Bug 1842314
Summary: | AddTrust certificate expiration causes Python to fail on connections
---|---
Product: | Red Hat Enterprise Linux 7
Component: | python3
Version: | 7.8
Status: | CLOSED INSUFFICIENT_DATA
Severity: | high
Priority: | unspecified
Reporter: | Erinn Looney-Triggs <erinn.looneytriggs>
Assignee: | Python Maintainers <python-maint>
QA Contact: | RHEL CS Apps Subsystem QE <rhel-cs-apps-subsystem-qe>
CC: | cheimes, cstratak, pviktori, redhat
Target Milestone: | rc
Hardware: | All
OS: | Linux
Type: | Bug
Last Closed: | 2020-07-15 12:04:19 UTC
Description
Erinn Looney-Triggs
2020-05-31 19:09:26 UTC
Could you please provide package versions of openssl, python-requests, and RHEL 7 version?

Created attachment 1694827
trustflag.py demo script

I cannot reproduce the problem on RHEL 7.8 with packages

python-2.7.5-88.el7.x86_64
openssl-1.0.2k-19.el7.x86_64
python3-3.6.8-13.el7.x86_64
ca-certificates-2019.2.32-76.el7_7.noarch

With standard ssl module and builtin urllib / urllib2, Python 2 is failing and Python 3 is passing just fine. The test script also shows that Python 3 has X509_V_FLAG_TRUSTED_FIRST correctly set and Python 2 is missing patch https://github.com/python/cpython/commit/b1ebba5bd569ede9b6f9573d6618fb3a6abddae5 from upstream.

The attached test script prints:

# python3 trustflag.py
3.6.8 (default, Sep 26 2019, 11:57:09)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
OpenSSL 1.0.2k-fips 26 Jan 2017
Try with default verify flags
verify_flags 0x8000
success
Try again with X509_V_FLAG_TRUSTED_FIRST
verify_flags 0x8000
success

# python2 trustflag.py
2.7.5 (default, Sep 26 2019, 13:23:47)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
OpenSSL 1.0.2k-fips 26 Jan 2017
Try with default verify flags
verify_flags 0x0L
FAILED <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)>
Try again with X509_V_FLAG_TRUSTED_FIRST
verify_flags 0x8000L
success

requests on Python 2 is failing for me and there is no requests for Python 3 on RHEL 7. How did you install requests? If you used a virtual environment, then you may have pulled in other dependencies from PyPI like PyOpenSSL and certifi.

# yum install python3-requests
No package python3-requests available.
# rpm -qa python-requests
python-requests-2.6.0-8.el7_7.noarch
# python2
Python 2.7.5 (default, Sep 26 2019, 13:23:47)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-39)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get("https://addtrust-chain.demo.sslmate.com")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 68, in get
    return request('get', url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 486, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 598, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)

How did you install requests?

Closing, feel free to reopen if you can answer.
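
A diagnostic that gathers what the comments above ask for (OpenSSL build, verify flags, CA paths, and whether certifi or PyOpenSSL are importable), as an added example; it is not the trustflag.py attachment and not code from the reporter or the maintainers. It assumes Python 3, and the function names are hypothetical.

```python
# Added diagnostic sketch (assumption: Python 3; not the bug's trustflag.py).
import importlib.util
import ssl
import sys

# Fallback for interpreters that do not export the constant; 0x8000 is the
# verify_flags value shown in the script output quoted in this bug.
TRUSTED_FIRST = getattr(ssl, "VERIFY_X509_TRUSTED_FIRST", 0x8000)


def has_trusted_first(ctx):
    """True if the context asks OpenSSL to prefer trust-store certificates."""
    return bool(int(ctx.verify_flags) & TRUSTED_FIRST)


def ensure_trusted_first(ctx):
    """Set the flag when it is missing; return True if it had to be added."""
    if has_trusted_first(ctx):
        return False
    ctx.verify_flags |= TRUSTED_FIRST
    return True


def third_party_trust_modules(names=("certifi", "OpenSSL", "urllib3", "requests")):
    """Map module name -> install location, or None when not importable.

    certifi ships its own CA bundle and PyOpenSSL (module "OpenSSL") can
    replace the stdlib verification path, so their presence matters.
    """
    found = {}
    for name in names:
        spec = importlib.util.find_spec(name)
        found[name] = spec.origin if spec else None
    return found


def tls_report():
    """Collect the facts requested in the thread into one dict."""
    ctx = ssl.create_default_context()
    paths = ssl.get_default_verify_paths()
    return {
        "python": sys.version.split()[0],
        "openssl": ssl.OPENSSL_VERSION,
        "verify_flags": hex(int(ctx.verify_flags)),
        "trusted_first": has_trusted_first(ctx),
        "cafile": paths.cafile,
        "capath": paths.capath,
        "modules": third_party_trust_modules(),
    }


if __name__ == "__main__":
    for key, value in tls_report().items():
        print("%-14s %s" % (key, value))
```

A module path under a virtual environment or `site-packages` outside `/usr/lib` in the `modules` entry indicates a PyPI install rather than the distribution RPM.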