Project

General

Profile

Bug #2348

pretty print ssl errors

Added by Victor Julien over 3 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

This morning the OISF SSL cert was invalid for a bit due to expiration. It's been fixed now. When it was expired I did get this error:

victor@c2758:~/rules$ /home/victor/dev/suricata-update/bin/suricata-update update-sources
9/12/2017 -- 08:17:28 - <Warning> -- No suricata application binary found on path.
9/12/2017 -- 08:17:28 - <Info> -- Using default Suricata version of 4.0.0
9/12/2017 -- 08:17:28 - <Info> -- Downloading https://www.openinfosecfoundation.org/rules/index.yaml
Traceback (most recent call last):
  File "/home/victor/dev/suricata-update/bin/suricata-update", line 26, in <module>
    sys.exit(main.main())
  File "/home/victor/dev/suricata-update/suricata/update/main.py", line 1362, in main
    sys.exit(_main())
  File "/home/victor/dev/suricata-update/suricata/update/main.py", line 1139, in _main
    return args.func()
  File "/home/victor/dev/suricata-update/suricata/update/commands/updatesources.py", line 40, in update_sources
    raise Exception("Failed to download index: %s: %s" % (url, err))
Exception: Failed to download index: https://www.openinfosecfoundation.org/rules/index.yaml: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>

I think there should be a nicer error message here.

#1

Updated by Jason Ish over 3 years ago

Its too bad its a generic Exception rather than a typed one. What do you think should happen here. Fatal error? Or a warning, like you would get if the URL is 404?

#2

Updated by Victor Julien over 3 years ago

Think it depends on the action. 'update-sources' should fail. 'list-sources' invoking 'update-sources' should give a warning about using an outdated index? Similar for rule downloads. Failure to download (ssl err, http 404) should lead to warning about still using outdated cached data. Make sense?

#3

Updated by Jason Ish over 3 years ago

I've cleaned up the main issue here. When update-sources encounters a bad cert it will error out and look like:

14/12/2017 -- 14:36:46 - <Info> -- Found Suricata version 4.1.0-dev at /usr/local/bin/suricata.
14/12/2017 -- 14:36:46 - <Info> -- Downloading https://localhost:8000/index.yaml
14/12/2017 -- 14:36:46 - <Error> -- Failed to download index: https://localhost:8000/index.yaml: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>

#4

Updated by Jason Ish over 3 years ago

  • Status changed from New to Closed
  • Target version set to 1.0.0b1

Also available in: Atom PDF