Bug #2348: pretty print ssl errors

Added by Victor Julien over 8 years ago. Updated over 8 years ago.

Status: Closed
Priority: Normal

Description

This morning the OISF SSL cert was invalid for a bit due to expiration. It's been fixed now. When it was expired I did get this error:

victor@c2758:~/rules$ /home/victor/dev/suricata-update/bin/suricata-update update-sources
9/12/2017 -- 08:17:28 - <Warning> -- No suricata application binary found on path.
9/12/2017 -- 08:17:28 - <Info> -- Using default Suricata version of 4.0.0
9/12/2017 -- 08:17:28 - <Info> -- Downloading https://www.openinfosecfoundation.org/rules/index.yaml
Traceback (most recent call last):
  File "/home/victor/dev/suricata-update/bin/suricata-update", line 26, in <module>
    sys.exit(main.main())
  File "/home/victor/dev/suricata-update/suricata/update/main.py", line 1362, in main
    sys.exit(_main())
  File "/home/victor/dev/suricata-update/suricata/update/main.py", line 1139, in _main
    return args.func()
  File "/home/victor/dev/suricata-update/suricata/update/commands/updatesources.py", line 40, in update_sources
    raise Exception("Failed to download index: %s: %s" % (url, err))
Exception: Failed to download index: https://www.openinfosecfoundation.org/rules/index.yaml: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)>

I think there should be a nicer error message here.

Updated by Jason Ish over 8 years ago (#1)

It's too bad it's a generic Exception rather than a typed one. What do you think should happen here? Fatal error? Or a warning, like you would get if the URL is 404?

Updated by Victor Julien over 8 years ago (#2)

Think it depends on the action. 'update-sources' should fail. 'list-sources' invoking 'update-sources' should give a warning about using an outdated index? Similar for rule downloads. Failure to download (ssl err, http 404) should lead to a warning about still using outdated cached data. Make sense?

Updated by Jason Ish over 8 years ago (#3)

I've cleaned up the main issue here. When update-sources encounters a bad cert it will error out and look like:

14/12/2017 -- 14:36:46 - <Info> -- Found Suricata version 4.1.0-dev at /usr/local/bin/suricata.
14/12/2017 -- 14:36:46 - <Info> -- Downloading https://localhost:8000/index.yaml
14/12/2017 -- 14:36:46 - <Error> -- Failed to download index: https://localhost:8000/index.yaml: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>

Updated by Jason Ish over 8 years ago (#4)

  • Status changed from New to Closed
  • Target version set to 1.0.0b1
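
The handling discussed in comments #1 and #2, as an added example that is not suricata-update's own code: it classifies the download error by type and picks "error" or "warning" per command, without ever falling back to an unverified download. The function names, the placeholder URL, Python 3.7+ (for `ssl.SSLCertVerificationError`) and treating a missing cache as an error are assumptions.

```python
import ssl
import urllib.error

# Policy from comment #2: these commands fail hard on a download error;
# any other command may continue on cached data with a warning.
FATAL_COMMANDS = {"update-sources"}


def describe_download_error(url, err):
    """Return a one-line description of a urllib download failure."""
    if isinstance(err, urllib.error.HTTPError):  # check first: subclass of URLError
        return "%s: HTTP %d %s" % (url, err.code, err.reason)
    reason = getattr(err, "reason", err)
    if isinstance(reason, ssl.SSLCertVerificationError):
        # verify_message carries OpenSSL's text, e.g. "certificate has expired".
        detail = getattr(reason, "verify_message", None) or "certificate verify failed"
        return "%s: TLS certificate verification failed (%s)" % (url, detail)
    if isinstance(reason, ssl.SSLError):
        return "%s: TLS error: %s" % (url, getattr(reason, "reason", None) or reason)
    return "%s: %s" % (url, reason)


def handle_index_failure(command, url, err, have_cache):
    """Map a failed index download to (log level, message); never retries unverified."""
    msg = "Failed to download index: " + describe_download_error(url, err)
    # Assumption: with no cached index there is nothing to fall back to.
    if command in FATAL_COMMANDS or not have_cache:
        return ("error", msg)
    return ("warning", msg + "; using outdated cached index")


def constructed_expired_cert_error():
    """Constructed sample: the URLError urlopen raises for an expired certificate."""
    cert = ssl.SSLCertVerificationError(
        1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed")
    cert.verify_message = "certificate has expired"  # set by the ssl module on real errors
    return urllib.error.URLError(cert)


if __name__ == "__main__":
    url = "https://example.invalid/index.yaml"  # placeholder URL
    for command in ("update-sources", "list-sources"):
        print(handle_index_failure(command, url, constructed_expired_cert_error(), True))
```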