braintree calls raise NoCertificate when setdefaulttimeout() has been used. about braintree_python HOT 9 CLOSED

Thanks for the detailed description of what is going wrong. We're looking into reproducing this, and I'll get back to you when I have more information.

In the meantime, does turning off SSL verification by setting braintree.Configuration.use_unsafe_ssl = True stop the error from occurring?

from braintree_python.

Yes, use_unsafe_ssl stops the error, though it does of course introduce a pretty awful security hole.

from braintree_python.

I've successfully reproduced the issue locally.

It looks like pycurl might be able to work for us. I'll look into supporting swapping it in for M2Crypto in the Python client library and keep you posted.

from braintree_python.

Thank you.

A heads-up regarding pycurl: It is not a pure-python library, which means we won't be able to use it when we migrate to Google App Engine. When that time comes (probably in about 4 months) we will need another option. We are preparing our own code for this in two ways:

• We have a generic http/https fetcher interface which currently calls pycurl but could easily call python's standard urllib2 or App Engine's urlfetch service instead, without affecting the rest of our application.
• For third-party libraries that expose a pluggable http fetcher system (e.g. openid) we implement our own fetcher plugin for the library to use.

from braintree_python.

Hi foresto,

Just wanted to give you an update on my progress so far. I've completed the switch from M2Crypto to PycURL in our code base, and so the change should be included in our next release.

Regarding your Google App Engine migration, do you know of a way to verify SSL certificates on that platform? My initial research seems to show that they don't support it [1], but perhaps you know of a workaround?

I'll update this issue again once we've released the new version,

Paul

[1] http://code.google.com/appengine/docs/python/urlfetch/overview.html#Secure_Connections_and_HTTPS

from braintree_python.

Thanks for the good news, Paul. By the way, you'll probably want to pay attention to the NOSIGNAL option when using pycurl, to keep your API safe for use with threaded code. In my own pycurl wrapper, I use setopt( pycurl.NOSIGNAL, 1) when instantiating a Curl object.

App Engine's urlfetch service does not yet verify SSL certificates. It's an open issue in their bug tracker for now, but I don't expect that to last for long. They have been filling in missing pieces every couple of months, paying particular attention to features that enable common classes of application. For example, https on custom domain names was an open issue until recently, and is now on their roadmap for an end-of-year release. App Engine for Business is driving some of this work forward.

In the mean time, we're preparing our application so we can make the switch in production as soon as possible. As long as Braintree's API continues to work on App Engine (it currently does so with use_unsafe_ssl) we can continue using it in our new code. Certificate verification isn't really needed while we're still porting and testing.

from braintree_python.

Thanks for the additional information, foresto. Version 2.6.0 of the client library is now available, which uses PycURL for SSL verification, and should take care of this issue. Let us know if you run into any troubles with SSL verification in the new version.

from braintree_python.

Update: It looks like App Engine release 1.4.2 added server certificate validation. References:

http://code.google.com/p/googleappengine/issues/detail?id=3400#c5

http://code.google.com/appengine/docs/python/urlfetch/overview.html#Secure_Connections_and_HTTPS

from braintree_python.

Thanks for the heads up. We'll take a look and see if we can use an SSL verification strategy that will work with GAE.

from braintree_python.