Bug 1643454

Summary: Can't disable SSL verification for Python
Product: Red Hat Software Collections
Reporter: Alexander Todorov <atodorov>
Component: rh-python36
Assignee: Python Maintainers <python-maint>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: high
Priority: high
Version: rh-python36
CC: cstratak, torsava
Target Milestone: ---   
Target Release: 3.3   
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2018-11-14 17:57:44 UTC
Type: Bug

Description Alexander Todorov 2018-10-26 09:52:34 UTC
Description of problem:

This KB article describes what updates have been released for Python so it can verify HTTPS connections:
https://access.redhat.com/articles/2039753


It also shows a simple test script and env variable/config file to enable/disable HTTPS cert verification. This fails for me.


Version-Release number of selected component (if applicable):
rh-python36-2.0-1.el7.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Create the script from the article:
$ cat ssl-test 
#!/usr/bin/env python

try:   
    import urllib2 #python2
except:
    import urllib.request as urllib2 #python3
import sys

req = urllib2.Request(sys.argv[1], headers={'User-Agent':'Mozilla/5.0'})
urllib2.urlopen(req)

2. Disable verification system wide for the python36 software collection:

$ cat /opt/rh/rh-python36/root/etc/python/cert-verification.cfg
[https]
verify=disable

3. Execute the test script:
$ scl enable rh-python36 /bin/bash
$ PYTHONHTTPSVERIFY=0 python ssl-test https://cdn.redhat.com
Traceback (most recent call last):
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/urllib/request.py", line 1318, in do_open
    encode_chunked=req.has_header('Transfer-encoding'))
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/http/client.py", line 1239, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/http/client.py", line 1285, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/http/client.py", line 1234, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/http/client.py", line 1026, in _send_output
    self.send(msg)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/http/client.py", line 964, in send
    self.connect()
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/http/client.py", line 1400, in connect
    server_hostname=server_hostname)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/ssl.py", line 407, in wrap_socket
    _context=self, _session=session)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/ssl.py", line 814, in __init__
    self.do_handshake()
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/ssl.py", line 1068, in do_handshake
    self._sslobj.do_handshake()
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/ssl.py", line 689, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:777)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "ssl-test", line 10, in <module>
    urllib2.urlopen(req)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/urllib/request.py", line 223, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/urllib/request.py", line 526, in open
    response = self._open(req, data)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/urllib/request.py", line 544, in _open
    '_open', req)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/urllib/request.py", line 504, in _call_chain
    result = func(*args)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/urllib/request.py", line 1361, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "/opt/rh/rh-python36/root/usr/lib64/python3.6/urllib/request.py", line 1320, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:777)>


Actual results:
traceback, failure

Expected results:
According to the KBase article this should work.

Additional info:

Comment 2 Alexander Todorov 2018-10-26 10:14:12 UTC
After update I have the following versions

rpm -qa | grep rh-python
rh-python36-python-pip-9.0.1-2.el7.noarch
rh-python36-python-setuptools-36.5.0-1.el7.noarch
rh-python36-2.0-1.el7.x86_64
rh-python36-python-3.6.3-3.el7.x86_64
rh-python36-python-libs-3.6.3-3.el7.x86_64
rh-python36-python-virtualenv-15.1.0-2.el7.noarch
rh-python36-runtime-2.0-1.el7.x86_64
rh-python36-python-devel-3.6.3-3.el7.x86_64


The problem still persists.

Comment 4 Charalampos Stratakis 2018-11-14 17:57:44 UTC
Hello. This is actually intended and the configuration file is not supported for python 3+.

From the KB article: The Python version used in the rh-python34 collection is based on upstream version 3.4.2. However, PEP 476 support was backported to this version and included since its first release via RHEA-2015:1058, released as part of the Red Hat Software Collections 2.0, with certificate verification enabled by default. It does not include any support for PEP 493 and therefore it is not possible to disable verification by default via the cert-verification.cfg.

The file was added on python2 for compatibility reasons, but on python3 we do not offer such an option.
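
Added example (not part of the bug report or the KB article): since Python 3 offers no global switch, the TLS policy has to be chosen in code for each connection, preferably by trusting the right CA rather than turning verification off. The helper names and the cafile path are hypothetical; ssl._create_default_https_context is the private hook http.client calls when no context is passed.

```python
import os
import ssl
import urllib.request


def https_context(cafile=None, verify=True):
    """Build the SSLContext for one client; the choice is made in code, per call.

    cafile: PEM bundle with the CA that signed the server certificate (hypothetical path).
    verify=False is the explicit Python 3 replacement for the Python 2 global switch.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if not verify:
        ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_verifying(ctx):
    """True when the context checks both the certificate chain and the host name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def default_context_with_env(value):
    """Return the context urllib gets by default while PYTHONHTTPSVERIFY=value is set."""
    saved = os.environ.get("PYTHONHTTPSVERIFY")
    os.environ["PYTHONHTTPSVERIFY"] = value
    try:
        # Private hook that http.client calls when no context is passed.
        return ssl._create_default_https_context()
    finally:
        if saved is None:
            del os.environ["PYTHONHTTPSVERIFY"]
        else:
            os.environ["PYTHONHTTPSVERIFY"] = saved


def fetch(url, cafile=None, verify=True):
    """Same request as ssl-test, with the TLS policy passed explicitly."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    return urllib.request.urlopen(req, context=https_context(cafile, verify))


if __name__ == "__main__":
    print("PYTHONHTTPSVERIFY=0 still verifies:", is_verifying(default_context_with_env("0")))
    print("explicit verify=False verifies:", is_verifying(https_context(verify=False)))
```

Passing cafile makes the context trust only that bundle, which keeps chain and host name checks active for a server signed by a private CA.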