Bug 1245028

Summary: ValueError: empty or no certificate, match_hostname needs a SSL socket or SSL context with either CERT_OPTIONAL or CERT_REQUIRED
Product: Red Hat OpenStack Reporter: Jamie Lennox <jlennox>
Component: python-eventletAssignee: Jon Schlueter <jschluet>
Status: CLOSED ERRATA QA Contact: Alexander Chuzhoy <sasha>
Severity: high Docs Contact:
Priority: high    
Version: 7.0 (Kilo)CC: dnavale, jkulina, jlennox, lhh, nkinder, sclewis, yeylon
Target Milestone: z1Keywords: Rebase, ZStream
Target Release: 7.0 (Kilo)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: python-eventlet-0.17.4-1.el7ost Doc Type: Rebase: Bug Fixes Only
Doc Text:
With this release, python-eventlet is now rebased to version 0.17.4. This version includes an important bug fix, including: * A bug prevented usage of SSL endpoints is now fixed.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-09-03 17:37:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Test file for eventlet issue none

Description Jamie Lennox 2015-07-21 04:22:49 UTC 
Upstream: https://github.com/eventlet/eventlet/issues/226

In python-evenlet 0.17.3 and the backports.ssl-match-hostname 3.4.0.2 combination that ships with the nightly RHEL 7.2 builds we cannot use SSL validation without the error: ValueError: empty or no certificate, match_hostname needs a SSL socket or SSL context with either CERT_OPTIONAL or CERT_REQUIRED

This doesn't require eventlet to actually be used it just needs to be installed on the machine. 

This was fixed in eventlet 0.17.4 and the reason openstack bumped to this version: https://github.com/openstack/requirements/commit/db78d5e0e801ae217ba5a4f0a35b550653d864d5

However this is not specifically an openstack issue it will be a problem with using requests in general and we need to ensure that at least 0.17.4 is shipping with rhel 7.2
Comment 3 Jamie Lennox 2015-07-21 04:32:29 UTC 
Was a little fast with that - of course you need to import eventlet otherwise it's ignored, you just don't need to actually make use of eventlet just have it imported.

This is specifically an issue with openstackclient because it imports glanceclient which imports eventlet and screws it up for everyone. Assumedly glance cli is affected as well.
Comment 4 Jamie Lennox 2015-08-11 02:57:20 UTC 
Note i consider this really important to fix because without it we can't use openstackclient against an SSL endpoint. Any word?
Comment 5 Jon Schlueter 2015-08-11 12:34:06 UTC 
Will look at getting this patch in this week, is this desired for OSP 7?
Comment 6 Jon Schlueter 2015-08-12 13:48:27 UTC 
Looks like a simple rebase to upstream 0.7.14 will address this issue
Comment 7 Jon Schlueter 2015-08-12 13:53:49 UTC 
Verified 0.7.14 only has this one bug fix in it from 0.7.13 and fedora/master has 0.7.14 package already in dist-git.  Looking for PM ACK and QA ACK for this bug.  It prevents openstackclient from connecting to SSL endpoints
Comment 9 Jamie Lennox 2015-08-18 01:43:21 UTC 
We can test this using openstackclient against a SSL certificate, but the easiest way is in a script: 

#!/bin/env python
import eventlet 
import requests

print requests.get('https://www.redhat.com').status_code

Under eventlet 0.17.3 i get: 

(test2)[cloud-user@openstack ~]$ python eventlet-test.py 
/home/cloud-user/.virtualenvs/test2/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
  SecurityWarning
Traceback (most recent call last):
  File "eventlet-test.py", line 4, in <module>
    print requests.get('https://www.redhat.com').status_code
  File "/home/cloud-user/.virtualenvs/test2/lib/python2.7/site-packages/requests/api.py", line 69, in get
    return request('get', url, params=params, **kwargs)
  File "/home/cloud-user/.virtualenvs/test2/lib/python2.7/site-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/home/cloud-user/.virtualenvs/test2/lib/python2.7/site-packages/requests/sessions.py", line 465, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/cloud-user/.virtualenvs/test2/lib/python2.7/site-packages/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/home/cloud-user/.virtualenvs/test2/lib/python2.7/site-packages/requests/adapters.py", line 370, in send
    timeout=timeout
  File "/home/cloud-user/.virtualenvs/test2/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 544, in urlopen
    body=body, headers=headers)
  File "/home/cloud-user/.virtualenvs/test2/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 341, in _make_request
    self._validate_conn(conn)
  File "/home/cloud-user/.virtualenvs/test2/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 761, in _validate_conn
    conn.connect()
  File "/home/cloud-user/.virtualenvs/test2/lib/python2.7/site-packages/requests/packages/urllib3/connection.py", line 253, in connect
    match_hostname(cert, self.assert_hostname or hostname)
  File "/usr/lib64/python2.7/ssl.py", line 245, in match_hostname
    raise ValueError("empty or no certificate, match_hostname needs a "
ValueError: empty or no certificate, match_hostname needs a SSL socket or SSL context with either CERT_OPTIONAL or CERT_REQUIRED


under 0.17.4 i get:

200
Comment 10 Jamie Lennox 2015-08-18 01:45:27 UTC 
Created attachment 1064127 [details]
Test file for eventlet issue
Comment 11 Jamie Lennox 2015-08-18 01:46:35 UTC 
restoring rhos-flags
Comment 12 Jamie Lennox 2015-08-19 08:36:02 UTC 
Note that there is a 0.17.4 build for rawhide already[1] which we can probably reuse.

[1] http://koji.fedoraproject.org/koji/packageinfo?packageID=10242
Comment 15 Alexander Chuzhoy 2015-08-24 17:56:30 UTC 
Verified:

Environment:
python-eventlet-0.17.4-1.el7ost.noarch


Based on comment #9


here's the output[2] from running the lines[1].

1.
#!/bin/env python
import eventlet
import requests
print requests.get('https://www.redhat.com').status_code


2.
/usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
200



The BZ for the warning above is #1242675
Comment 17 errata-xmlrpc 2015-09-03 17:37:04 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2015:1721