SSL exception with urllib2

Hi all, on a system with Ignition 7.9.18 I have a script that makes requests to a web service bypassing the SSL validation, the code is basically something like that:

from javax.net.ssl import SSLContext
SSLContext.setDefault(TRUST_ALL_CONTEXT)
try:
	[...]
	request = urllib2.Request(url,headers=header,data=data)
	response = urllib2.urlopen(request)
	responseContent = response.read()
	response.close()
	[...]
finally:
	SSLContext.setDefault(DEFAULT_CONTEXT)

Where TRUST_ALL_CONTEXT is a X509TrustManager that doesn’t makes any certificate check. Then there is a gateway timer that calls the method containing this piece of code.
This code was working like a charm until some days ago, then it started, sometimes, to throw this error:

SSL exception: Differences between the SSL socket behaviour of cpython vs. jython are explained on the wiki

The error is thrown on the urlopen call. Strange thing is that the same exact piece of code is called from another gateway timer, on another web server which (for what I know) should be a mirror of the one that leads to the error.
Does anyone have a clue of what the problem could be?
Many thanks in advance,
Francesco

My only guess is that it has something to do with multi-threading. Do you have multiple of these scripts running by any chance?

Setting, doing your script, and then resetting the global SSLContext like that is not a mutually exclusive action. If anything else is attempting to do something like this at the same time it could interleave and un-set your TRUST_ALL_CONTEXT.

You’d probably be better off using one of the system.net.http* functions and setting the bypassCertValidation parameter.

Yes, the two gateway timers are running in parallel, so in fact it could be the problem. Is there any best practice to handle this? Could I simply define a lock object at module level and simply do acquire/release wrapping the piece of code giving the problem?
Anyway, the strange thing is that those two timers have worked without giving any problem till some days ago, and now only one of the two started throwing the exception.

I will certainly giving a try, but I ended using urllib because of some other kind of problem with the system.net.* functions.

One other thing: separating the two timers in two different projects could make any difference?

Well… best practice would be to not use global state like this. Separating them into different projects will not make a difference.

You’ll have to use some kind of locking mechanism (or somehow ensure mutually exclusive access) and then hope that nothing in the Ignition platform or modules is ever modifying the global state, because it obviously wouldn’t know anything about your lock (I don’t think anything does).

1 Like

Ah, here’s a dirty hack: if it’s okay that both these scripts run at the same interval just combine them into one script instead of having two running in parallel.

Many thanks for the help. When I wrote that piece of code, it was the only option I’ve found to solve the problem of running the urlopen with no ssl validation: I would appreciate if someone can propose me another option :slight_smile: (Ignition 7.9, Jython < 2.7, don’t remember which version exactly)

Unfortunately merging into the same script is not possible, for various reasons not related to the problem.
I will try those things:

  • run the script leaving the default context, to verify that I get the same problem (if I won’t, will it be a guarantee that the problem is not related to a concurrency problem?)
  • use the system.net.httpClient/httpGet, just like you mentioned