COMMUNITY

SSL for HTTP and Python target on Windows

Hello all,
I’ve noticed a changelog for Haxe Preview 3 stating that SSL support had been added for Python target.

My issue is related to HTTPS calls to API that does not provide certificates (you can try with Steam API).
Here is the standard error regarding such request:

__main__._HxException: SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)')

That is a normal Python behavior since outputted code by Haxe does set the verification mode for the context used for HTTP request as “required”
context.verify_mode = python_lib_Ssl.CERT_REQUIRED
For a reminder default context created by SSL lib in python has
verify_mode set to CERT_NONE. Thus by default Haxe output forces certificate verification.
Since Preview 3 I assume, this has been changed and you can actually use a default context by specifying a python_version >= 3.4. This correctly set verify_mode to CERT_NONE…

But then here’s the error:

  File "C:\Python37\lib\ssl.py", line 412, in wrap_socket
    session=session
  File "C:\Python37\lib\ssl.py", line 810, in _create
    raise ValueError("check_hostname requires server_hostname")
ValueError: check_hostname requires server_hostname

Do you have any idea why such error?

Especially when urllib does work and I was under the impression that it was the library used by the haxe.Http class…

import urllib.request
response = urllib.request.urlopen(
    "https://api.steampowered.com/ISteamNews/GetNewsForApp/v2/?appid=440&count=3"
)
print(response.read())

Is it an issue to be opened on github?

Best regards;

Editing python.net.SslSocket like so:

#if (python_version >= 3.4)
var context = Ssl.create_default_context(Purpose.SERVER_AUTH);

to

#if (python_version >= 3.4)
var context = Ssl.create_default_context(Purpose.SERVER_AUTH);
context. check_hostname = false;

Solve the issue but I’m not sure of they implication related to certificates it might just be a dirty workaround…

Any ideas?

Best regards;