Bug 1567862

Summary: requests should no longer use PyOpenSSL by default
Product: [Fedora] Fedora
Reporter: Christian Heimes <cheimes>
Component: python-requests
Assignee: Jeremy Cline <jcline>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 28
CC: aurelien, cstratak, infra-sig, jcline, jeremy
Hardware: Unspecified
OS: Unspecified
Fixed In Version: python-requests-2.18.4-4.fc28 python-requests-2.18.4-2.fc27
Last Closed: 2018-04-27 23:05:44 UTC
Type: Bug

Description Christian Heimes 2018-04-16 10:14:14 UTC
Description of problem:
The requests library supports multiple TLS/SSL backends through urllib3, amongst others PyOpenSSL and Python's ssl module. By default, requests overrides urllib3's defaults and attempts to inject PyOpenSSL as the preferred implementation.

Upstream prefers PyOpenSSL because it supports old versions of Python that lack certain features like SNI or proper hostname verification. PyOpenSSL is no longer necessary in Fedora. The ssl module of Python 2.7.9+ (PEP 466) and 3.6 contains all necessary features for a secure TLS/SSL handshake.

The hard dependency on PyOpenSSL and forceful injection in requests/__init__.py has multiple disadvantages:

* Fedora requests RPM pulls in several additional packages that are not strictly required: PyOpenSSL, python-cryptography, python-asn1crypto, python-cffi

* PyOpenSSL uses libffi's closures for some callbacks. The callbacks are not compatible with SELinux's execmem rules, because they require dynamic code creation with writable, executable memory pages. libffi has a workaround, but the workaround is not fork-safe. For example, I had to add a workaround to FreeIPA to prevent SELinux violations from PyOpenSSL.

* PyOpenSSL is a bit slower than the ssl module. Performance used to be even worse.

Version-Release number of selected component (if applicable):
all

How reproducible:
always

Fix:
* Remove package requirements from spec file
* Remove https://github.com/requests/requests/blob/master/requests/__init__.py#L93-L102
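The following script is an added illustration for this report, not code from Fedora, requests or urllib3. It checks, on a given Python installation, the two things the report argues about: that the standard-library ssl module already provides SNI and hostname verification with secure defaults, and whether urllib3 has been monkeypatched to route TLS through PyOpenSSL (the injection that requests/__init__.py used to perform at import time). It relies only on the standard library; urllib3 and PyOpenSSL are probed optionally, and the urllib3 attribute and function names used (urllib3.util.ssl_.IS_PYOPENSSL, urllib3.contrib.pyopenssl.extract_from_urllib3) are the ones upstream urllib3 ships, accessed defensively in case they are absent.

```python
"""Report which TLS backend this Python process would use for requests/urllib3.

Added example for bug 1567862; not Fedora's, requests' or urllib3's own code.
Only the standard library is required; urllib3/PyOpenSSL are probed if present.
"""
import ssl
import sys


def stdlib_ssl_capabilities():
    """Return the ssl-module features that make PyOpenSSL unnecessary here."""
    # create_default_context() gives CERT_REQUIRED + hostname checking
    # since Python 2.7.9 / 3.4 (PEP 466 / PEP 476).
    ctx = ssl.create_default_context()
    return {
        "has_sni": bool(ssl.HAS_SNI),
        "hostname_verification": bool(
            ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
        ),
        "openssl_version": ssl.OPENSSL_VERSION,
    }


def pyopenssl_injected():
    """True if urllib3 is currently monkeypatched to use PyOpenSSL.

    urllib3.contrib.pyopenssl.inject_into_urllib3() sets the flag
    urllib3.util.ssl_.IS_PYOPENSSL; this is what the patched-out
    requests/__init__.py code used to trigger on import.
    """
    try:
        from urllib3.util import ssl_ as urllib3_ssl
    except ImportError:
        return False  # no urllib3 at all, so nothing can be injected
    return bool(getattr(urllib3_ssl, "IS_PYOPENSSL", False))


def revert_to_stdlib_ssl():
    """Undo the injection if it happened; return the backend now in effect."""
    if pyopenssl_injected():
        from urllib3.contrib import pyopenssl
        # Restores urllib3's ssl-module based connection classes.
        pyopenssl.extract_from_urllib3()
    return "pyopenssl" if pyopenssl_injected() else "ssl"


def pyopenssl_loaded():
    """True if the PyOpenSSL package is imported in this process at all."""
    return "OpenSSL" in sys.modules


if __name__ == "__main__":
    print(stdlib_ssl_capabilities())
    print("PyOpenSSL loaded :", pyopenssl_loaded())
    print("backend before   :", "pyopenssl" if pyopenssl_injected() else "ssl")
    print("backend after    :", revert_to_stdlib_ssl())
```

Run it once before and once after installing the fixed python-requests / python-urllib3 packages: with the injection patched out, `pyopenssl_injected()` stays False even after `import requests`, and the capability report shows that SNI and hostname verification are available from the ssl module alone.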

Comment 1 Jeremy Cline 2018-04-16 15:29:45 UTC
Hi Christian,

python-urllib3 is the package that has the hard dependency on PyOpenSSL so I've dropped it in version 1.22-7.fc29. python-requests-2.18.4-4.fc29 has the injection patched out. I'll file bodhi updates on F28 and F27 for both as soon as the builds finish.

Comment 2 Fedora Update System 2018-04-16 15:52:54 UTC
python-urllib3-1.22-7.fc28 python-requests-2.18.4-4.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-66a798978b

Comment 3 Fedora Update System 2018-04-16 15:54:18 UTC
python-urllib3-1.22-5.fc27 python-requests-2.18.4-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ae2c9dd927

Comment 4 Fedora Update System 2018-04-17 03:05:09 UTC
python-requests-2.18.4-4.fc28, python-urllib3-1.22-7.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-66a798978b

Comment 5 Christian Heimes 2018-04-17 04:39:24 UTC
Wow, you are fast. Thanks a lot!

You can also remove python[23]-cryptography and python[23]-idna from python-urllib. The packages are only imported by urllib3.contrib.pyopenssl.py.

Comment 6 Fedora Update System 2018-04-18 03:00:21 UTC
python-requests-2.18.4-2.fc27, python-urllib3-1.22-5.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-ae2c9dd927

Comment 7 Fedora Update System 2018-04-18 16:56:04 UTC
python-requests-2.18.4-4.fc28 python-urllib3-1.22-8.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-66a798978b

Comment 8 Jeremy Cline 2018-04-18 16:58:22 UTC
python[23]-cryptography and python[23]-idna requirements have been dropped from python-urllib3 in python-urllib3-1.22-8. Thanks!

Comment 9 Fedora Update System 2018-04-19 08:53:23 UTC
python-requests-2.18.4-4.fc28, python-urllib3-1.22-8.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-66a798978b

Comment 10 Fedora Update System 2018-04-27 23:05:44 UTC
python-requests-2.18.4-4.fc28, python-urllib3-1.22-8.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2018-04-27 23:38:14 UTC
python-requests-2.18.4-2.fc27, python-urllib3-1.22-5.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.