SSL certificate verify failure using django and Mozilla Persona


I'm trying to build a simple web app using Django. I'd like a minimal user model with verification using Mozilla Persona. Using Persona happens without a hitch, until the SSL certificate fails when tossing the authentication (success or failure) back to the Django app.

I know there is a lot on Stack Overflow already about SSL errors, but I haven't turned up anything that works in this case. For example, trying to use verify = False when using the requests package still produces the error.

I was able to replicate the error in a minimal example app using the default settings for a new Django project and following the boilerplate installation for django_browserid. Even if this can be hacked, it might be worth noting in either the django_browserid docs or the Persona documentation if someone knows how to remedy this annoying bug.

I've put this minimal example with instructions on GitHub.com at:

https://github.com/pedmiston/ssl_error

The actual error, with [blob] substituted in place of the assertion, is:

Error while verifying assertion [blob] with audience http://localhost:8000.
[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)

I'm on OSX Mavericks.


Update: I was able to get the minimal example to pass using sigmavirus24's answer, by adding the following to my virtualenv's src/django_browserid/base.py:

class RemoteVerifier(object):
    """
    Verifies BrowserID assertions using a remote verification service.

    By default, this uses the Mozilla Persona service for remote verification.
    """
    verification_service_url = 'https://verifier.login.persona.org/verify'
    requests_parameters = {
        'timeout': 5,
        'verify': False,
    }
    # ...

This is great, and it gets the minimal example to pass (and assures me that this isn't really a django_browserid or Persona error?).

However, it does just kind of bypass the merits of the verification procedure. Now that the error has been localized, any suggestions for how to fix it?

I've been reading that there were some changes in OS X when Mavericks came around, in a switch from OpenSSL to Apple's own Secure Transport engine. If this is the cause of the problem I'm having, then it might be worth knowing for others who run into a similar problem when using Mavericks.

Best answer

Looking at your example app and its sole dependency, it seems your trouble is coming from this line in django_browserid. I'm not familiar with your app or django_browserid, but if you can pass verify=False to https://github.com/mozilla/django-browserid/blob/66641335751b869562ba7a554e61ca56bc880257/django_browserid/base.py#L167 this should solve your problems. In other words, if you specify which Verifier you use, then it should do something like

    from django_browserid.base import RemoteVerifier

    verifier = RemoteVerifier()
    # requests_parameters is forwarded to requests; False turns off certificate verification
    verifier.requests_parameters['verify'] = False

    # or, per call (assertion and audience are the values being verified)

    verifier.verify(assertion, audience, verify=False)

Of course, you didn't show any code where you were doing that, so that could be what you meant when you said:

For example, trying to use verify = False when using the requests package still produces the error.

But I can't tell that from the code you have posted.
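The question's update asks how to get past the error without 'verify': False. The verify parameter of requests also accepts a path to a CA bundle, so the following added example (not part of the original question or answer, and not django_browserid code) builds a requests_parameters dict that keeps verification on. The helper names are hypothetical, and it assumes the failure comes from Python not finding a usable CA bundle.

```python
import os
import ssl


def loads_trust_anchors(path):
    """True if `path` is a PEM file holding at least one CA certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except (ssl.SSLError, OSError):
        return False
    return len(ctx.get_ca_certs()) > 0


def find_ca_bundle(environ=None):
    """Return the first candidate CA bundle that exists and parses, else None."""
    environ = os.environ if environ is None else environ
    candidates = [
        environ.get("REQUESTS_CA_BUNDLE"),      # read by requests itself
        environ.get("SSL_CERT_FILE"),           # read by OpenSSL
        ssl.get_default_verify_paths().cafile,  # default for this Python build
    ]
    try:
        import certifi  # optional third-party CA bundle package
        candidates.append(certifi.where())
    except ImportError:
        pass
    for path in candidates:
        # Skip unset, missing or unparseable bundles and try the next one.
        if path and os.path.isfile(path) and loads_trust_anchors(path):
            return path
    return None


def verified_requests_parameters(timeout=5, environ=None):
    """Build a requests_parameters dict that never disables verification."""
    bundle = find_ca_bundle(environ)
    # With no bundle found, True leaves requests' own default verification on,
    # so a trust problem still surfaces as CERTIFICATE_VERIFY_FAILED.
    return {"timeout": timeout, "verify": bundle or True}


if __name__ == "__main__":
    print(ssl.get_default_verify_paths())
    print(verified_requests_parameters())
```

The returned dict can stand in for the requests_parameters attribute shown in the question's RemoteVerifier snippet.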