Bug 1329382

Summary: urllib3 PoolManager does not pool connections based on SSL configuration
Product: Red Hat Enterprise Linux 6 Reporter: Jeremy Cline <jcline>
Component: python-urllib3Assignee: Charalampos Stratakis <cstratak>
Status: CLOSED ERRATA QA Contact: Jan Houska <jhouska>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.9CC: bkearney, bnater, cstratak, jalberts, pviktori, rbarlow, tlavigne
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 1.10.2-2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1394919 (view as bug list) Environment:
Last Closed: 2017-03-21 09:24:01 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1356060, 1359256, 1394919    
Attachments:
Description Flags
Test script that demonstrates the bug.
none
Proposed patch
none
Test script that demonstrates the bug. none

Description Jeremy Cline 2016-04-21 19:02:14 UTC 
Created attachment 1149543 [details]
Test script that demonstrates the bug.

Description of problem:
If a user of urllib3 modifies the ``connection_pool_kw`` dictionary on the ``urllib3.poolmanager.PoolManager`` class to change the SSL configuration (client certificate and key, CA certificate bundle, SSL version, and whether or not the server's certificate must be valid), the ``PoolManager`` instance will not consider these new configurations when providing a pooled connection for a request.

This results in existing connections that are not configured as the user expects to be used rather than new connections being created. This causes issues like https://github.com/kennethreitz/requests/issues/2863. 

Version-Release number of selected component (if applicable):
All versions equal to or below urllib3 version 1.15.z


How reproducible:
Easily and reliably reproducible.

Steps to Reproduce:
1. See attached Python script - this script attempts to reconfigure the CA bundle used by urllib3. It deletes the old CA file so that if the PoolManager uses the old one, it gets a "No such file or directory error". Doing `python test_urllib3.py` on a version of urllib3 affected by this bug will produce a traceback. 

Actual results:
Old SSL configurations are used.


Expected results:
New SSL configurations are used.

Additional info:
The patch for this bug has been accepted upstream, but is not yet in a released version: https://github.com/shazow/urllib3/pull/830

This is an issue Satellite 6 suffers from.
Comment 2 Jeremy Cline 2016-04-21 19:41:47 UTC 
Created attachment 1149548 [details]
Proposed patch

I've gone ahead and back-ported the patch from https://github.com/shazow/urllib3/pull/830. The attached patch should apply cleanly to the 1.10.2 tag and all tests pass.
Comment 5 Charalampos Stratakis 2016-09-08 13:23:09 UTC 
Created attachment 1199099 [details]
Test script that demonstrates the bug.

Updated reproducer provided by Jeremy Cline.
Comment 7 Jan Houska 2016-11-15 13:37:03 UTC 
Verified:

OlD: python-urllib3-1.10.2-1.el6.noarch

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [  BEGIN   ] :: Running python script :: actually running 'python test_urllib3.py 2>&1 | tee output.log'
/tmp/tmpiWO_yP
/tmp/tmp_NFSej
Traceback (most recent call last):
  File "test_urllib3.py", line 81, in <module>
    request = pool_manager.request('GET', url)
  File "/usr/lib/python2.6/site-packages/urllib3/request.py", line 68, in request
    **urlopen_kw)
  File "/usr/lib/python2.6/site-packages/urllib3/request.py", line 81, in request_encode_url
    return self.urlopen(method, url, **urlopen_kw)
  File "/usr/lib/python2.6/site-packages/urllib3/poolmanager.py", line 161, in urlopen
    response = conn.urlopen(method, u.request_uri, **kw)
  File "/usr/lib/python2.6/site-packages/urllib3/connectionpool.py", line 574, in urlopen
    raise SSLError(e)
urllib3.exceptions.SSLError: [Errno 185090050] _ssl.c:330: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
:: [   FAIL   ] :: Running python script (Expected 0, got 1)
:: [   FAIL   ] :: File 'output.log' should not contain 'Traceback' 
:: [   FAIL   ] :: File 'output.log' should not contain 'request = pool_manager.request('GET', url)' 
:: [   FAIL   ] :: File 'output.log' should not contain 'urllib3.exceptions.SSLError:' 
:: [   FAIL   ] :: File 'output.log' should not contain 'Errno 185090050' 
:: [   FAIL   ] :: File 'output.log' should not contain 'error:0B084002:x509' 
:: [   PASS   ] :: File 'output.log' should not contain '[Errno 2] No such file or directory' 
:: [   FAIL   ] :: File 'output.log' should contain 'No exception raised! Seems things are working.' 
'3857dab8-c768-4815-b986-684d9f38d7cc'
Test result: FAIL

NEW: python-urllib3-1.10.2-3.el6.noarch


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [  BEGIN   ] :: Running python script :: actually running 'python test_urllib3.py 2>&1 | tee output.log'
/tmp/tmpNpwvqz
/tmp/tmpXrXLbM
No exception raised! Seems things are working.
:: [   PASS   ] :: Running python script (Expected 0, got 0)
:: [   PASS   ] :: File 'output.log' should not contain 'Traceback' 
:: [   PASS   ] :: File 'output.log' should not contain 'request = pool_manager.request('GET', url)' 
:: [   PASS   ] :: File 'output.log' should not contain 'urllib3.exceptions.SSLError:' 
:: [   PASS   ] :: File 'output.log' should not contain 'Errno 185090050' 
:: [   PASS   ] :: File 'output.log' should not contain 'error:0B084002:x509' 
:: [   PASS   ] :: File 'output.log' should not contain '[Errno 2] No such file or directory' 
:: [   PASS   ] :: File 'output.log' should contain 'No exception raised! Seems things are working.' 
'28781b7e-7398-4621-9aa2-ffbeb3278a07'
Test result: PASS
Comment 9 errata-xmlrpc 2017-03-21 09:24:01 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0596.html