Disable SSL Verification to resolve certificate verification error #76

Closed

heliosrev

This pull request addresses the certificate verification error that is occurring when attempting to post to https://XXX.XXX.XXX.XXX/graphql. The error message is as follows:

WARNING | Error posting to https://xxx.xxx.xxx.xxx/graphql: Cannot connect to host xxx.xxx.xxx.xxx:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:992)')]

Changes Made

To resolve this issue, I have temporarily disabled SSL verification. While this is not a permanent solution, it will allow the connection to be established without the certificate verification error. Please note that this is a temporary measure, and a more robust solution for handling SSL certificates should be implemented in the future.

Testing

I have tested the changes in this pull request, and I can confirm that the error no longer occurs, and the connection to https://XXX.XXX.XXX.XXX/graphql is successful.

Review

I kindly request a review of this pull request to ensure that it correctly addresses the certificate verification error. Additionally, I welcome any suggestions for a more permanent solution to handle SSL certificates in a secure manner.

Thank you for your attention to this matter.

@nikitastupin
Owner

Hi @heliosrev,

Thanks for the pull request!

Did you try the -k / --no-ssl option to disable certificate verification?

@@ -55,6 +55,7 @@ async def post(
self._url,
json=gql_document,
proxy=self.proxy,
verify_ssl=False
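Review bot: `verify_ssl=False` is passed as a literal in the `post` call, so certificate validation is switched off for every request this method sends, with no way for the caller to keep it on. Take the value from a setting that defaults to verification on (the review comment below points at `self.disable_ssl_verify`) rather than hard-coding it. The new last argument is also missing the trailing comma that the arguments above it carry.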
Collaborator


There is an option to handle certification skipping, available here in code in the self.disable_ssl_verify property and with the aforementioned flags in CLI. The option is respected above (in line 47: aiohttp.TCPConnector(verify_ssl=(not self.disable_ssl_verify)))

Currently I am unable to make tests for the invalid SSL/TLS certifications, but the way it's done is deprecated, according to the aiohttp documentation:

verify_ssl (bool) –
perform SSL certificate validation for HTTPS requests (enabled by default). May be disabled to skip validation for sites with invalid certificates.
Deprecated since version 2.3: Pass verify_ssl to ClientSession.get() etc.

If you are still interested in this PR, I'd suggest making a change that respects the option; otherwise I plan to make another PR during the next weekend.

@Privat33r-dev
Collaborator

Deprecated parameter resolved in #106.

Feature is working currently despite deprecation.

Without flag

python -m clairvoyance https://expired.badssl.com/
[TIME]     INFO    | Starting blind introspection on https://expired.badssl.com/...
[TIME]     INFO    | Iteration 1
[TIME]     WARNING | Error posting to https://expired.badssl.com/: Cannot connect to host expired.badssl.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1000)')]

With flag (error is expected)

python -m clairvoyance https://expired.badssl.com/ -k
[TIME]     INFO    | Starting blind introspection on https://expired.badssl.com/...
[TIME]     INFO    | Iteration 1
[TIME]     WARNING | Error posting to https://expired.badssl.com/: Expecting value: line 1 column 1 (char 0)
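One way to keep verification on by default, honour the `-k` / `--no-ssl` opt-out, and handle the "unable to get local issuer certificate" case by trusting the issuer instead of disabling checks. This is an added example, not clairvoyance's own code: `parse_tls_args`, `build_ssl_argument` and the `--ca-bundle` flag are hypothetical names, and the returned value is meant for aiohttp's `ssl=` parameter, where `False` skips validation.

```python
import argparse
import ssl
from typing import Optional, Sequence, Union


def parse_tls_args(argv: Optional[Sequence[str]] = None) -> argparse.Namespace:
    parser = argparse.ArgumentParser(prog="tls-options-example")
    # The two choices contradict each other, so argparse rejects using both.
    group = parser.add_mutually_exclusive_group()
    # -k / --no-ssl are the flags named in this thread; verification is on by default.
    group.add_argument("-k", "--no-ssl", dest="disable_ssl_verify",
                       action="store_true")
    # --ca-bundle is a hypothetical flag: a PEM file holding the issuer CA to trust.
    group.add_argument("--ca-bundle", metavar="PEM", default=None)
    return parser.parse_args(argv)


def build_ssl_argument(disable_ssl_verify: bool = False,
                       ca_bundle: Optional[str] = None
                       ) -> Union[ssl.SSLContext, bool]:
    """Return the value to pass as aiohttp's `ssl=` parameter."""
    if disable_ssl_verify:
        # Explicit opt-out only: no chain or hostname checks are performed.
        return False
    # Default context: CERT_REQUIRED, hostname checking, system trust store.
    ctx = ssl.create_default_context()
    if ca_bundle:
        # Adds the given CA(s) to the system roots; raises FileNotFoundError
        # if the path is wrong, so a typo cannot silently weaken anything.
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


if __name__ == "__main__":
    args = parse_tls_args()
    ssl_arg = build_ssl_argument(args.disable_ssl_verify, args.ca_bundle)
    # With aiohttp the value is passed per request, for example:
    #   session.post(url, json=document, ssl=ssl_arg)
    print("verification disabled" if ssl_arg is False else "verification enabled")
```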

@nikitastupin
Owner

Closing due to inactivity and because we have the -k / --no-ssl flag. Feel free to reopen if you think it should be merged!
