Bug 1024052

Summary: python-urllib3 defaulted to non-existent ca_certs.
Product: [Fedora] Fedora
Reporter: Ralph Bean <rbean>
Component: python-urllib3
Assignee: Ralph Bean <rbean>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: a.badger, rbean, thoger
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: python-urllib3-1.5-7.el6
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-11-09 03:28:49 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Ralph Bean 2013-10-28 17:05:09 UTC
This patch for python-urllib3 is incorrect.  The ca-certificates bundle has always been ca-bundle.crt, rather than ca-certificates.crt, in Red Hat / Fedora. The patch was made for https://bugzilla.redhat.com/show_bug.cgi?id=855320 and was based on a patch in Ubuntu.

From 1c27fda076e6ef4b82dc1b0b604b920ce6251633 Mon Sep 17 00:00:00 2001
From: Ralph Bean <rbean>
Date: Wed, 25 Sep 2013 13:21:32 -0400
Subject: [PATCH 1/3] default-ssl-cert-validate

---
 urllib3/connectionpool.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/urllib3/connectionpool.py b/urllib3/connectionpool.py
index 691d4e2..551b6fd 100644
--- a/urllib3/connectionpool.py
+++ b/urllib3/connectionpool.py
@@ -644,8 +644,8 @@ class HTTPSConnectionPool(HTTPConnectionPool):
                  strict=False, timeout=None, maxsize=1,
                  block=False, headers=None,
                  _proxy=None, _proxy_headers=None,
-                 key_file=None, cert_file=None, cert_reqs=None,
-                 ca_certs=None, ssl_version=None,
+                 key_file=None, cert_file=None, cert_reqs=ssl.CERT_REQUIRED,
+                 ca_certs='/etc/ssl/certs/ca-certificates.crt', ssl_version=None,
                  assert_hostname=None, assert_fingerprint=None):

         HTTPConnectionPool.__init__(self, host, port, strict, timeout, maxsize,
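Review bot: the new default `ca_certs='/etc/ssl/certs/ca-certificates.crt'` is the Debian/Ubuntu bundle path, not the Fedora/RHEL one; on Fedora the bundle is /etc/ssl/certs/ca-bundle.crt (see the description), so every HTTPSConnectionPool built with defaults now pairs `cert_reqs=ssl.CERT_REQUIRED` with a file that does not exist and raises SSLError at connect time. Either point the default at the Fedora path or, better, resolve the bundle at runtime from a short list of candidate paths and check the file exists before handing it to the TLS layer, rather than baking one distribution's path into the signature. Also confirm that `ssl` is imported at module scope in connectionpool.py, which the hunk context does not show; otherwise `ssl.CERT_REQUIRED` in the signature raises NameError at import. Note the failure mode is closed, not open: a missing bundle with CERT_REQUIRED refuses the connection instead of skipping verification.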
--
1.8.3.1

Comment 1 Fedora Update System 2013-10-28 17:43:18 UTC
python-urllib3-1.7-4.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/python-urllib3-1.7-4.fc20

Comment 2 Fedora Update System 2013-10-28 17:44:13 UTC
python-urllib3-1.7-4.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/python-urllib3-1.7-4.fc19

Comment 3 Fedora Update System 2013-10-28 17:44:39 UTC
python-urllib3-1.5-7.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/python-urllib3-1.5-7.fc18

Comment 4 Fedora Update System 2013-10-28 17:45:10 UTC
python-urllib3-1.5-7.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/python-urllib3-1.5-7.el6

Comment 5 Ralph Bean 2013-10-28 18:13:56 UTC
Using python-urllib3 directly would result in a traceback:

>>> import urllib3
>>> conn = urllib3.connection_from_url('https://apps.fedoraproject.org')
>>> r1 = conn.request('GET', 'https://apps.fedoraproject.org/')
    Traceback (most recent call last):
      File "testing.py", line 3, in <module>
        r1 = conn.request('GET', 'https://apps.fedoraproject.org/')
      File "/usr/lib/python2.7/site-packages/urllib3/request.py", line 75, in request
        **urlopen_kw)
      File "/usr/lib/python2.7/site-packages/urllib3/request.py", line 88, in request_encode_url
        return self.urlopen(method, url, **urlopen_kw)
      File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 492, in urlopen
        raise SSLError(e)
    urllib3.exceptions.SSLError: [Errno 185090050] _ssl.c:340: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib

Users of python-requests were not affected by this bug.  python-requests does use python-urllib3's cert validation, but the path is patched correctly in python-requests:  http://pkgs.fedoraproject.org/cgit/python-requests.git/tree/python-requests-system-cert-bundle.patch  The correctly patched path from python-requests overwrites python-urllib3's incorrectly patched path at runtime.

Comment 6 Tomas Hoger 2013-10-28 22:29:49 UTC
Why are these updates in Bodhi type:security?  This does not look like something we classify as a security fix, as comment 5 indicates this was fail closed (no https connection was possible because of this bug) rather than fail open (https connection without certificate check).
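The two points above, that the bundle path should be resolved per distribution rather than hardcoded in a signature (description, comment 5) and that a missing bundle with CERT_REQUIRED fails closed rather than open (comment 6), as an added example. This is not code from the bug or from urllib3; it uses only the standard library ssl module and assumes Python 3.6 or later. The Fedora path and the Debian/Ubuntu path come from the bug; the /etc/pki/tls path, the MISSING_CA_PATHS entries and all function names are assumptions made for the example.

```python
import os
import ssl

# Candidate system CA bundle locations, tried in order. The first is the
# Fedora/RHEL path named in the bug description; the second is the Debian/
# Ubuntu path the rejected patch hardcoded. The third is an assumed
# alternative Red Hat location and is not taken from the bug.
CANDIDATE_CA_BUNDLES = (
    "/etc/ssl/certs/ca-bundle.crt",
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
)

# Constructed paths that exist on no system; used to exercise the
# failure modes without touching the real system bundle.
MISSING_CA_PATHS = (
    "/nonexistent/ca-bundle.crt",
    "/nonexistent/ca-certificates.crt",
)


def find_ca_bundle(candidates=CANDIDATE_CA_BUNDLES):
    """Return the first candidate that exists as a regular file, else None.

    Resolving at call time, instead of baking one path into a function
    signature, is what lets the same code work on Fedora and Debian.
    """
    for path in candidates:
        if os.path.isfile(path):
            return path
    return None


def verifying_context(ca_certs):
    """Fail-closed: require a loadable bundle or raise.

    A missing or empty bundle raises an OSError subclass (FileNotFoundError
    or ssl.SSLError); a context with verification off is never returned.
    """
    if not ca_certs or not os.path.isfile(ca_certs):
        raise FileNotFoundError("CA bundle not found: %r" % (ca_certs,))
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_certs)
    return ctx


def fail_open_context(ca_certs):
    """Anti-pattern, shown only for contrast: if the bundle is missing the
    connection silently proceeds with no certificate check at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if ca_certs and os.path.isfile(ca_certs):
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile=ca_certs)
    else:
        # check_hostname must be cleared before verify_mode can be CERT_NONE
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def classify(factory, ca_certs):
    """Describe how a context factory behaves for a given bundle path:
    'fail-closed' if it refuses to build, 'verifying' if it builds with
    CERT_REQUIRED, 'fail-open' if it builds with verification disabled."""
    try:
        ctx = factory(ca_certs)
    except OSError:
        return "fail-closed"
    return "verifying" if ctx.verify_mode == ssl.CERT_REQUIRED else "fail-open"


if __name__ == "__main__":
    bundle = find_ca_bundle()
    print("system bundle:", bundle)
    for path in (bundle, MISSING_CA_PATHS[0]):
        print(path, "->", classify(verifying_context, path),
              "/", classify(fail_open_context, path))
```

Run on a Fedora or Debian host the script reports the bundle it found and "verifying" for both factories; for the missing path the fail-closed factory reports "fail-closed", which is the behaviour the traceback in comment 5 shows, while the anti-pattern reports "fail-open", the case that would have justified a security classification.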

Comment 7 Ralph Bean 2013-10-29 02:10:06 UTC
(In reply to Tomas Hoger from comment #6)
> This does not look like something we classify as a security fix, as comment 5
> indicates this was fail closed (no https connection was possible because of
> this bug) rather than fail open (https connection without certificate check).

My mistake.

I'll modify the updates to be of type bugfix.

Comment 8 Ralph Bean 2013-10-29 02:11:33 UTC
Hm, well, I was able to edit the f20 and el6 updates, but not f19 and f18.  It looks like the push for them is already underway.

Comment 9 Tomas Hoger 2013-10-29 07:36:12 UTC
That does happen when a push is in progress.  They are in testing now; I believe you should be able to edit them now, before the push to stable starts.

Comment 10 Ralph Bean 2013-10-29 15:14:49 UTC
Done.  :)

Comment 11 Tomas Hoger 2013-10-29 15:47:01 UTC
Thank you!

Comment 12 Fedora Update System 2013-10-29 18:05:12 UTC
Package python-urllib3-1.5-7.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing python-urllib3-1.5-7.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11982/python-urllib3-1.5-7.el6
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2013-11-09 03:28:49 UTC
python-urllib3-1.5-7.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2013-11-09 03:37:09 UTC
python-urllib3-1.7-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2013-11-10 08:08:31 UTC
python-urllib3-1.7-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2013-11-15 18:57:29 UTC
python-urllib3-1.5-7.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.