
SNOW-1774037: OCSP check fails when exception is not of type RevocationCheckError #2094

Open
knowhoper opened this issue Oct 30, 2024 · 2 comments
Labels
bug status-triage_done Initial triage done, will be further handled by the driver team

Comments


knowhoper commented Oct 30, 2024

### Python version

3.10.3

### Operating system and processor architecture

macOS-14.7-arm64-arm-64bit

### Installed packages

```text
asn1crypto==1.5.1
certifi==2024.8.30
cffi==1.17.1
charset-normalizer==3.4.0
cryptography==43.0.3
filelock==3.16.1
idna==3.10
packaging==24.1
platformdirs==4.3.6
pycparser==2.22
PyJWT==2.9.0
pyOpenSSL==24.2.1
pytz==2024.2
requests==2.32.3
sortedcontainers==2.4.0
tomlkit==0.13.2
typing_extensions==4.12.2
urllib3==2.2.3
snowflake-connector-python==3.12.3
```

### What did you do?

OCSP errors fail when the Exception thrown is not of type RevocationCheckError. This is on any invocation of the connector in our infrastructure - currently trying to diagnose why we have OCSP issues.

Fails with error:

```text
  File "/opt/pysetup/.venv/lib/python3.10/site-packages/snowflake/connector/ocsp_snowflake.py", line 1147, in verify_fail_open
    if ex_obj.errno is ER_OCSP_RESPONSE_CERT_STATUS_REVOKED:
AttributeError: 'TypeError' object has no attribute 'errno'
```

### What did you expect to see?

A more concise OCSP error or results from the Snowflake service.

https://github.com/snowflakedb/snowflake-connector-python/blob/main/src/snowflake/connector/ocsp_snowflake.py#L1147

This line fails when the exception passed is of type Exception, as Exception has no `errno` property. This is causing issues in our stack due to some OCSP error in our infrastructure that we can't diagnose, because the error routine in the connector is incorrect.

### Can you set logging to DEBUG and collect the logs?

```python
import logging
import os

for logger_name in ('snowflake.connector',):
    logger = logging.getLogger(logger_name)
    logger.setLevel(logging.DEBUG)
    ch = logging.StreamHandler()
    ch.setLevel(logging.DEBUG)
    ch.setFormatter(logging.Formatter('%(asctime)s - %(threadName)s %(filename)s:%(lineno)d - %(funcName)s() - %(levelname)s - %(message)s'))
    logger.addHandler(ch)
```
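The failure mode reported above is a fail-open routine that assumes every exception it receives carries an `errno`. The following is an added example (not the connector's code; the error-code values and the `RevocationCheckError` stand-in are constructed assumptions) of a `verify_fail_open` that keeps the revoked-certificate hard stop, only soft-fails recognised revocation-check errors, and surfaces any other exception type with its cause chained instead of crashing on a missing attribute:

```python
"""Added example, not code from snowflake-connector-python.
Names below are hypothetical stand-ins for the connector's internals."""
import logging

logger = logging.getLogger(__name__)

# Error codes: the REVOKED name appears in the reported traceback; all
# numeric values here are constructed for the example.
ER_OCSP_RESPONSE_CERT_STATUS_REVOKED = 254003
ER_OCSP_RESPONSE_FETCH_FAILURE = 254001
ER_OCSP_UNEXPECTED_ERROR = 254099


class RevocationCheckError(Exception):
    """Hypothetical stand-in: an OCSP error that carries an errno."""

    def __init__(self, msg: str, errno: int) -> None:
        super().__init__(msg)
        self.msg = msg
        self.errno = errno


def verify_fail_open(ex_obj: BaseException, fail_open: bool) -> bool:
    """Return True if the connection may proceed despite an OCSP failure.

    - A revoked certificate never passes, regardless of mode.
    - Any other RevocationCheckError (responder unreachable, timeout, ...)
      passes only when fail-open mode is enabled.
    - Anything that is not a RevocationCheckError is an unexpected condition:
      it is never failed open, and is re-raised wrapped in RevocationCheckError
      with the original exception chained, so the real cause stays visible.
    """
    if not isinstance(ex_obj, RevocationCheckError):
        raise RevocationCheckError(
            f"unexpected error during OCSP check: "
            f"{type(ex_obj).__name__}: {ex_obj}",
            errno=ER_OCSP_UNEXPECTED_ERROR,
        ) from ex_obj
    # Compare with ==, not identity, when checking integer error codes.
    if ex_obj.errno == ER_OCSP_RESPONSE_CERT_STATUS_REVOKED:
        logger.error("certificate revoked, refusing to fail open: %s", ex_obj.msg)
        return False
    if fail_open:
        logger.warning("OCSP check soft-failed (errno %d), proceeding: %s",
                       ex_obj.errno, ex_obj.msg)
        return True
    logger.error("OCSP check failed in fail-closed mode: %s", ex_obj.msg)
    return False
```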
@github-actions github-actions bot changed the title OCSP check fails when execption is not of type RevocationCheckError SNOW-1774037: OCSP check fails when execption is not of type RevocationCheckError Oct 30, 2024
@sfc-gh-dszmolka sfc-gh-dszmolka self-assigned this Nov 1, 2024
@sfc-gh-dszmolka sfc-gh-dszmolka added status-triage Issue is under initial triage and removed needs triage labels Nov 1, 2024

sfc-gh-dszmolka commented Nov 1, 2024

Hi, thanks for raising this issue with us. Taking a look. Do you think it would be possible to post a full(er) stack of the error thrown? We're supposed to raise a RevocationCheckError when the OCSP server is not reachable, so I'm really curious what else is going on here.

Edit: regarding diagnosing why you're having OCSP errors, this could be helpful:

  • Run SYSTEM$ALLOWLIST() (or ALLOWLIST_PRIVATELINK() if you're using PL) in your Snowflake account, and take note of every OCSP-related endpoint. Note that they indeed do operate on port 80, and they should.
  • Work with the infra/cloud people to allow connectivity to these endpoints over port 80.
    Nothing user-related or sensitive is going over the wire unencrypted, only information which is already public (certificates and their validity/non-validity).

@sfc-gh-dszmolka sfc-gh-dszmolka added the status-information_needed Additional information is required from the reporter label Nov 1, 2024

knowhoper commented Nov 2, 2024

Hi @sfc-gh-dszmolka, thank you for the follow-up. Yes, we are currently in the process of diagnosing the OCSP issue within our environment; we suspect it's a timeout due to some missing whitelisting. Errors started appearing with no code changes on our side, so we're assuming something in either our SF tenant or GCP infra has changed. Will report back findings.

Regardless, I suspect the error routine there is incorrect, which is making pinpointing this issue harder.

Thanks again.

@sfc-gh-dszmolka sfc-gh-dszmolka added status-triage_done Initial triage done, will be further handled by the driver team and removed status-information_needed Additional information is required from the reporter status-triage Issue is under initial triage labels Nov 4, 2024
@sfc-gh-dszmolka sfc-gh-dszmolka removed their assignment Nov 4, 2024