Bug 2309587

Summary: certificate loading issues in requests 2.32.3 (concurrency, default certs in custom contexts)
Product: [Fedora] Fedora Reporter: Adam Williamson <awilliam>
Component: python-requestsAssignee: Charalampos Stratakis <cstratak>
Status: CLOSED UPSTREAM QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 41CC: aurelien, cstratak, infra-sig, jeremy, mhroncok, python-packagers-sig, torsava
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-01-15 13:06:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Adam Williamson 2024-09-04 00:39:59 UTC 
Description of problem:
As reported and discussed upstream at https://github.com/psf/requests/issues/6726 , https://github.com/psf/requests/issues/6730 , and https://github.com/psf/requests/pull/6731 , requests 2.32.x (up to the latest, 2.32.3) has a couple of significant issues with certificate loading. There's a concurrency problem with multiple contexts with different certs, and custom contexts no longer have the system default trust bundle loaded into them (which has always been the case in the past, and which many consumers of requests rely on).

I ran into this via httpie not working - https://github.com/httpie/cli/issues/1583 . I've sent a patch for httpie to explicitly load the default certificates and backported that, so httpie is fixed now. But there could be many other things in Fedora that use custom SSL contexts via requests and are broken by that problem.

If upstream is not able to resolve this by Fedora 41 release, I think we should at least consider downgrading to 2.31.0. This is a decision a lot of projects are making upstream (for their dependency declarations consumed by pip etc) until upstream is able to sort this out; there's a general perception that the security issue 2.32.x fixed was not that serious in most contexts.

Version-Release number of selected component (if applicable):
2.32.3-3.fc41 etc.

How reproducible:
100%

Steps to Reproduce:
with httpie-3.2.2-15.fc41 or lower, try 'http get https://bodhi.fedoraproject.org/releases' (or any https URL).

Actual results:
http: error: SSLError: HTTPSConnectionPool(host='bodhi.fedoraproject.org', port=443): Max retries exceeded with url: (url) (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1020)'))) while doing a GET request to URL: (url)

Expected results:
Successful page retrieval

Additional info:
Comment 1 martin luma 2024-11-21 10:28:09 UTC Comment hidden (spam)
Comment 2 Tomas Orsava 2024-12-04 13:29:54 UTC 
Sorry we didn't get to this before Fedora 41 was released. We didn't get any more reports other than this one, and we're looking closely at the proposed fix upstream, but we're not doing anything yet.
Comment 3 Tomas Orsava 2025-01-15 13:06:34 UTC 
This looks like it's going to be the new upstream behaviour. Since we want to stick close to upstream in Fedora, we're not planning a downstream-only patch (that we would have to likely keep around forever). Closing as UPSTREAM as the issues are tracked there, and if there's a fix it'll get into Fedora.