Cause:
The version of Python included in RHEL 5 does not support certificate verification. If the application attempted to use certificate verification by supplying a CA certificate file, the python-qpid code would attempt to raise an exception. The exception it attempted to raise was SSLError, which is also not defined by the version of Python in RHEL 5.
Consequence:
Since qpid-python attempted to use an undefined variable - SSLError - the Python interpreter throws an unknown name error (NameError) instead of issuing the warning about certificate validation.
Fix:
The qpid-python code was modified to avoid using the undefined SSLError exception, and instead use a pre-defined socket.error exception for the unsupported certificate verification operation.
Result:
When attempting to use the unsupported certificate validation feature, a proper error exception is thrown.
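A minimal model of the defect and the fix described above, added here as an illustration and not taken from the qpid-python sources. The names `open_tls_before`, `open_tls_after`, `connect`, `outcome`, `HAVE_PEER_VERIFICATION` and the host `broker.example` are assumptions made for the example.

```python
import socket

UNSUPPORTED = ("This version of Python does not support verification "
               "of the peer's certificate.")

# Assumption: stands in for a runtime like the one described above, where
# peer verification is unavailable and the name SSLError was never bound.
HAVE_PEER_VERIFICATION = False


def open_tls_before(host, port, ssl_trustfile=None):
    """Pre-fix shape: the refusal path names an exception that is not defined."""
    if ssl_trustfile and not HAVE_PEER_VERIFICATION:
        raise SSLError(UNSUPPORTED)  # deliberately undefined -> NameError
    return ("tls-no-verification", host, port)


def open_tls_after(host, port, ssl_trustfile=None):
    """Post-fix shape: refuse with socket.error, which always exists."""
    if ssl_trustfile and not HAVE_PEER_VERIFICATION:
        raise socket.error(UNSUPPORTED)
    return ("tls-no-verification", host, port)


def connect(opener, **options):
    """A caller that handles transport failures by catching socket.error."""
    try:
        opener("broker.example", 5671, **options)
        return "connected"
    except socket.error as exc:
        return "refused: %s" % exc


def outcome(opener, **options):
    """Report what the caller sees, including errors its handler misses."""
    try:
        return connect(opener, **options)
    except NameError as exc:
        return "unhandled NameError: %s" % exc


if __name__ == "__main__":
    for opener in (open_tls_before, open_tls_after):
        print(opener.__name__, "->", outcome(opener, ssl_trustfile="rootca.crt"))
```

Both variants refuse the connection when a trust file is supplied, so neither silently proceeds without verification; the difference is that only the post-fix variant reaches the caller's `socket.error` handler with the intended message.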
Description of problem:
Validation of the server certificate is not supported on RHEL 5. There is an appropriate error reported by the client, which is correct:
raise SSLError("This version of Python does not support verification of the peer's certificate.")
But the 'SSLError' class is not known, so the client ends with a NameError:
NameError: global name 'SSLError' is not defined
See additional info for details.
Version-Release number of selected component (if applicable):
python-qpid-0.18-4
How reproducible:
100%
Steps to Reproduce:
1. Set up an SSL broker
2. Connect to the broker using the Python client, requesting server certificate validation by supplying the ssl_trustfile connection option
3. NameError
Actual results:
NameError on server certificate validation attempt
Expected results:
Appropriate exception is displayed to the user
Additional info:
* qc2_drain.py is a modified version of python drain example that supports connection options
# ~/qc2_drain.py -b amqps://$(hostname):5671 "amq.direct/test" --connection-options "{ssl_certfile:/var/lib/qpidd/qpid_nss_db/client.pem, ssl_trustfile:/var/lib/qpidd/qpid_nss_db/rootca.crt}"
Traceback (most recent call last):
  File "/root/qc2_drain.py", line 171, in ?
    conn.open()
  File "<string>", line 6, in open
  File "/usr/lib/python2.4/site-packages/qpid/messaging/endpoints.py", line 261, in open
    self.attach()
  File "<string>", line 6, in attach
  File "/usr/lib/python2.4/site-packages/qpid/messaging/endpoints.py", line 279, in attach
    self._ewait(lambda: self._transport_connected and not self._unlinked())
  File "/usr/lib/python2.4/site-packages/qpid/messaging/endpoints.py", line 214, in _ewait
    self.check_error()
  File "/usr/lib/python2.4/site-packages/qpid/messaging/endpoints.py", line 207, in check_error
    raise self.error
qpid.messaging.exceptions.InternalError: Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/qpid/messaging/driver.py", line 509, in dispatch
    self.connect()
  File "/usr/lib/python2.4/site-packages/qpid/messaging/driver.py", line 533, in connect
    self._transport = trans(self.connection, host, port)
  File "/usr/lib/python2.4/site-packages/qpid/messaging/transports.py", line 79, in __init__
    raise SSLError("This version of Python does not support verification of the peer's certificate.")
NameError: global name 'SSLError' is not defined
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
http://rhn.redhat.com/errata/RHBA-2014-0129.html