Feedback

  Suggest improvement

  Edit page

  View page source

HTTPS connection support

This documentation section outlines different options to connect to CrateDB using SSL/TLS.

Table of Contents

Introduction

The CrateDB client is able to connect via HTTPS.

A check against a specific CA certificate can be made by creating the client with the path to the CA certificate file using the keyword argument ca_cert.

Note

By default, SSL server certificates are verified. To disable verification, use the keyword argument verify_ssl_cert. If it is set to False, server certificate validation will be skipped.

All the following examples will connect to a host using a self-signed certificate.

The CrateDB Python driver package offers a HTTP client API object.

>>> from crate.client import http
>>> HttpClient = http.Client

With certificate verification

When using a valid CA certificate, the connection will be successful:

>>> client = HttpClient([crate_host], ca_cert=cacert_valid)
>>> client.server_infos(client._get_server())
('https://localhost:65534', 'test', '0.0.0')

When not providing a ca_cert file, the connection will fail:

>>> client = HttpClient([crate_host])
>>> client.server_infos(crate_host)
Traceback (most recent call last):
...
crate.client.exceptions.ConnectionError: Server not available, ...certificate verify failed...

Also, when providing an invalid ca_cert, an error is raised:

>>> client = HttpClient([crate_host], ca_cert=cacert_invalid)
>>> client.server_infos(crate_host)
Traceback (most recent call last):
...
crate.client.exceptions.ConnectionError: Server not available, ...certificate verify failed...

Without certificate verification

When turning off certificate verification, calling the server will succeed, even when not providing a valid CA certificate:

>>> client = HttpClient([crate_host], verify_ssl_cert=False)
>>> client.server_infos(crate_host)
('https://localhost:65534', 'test', '0.0.0')

Without verification, calling the server will even work when using an invalid ca_cert:

>>> client = HttpClient([crate_host], verify_ssl_cert=False, ca_cert=cacert_invalid)
>>> client.server_infos(crate_host)
('https://localhost:65534', 'test', '0.0.0')

X.509 client certificate

The CrateDB driver also supports client certificates.

The HttpClient constructor takes two keyword arguments: cert_file and key_file. Both should be strings pointing to the path of the client certificate and key file:

>>> client = HttpClient([crate_host], ca_cert=cacert_valid, cert_file=clientcert_valid, key_file=clientcert_valid)
>>> client.server_infos(crate_host)
('https://localhost:65534', 'test', '0.0.0')

When using an invalid client certificate, the connection will fail:

>>> client = HttpClient([crate_host], ca_cert=cacert_valid, cert_file=clientcert_invalid, key_file=clientcert_invalid)
>>> client.server_infos(crate_host)
Traceback (most recent call last):
...
crate.client.exceptions.ConnectionError: Server not available, exception: HTTPSConnectionPool...

The connection will also fail when providing an invalid CA certificate:

>>> client = HttpClient([crate_host], ca_cert=cacert_invalid, cert_file=clientcert_valid, key_file=clientcert_valid)
>>> client.server_infos(crate_host)
Traceback (most recent call last):
...
crate.client.exceptions.ConnectionError: Server not available, exception: HTTPSConnectionPool...

Relaxing minimum SSL version

urrlib3 v2 dropped support for TLS 1.0 and TLS 1.1 by default, see Modern security by default - HTTPS requires TLS 1.2+. If you need to re-enable it, use the ssl_relax_minimum_version flag, which will configure kwargs["ssl_minimum_version"] = ssl.TLSVersion.MINIMUM_SUPPORTED.

>>> client = HttpClient([crate_host], ssl_relax_minimum_version=True, verify_ssl_cert=False)
>>> client.server_infos(crate_host)
('https://localhost:65534', 'test', '0.0.0')