Can't download de421.bsp due to new OpenSSL restriction (Update: Fixed by JPL)
See original GitHub issueI’m reporting this, despite the fact it’s not strictly caused by Skyfield itself, but I’ve encoutered it a few times recently. I’m getting an error when trying to download ds421.bsp, the error looks like this:
OSError: cannot download https://ssd.jpl.nasa.gov/ftp/eph/planets/bsp/de421.bsp because
<urlopen error [SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation
disabled (_ssl.c:1129)>
This appears to be caused by an update to OpenSSL which now blocks websites that have not had the security issue CVE-2009-3555 fix yet. Apparently JPL’s website is such a website. The OpenSSL checkin that’s causing the crash can be found here:
https://github.com/openssl/openssl/commit/72d2670bd21becfa6a64bb03fa55ad82d6d0c0f3
I found a detailed discussion of the issue, and a work around here:
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1963834
Although I applied the fix (at a system level), and it worked, clearly the fix is that JPL needs to update their website, however as this is causing Skyfield to essentially break, I wondered if a work around, perhaps fetching this (and probably other affected files) from another location might be a good fix.
Of course, the best way to fix it would be to get JPL to fix their webserver, but I don’t know how realistic that is, knowing how NASA IT works.
Issue Analytics
- State:
- Created a year ago
- Comments:6 (1 by maintainers)
Top GitHub Comments
I contacted JPL folks about this, and they passed on the issue to their IT. Didn’t sound very convinced a fix would be quick, but it might happen.
I’ve looked into this some more and there is a work around. Here is a modified snippet from iokit.py:
The
ssl_context.options |= 4
enablesOP_LEGACY_SERVER_CONNECT
. Full credit, I found this solution on here:SSL error unsafe legacy renegotiation disabled
I tested the above change, and it fixed the issue on my computer at least.