[BUG][FR] Impossible to specify SSL certification #6939

Closed
LucaMingarelli opened this issue Nov 7, 2024 · 7 comments · Fixed by #6976
Labels: enhancement

Comments

@LucaMingarelli

What's the problem of not having this feature?
This feature is essential as its lack prevents using openbb at all when SSL certification is required to connect to the network.

Solution
The library should have some way to specify the path to the SSL certificate. When using requests this would be for example set in the verify attribute of the session. Therefore I would see two options:

  • Exposing explicitly the session from request instantiated (e.g. I see it in yfinance/data.py, line 73). This would mean having the session exposed as an attribute for example obb.session, so that its attributes can be modified.
  • Specifying a variable in the .env file which will then be picked up when creating a request.Session() in a similar manner to what is done for proxies.

@deeleeramone
Contributor

Hi there,

You can install this package, https://pypi.org/project/pip-system-certs/, that will force Python to use the system trust store instead of from the certifi package.

Alternatively, the requests library allows you to define environment variables:

REQUESTS_CA_BUNDLE

@deeleeramone
Contributor

deeleeramone commented Dec 1, 2024

@LucaMingarelli, PR #6976 should resolve the issue and provide a way to define these values across all HTTP requests submitted by OpenBB functions, globally. Please try it out, if you have the opportunity.

@LucaMingarelli
Author

> The library should have some way to specify the path to the SSL certificate. When using requests this would be for example set in the verify attribute of the session. Therefore I would see two options:

Yes, although this may also interfere with settings from other libraries.

@LucaMingarelli
Author

> @LucaMingarelli, PR #6976 should resolve the issue and provide a way to define these values across all HTTP requests submitted by OpenBB functions, globally. Please try it out, if you have the opportunity.

This looks great! I'll try to test it asap

@piiq
Contributor

piiq commented Dec 5, 2024

@LucaMingarelli hi 👋 thanks for this issue
Can you please give me an example where you would have 2 libraries in the same application/environment that require different certificates for the requests library at the same time? I'm just trying to understand the use case here

@LucaMingarelli
Author

Hi @piiq

I am not fully sure on the more technical details, but internally at work we have two different data sources: one which requires that no certificate is specified, the other requiring a specific certificate. Setting the env variable would mean being able to connect to only one of the two sources. For this reason we pass explicitly the path to certificates when instantiating two different sessions.

I hope it helps!

@deeleeramone
Contributor

deeleeramone commented Jan 21, 2025

Hi, @LucaMingarelli, the proposed solution for this issue has been merged to the develop branch and will be available when the next version is released.

The HTTP and HTTPS connections should be able to live simultaneously in the same environment.

The implementation here does two things:

  • trust_env is disabled in both Requests (yFinance, etc.) and AIOHTTP (most other data sources), environment variables can be supplied, but the system_settings.json will take priority; it will be best to not set environment variables.
    • at the Python-level, importing from openbb_core.provider.utils.helpers import make_request, amake_request, amake_requests will be configured for use with the supplied cert, while import requests will not.
  • the certificate path - cafile key - will be combined with certifi.where() and be made available for the duration of the session.

Additionally, SSL verification can be globally disabled with "verify_ssl": false

Supplying a proxy will automatically disable SSL verification, as is recommended for both Requests and AIOHTTP.

~/.openbb_platform/system_settings.json

{
    "python_settings": {
        "http": {
            "cafile": "/Path/to/ca_file/",
            "password": null,
            "verify_ssl": null,
            "fingerprint": null,
            "proxy": null,
            "proxy_auth": null,
            "proxy_headers": null,
            "timeout": 5,
            "auth": null,
            "headers": null,
            "cookies": null
        },
        "uvicorn": {
            "ssl_certfile": "/path/to/deploy_server_cert",
            "ssl_keyfile": "/path/to/deploy_server_key"
        }
    }
}

Please open a new issue if the implementation fails to meet your requirements, or things do not work as expected.
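
Added example (not part of the thread and not OpenBB code): a small audit of the `python_settings.http` block described in the comment above, flagging the states in which TLS verification ends up off or a CA path is unusable. The function name, severity labels, proxy hostname and sample values are constructed for illustration; the keys and the stated behaviour come from the comment.

```python
import json
import os

# Constructed sample mirroring the "http" block shown in the comment above.
SAMPLE = """
{
  "python_settings": {
    "http": {
      "cafile": "/Path/to/ca_file/",
      "verify_ssl": false,
      "proxy": "http://proxy.example.internal:3128",
      "timeout": 5
    }
  }
}
"""

# Variables Requests and AIOHTTP honour only when trust_env is enabled.
ENV_VARS = ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE", "HTTPS_PROXY", "HTTP_PROXY")


def audit_http_settings(settings, environ=None, isfile=os.path.isfile):
    """Return (severity, message) findings for the python_settings.http block."""
    environ = os.environ if environ is None else environ
    http = (settings.get("python_settings") or {}).get("http") or {}
    findings = []
    if http.get("verify_ssl") is False:
        findings.append(("high", "verify_ssl is false: certificates are not validated"))
    if http.get("proxy"):
        # Per the maintainer's comment, supplying a proxy switches verification off.
        findings.append(("high", "proxy is set: SSL verification is disabled automatically"))
    cafile = http.get("cafile")
    if cafile and not isfile(cafile):
        # A directory or a missing path cannot be merged with the certifi bundle.
        findings.append(("medium", f"cafile {cafile!r} is not an existing file"))
    for name in ENV_VARS:
        if environ.get(name):
            # The comment advises against env vars: system_settings.json wins.
            findings.append(("info", f"{name} is set but system_settings.json takes priority"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_http_settings(json.loads(SAMPLE), environ={}):
        print(f"[{severity}] {message}")
```

Run it against the parsed contents of `~/.openbb_platform/system_settings.json` to review a deployment before relying on its HTTPS connections.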
