Red Hat Bugzilla – Bug 1024052
python-urllib3 defaulted to non-existent ca_certs.
Last modified: 2013-11-15 13:57:29 EST
This patch for python-httplib3 is incorrect. The ca-certificates bundle has always been ca-bundle.crt, rather than ca-certificates.crt, in RedHat / Fedora. The patch was made for https://bugzilla.redhat.com/show_bug.cgi?id=855320, and was based on a patch in Ubuntu.
From 1c27fda076e6ef4b82dc1b0b604b920ce6251633 Mon Sep 17 00:00:00 2001
From: Ralph Bean <email@example.com>
Date: Wed, 25 Sep 2013 13:21:32 -0400
Subject: [PATCH 1/3] default-ssl-cert-validate
urllib3/connectionpool.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/urllib3/connectionpool.py b/urllib3/connectionpool.py
index 691d4e2..551b6fd 100644
@@ -644,8 +644,8 @@ class HTTPSConnectionPool(HTTPConnectionPool):
strict=False, timeout=None, maxsize=1,
- key_file=None, cert_file=None, cert_reqs=None,
- ca_certs=None, ssl_version=None,
+ key_file=None, cert_file=None, cert_reqs=ssl.CERT_REQUIRED,
+ ca_certs='/etc/ssl/certs/ca-certificates.crt', ssl_version=None,
HTTPConnectionPool.__init__(self, host, port, strict, timeout, maxsize,
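Review bot: the new default on the `ca_certs=` line, '/etc/ssl/certs/ca-certificates.crt', is a fixed path with no check that the file exists on the target distribution, and combined with `cert_reqs=ssl.CERT_REQUIRED` on the line above it a wrong path makes every HTTPS pool fail when it connects. Per the description above, the bundle on Red Hat / Fedora is named ca-bundle.crt, so the default should point at that file, and the package build should verify that the path exists so a mismatch is caught before the update ships.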
python-urllib3-1.7-4.fc20 has been submitted as an update for Fedora 20.
python-urllib3-1.7-4.fc19 has been submitted as an update for Fedora 19.
python-urllib3-1.5-7.fc18 has been submitted as an update for Fedora 18.
python-urllib3-1.5-7.el6 has been submitted as an update for Fedora EPEL 6.
Using python-urllib3 directly would result in a traceback:
>>> import urllib3
>>> conn = urllib3.connection_from_url('https://apps.fedoraproject.org')
>>> r1 = conn.request('GET', 'https://apps.fedoraproject.org/')
Traceback (most recent call last):
File "testing.py", line 3, in <module>
r1 = conn.request('GET', 'https://apps.fedoraproject.org/')
File "/usr/lib/python2.7/site-packages/urllib3/request.py", line 75, in request
File "/usr/lib/python2.7/site-packages/urllib3/request.py", line 88, in request_encode_url
return self.urlopen(method, url, **urlopen_kw)
File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 492, in urlopen
urllib3.exceptions.SSLError: [Errno 185090050] _ssl.c:340: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
Users of python-requests were not affected by this bug. python-requests does use python-urllib3's cert validation, but the path is patched correctly in python-requests: http://pkgs.fedoraproject.org/cgit/python-requests.git/tree/python-requests-system-cert-bundle.patch The correctly patched path from python-requests overwrites python-urllib3's incorrectly patched path at runtime.
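A packaging-time check for the failure described in this report, as an added example that is not part of the original bug thread or of python-urllib3: it tests whether a hardcoded CA bundle path exists and actually loads certificates, and raises instead of falling back to no verification. It uses the Python 3 standard-library `ssl` module; the `/etc/pki/tls/certs/ca-bundle.crt` path and the function names are assumptions, since the report gives only the file name ca-bundle.crt.

```python
import os
import ssl

# First the path hardcoded by the patch in this report, then the usual
# Fedora/RHEL location of ca-bundle.crt (an assumption; the report gives
# only the file name).
CANDIDATES = [
    "/etc/ssl/certs/ca-certificates.crt",
    "/etc/pki/tls/certs/ca-bundle.crt",
]


def check_ca_bundle(path):
    """Return (status, n_certs); status is 'missing', 'invalid' or 'ok'."""
    if not os.path.isfile(path):
        return ("missing", 0)
    # PROTOCOL_TLS_CLIENT enables CERT_REQUIRED and hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except (ssl.SSLError, OSError):
        # Unreadable file or no parsable PEM certificate in it.
        return ("invalid", 0)
    n = ctx.cert_store_stats()["x509"]
    return ("ok", n) if n else ("invalid", 0)


def pick_ca_bundle(candidates=CANDIDATES):
    """Return the first usable bundle; fail closed if there is none."""
    for path in candidates:
        if check_ca_bundle(path)[0] == "ok":
            return path
    raise RuntimeError("no usable CA bundle among: " + ", ".join(candidates))


if __name__ == "__main__":
    for p in CANDIDATES:
        print(p, check_ca_bundle(p))
```

Run in a package's test stage, a "missing" or "invalid" result for the configured default flags the wrong path before users hit the SSLError shown above.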
Why are these updates in Bodhi type:security? This does not look like something we classify as security fix, as comment 5 indicates this was fail close (no https connection was possible because of this bug) rather than fail open (https connection without certificate check).
(In reply to Tomas Hoger from comment #6)
> This does not look like something we classify as security fix, as comment 5
> indicates this was fail close (no https connection was possible because of
> this bug) rather than fail open (https connection without certificate check).
I'll modify the updates to be of type bugfix.
Hm, well, I was able to edit the f20 and el6 updates, but not f19 and f18. It looks like the push for them is already underway.
That does happen when a push is in progress. They are in testing now; I believe you should be able to edit now before the push to stable starts.
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing python-urllib3-1.5-7.el6'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
python-urllib3-1.5-7.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
python-urllib3-1.7-4.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
python-urllib3-1.7-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
python-urllib3-1.5-7.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.