 40, in update_sources
raise Exception("Failed to download index: %s: %s" % (url, err))
Exception: Failed to download index: https://www.openinfosecfoundation.org/rules/index.yaml: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>
I think there should be a nicer error message here.
Updated by Jason Ish over 6 years ago
Its too bad its a generic Exception rather than a typed one. What do you think should happen here. Fatal error? Or a warning, like you would get if the URL is 404?
Updated by Victor Julien over 6 years ago
Think it depends on the action. 'update-sources' should fail. 'list-sources' invoking 'update-sources' should give a warning about using an outdated index? Similar for rule downloads. Failure to download (ssl err, http 404) should lead to warning about still using outdated cached data. Make sense?
Updated by Jason Ish over 6 years ago
I've cleaned up the main issue here. When update-sources encounters a bad cert it will error out and look like:
14/12/2017 -- 14:36:46 - <Info> -- Found Suricata version 4.1.0-dev at /usr/local/bin/suricata. 14/12/2017 -- 14:36:46 - <Info> -- Downloading https://localhost:8000/index.yaml 14/12/2017 -- 14:36:46 - <Error> -- Failed to download index: https://localhost:8000/index.yaml: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>
Updated by Jason Ish over 6 years ago
- Status changed from New to Closed
- Target version set to 1.0.0b1
Fixed. Merged with https://github.com/OISF/suricata-update/pull/24.
Specific commit: https://github.com/OISF/suricata-update/pull/24/commits/6a6cf55a01c698858a027a9fae7c60341980d71c