Bug 1024052 - python-urllib3 defaulted to non-existent ca_certs.
Summary: python-urllib3 defaulted to non-existent ca_certs.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: python-urllib3
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Ralph Bean
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-10-28 17:05 UTC by Ralph Bean
Modified: 2013-11-15 18:57 UTC (History)

Fixed In Version: python-urllib3-1.5-7.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-09 03:28:49 UTC
Type: Bug
Embargoed:



Description Ralph Bean 2013-10-28 17:05:09 UTC
This patch for python-httplib3 is incorrect.  The ca-certificates bundle has always been ca-bundle.crt, rather than ca-certificates.crt, in RedHat / Fedora. The patch was made for https://bugzilla.redhat.com/show_bug.cgi?id=855320, and was based on a patch in Ubuntu.

From 1c27fda076e6ef4b82dc1b0b604b920ce6251633 Mon Sep 17 00:00:00 2001
From: Ralph Bean <rbean>
Date: Wed, 25 Sep 2013 13:21:32 -0400
Subject: [PATCH 1/3] default-ssl-cert-validate

---
 urllib3/connectionpool.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/urllib3/connectionpool.py b/urllib3/connectionpool.py
index 691d4e2..551b6fd 100644
--- a/urllib3/connectionpool.py
+++ b/urllib3/connectionpool.py
@@ -644,8 +644,8 @@ class HTTPSConnectionPool(HTTPConnectionPool):
                  strict=False, timeout=None, maxsize=1,
                  block=False, headers=None,
                  _proxy=None, _proxy_headers=None,
-                 key_file=None, cert_file=None, cert_reqs=None,
-                 ca_certs=None, ssl_version=None,
+                 key_file=None, cert_file=None, cert_reqs=ssl.CERT_REQUIRED,
+                 ca_certs='/etc/ssl/certs/ca-certificates.crt', ssl_version=None,
                  assert_hostname=None, assert_fingerprint=None):

         HTTPConnectionPool.__init__(self, host, port, strict, timeout, maxsize,
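Review bot: the new ca_certs default '/etc/ssl/certs/ca-certificates.crt' in this hunk is the Debian/Ubuntu bundle name, while the description states the Red Hat / Fedora bundle has always been ca-bundle.crt; paired with cert_reqs=ssl.CERT_REQUIRED on the same hunk, every HTTPSConnectionPool built with the defaults fails when the bundle is loaded (the X509_load_cert_crl_file error in comment 5). Suggest resolving the bundle at construction time from a short list of distribution-specific candidates and raising a clear error when none is readable, rather than hard-coding one path; the defaults at least fail closed, but a simple existence check on the chosen path would have caught this before the update was pushed.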
--
1.8.3.1

Comment 1 Fedora Update System 2013-10-28 17:43:18 UTC
python-urllib3-1.7-4.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/python-urllib3-1.7-4.fc20

Comment 2 Fedora Update System 2013-10-28 17:44:13 UTC
python-urllib3-1.7-4.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/python-urllib3-1.7-4.fc19

Comment 3 Fedora Update System 2013-10-28 17:44:39 UTC
python-urllib3-1.5-7.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/python-urllib3-1.5-7.fc18

Comment 4 Fedora Update System 2013-10-28 17:45:10 UTC
python-urllib3-1.5-7.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/python-urllib3-1.5-7.el6

Comment 5 Ralph Bean 2013-10-28 18:13:56 UTC
Using python-urllib3 directly would result in a traceback:

>>> import urllib3
>>> conn = urllib3.connection_from_url('https://apps.fedoraproject.org')
>>> r1 = conn.request('GET', 'https://apps.fedoraproject.org/')
Traceback (most recent call last):
  File "testing.py", line 3, in <module>
    r1 = conn.request('GET', 'https://apps.fedoraproject.org/')
  File "/usr/lib/python2.7/site-packages/urllib3/request.py", line 75, in request
    **urlopen_kw)
  File "/usr/lib/python2.7/site-packages/urllib3/request.py", line 88, in request_encode_url
    return self.urlopen(method, url, **urlopen_kw)
  File "/usr/lib/python2.7/site-packages/urllib3/connectionpool.py", line 492, in urlopen
    raise SSLError(e)
urllib3.exceptions.SSLError: [Errno 185090050] _ssl.c:340: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib

Users of python-requests were not affected by this bug.  python-requests does use python-urllib3's cert validation, but the path is patched correctly in python-requests:  http://pkgs.fedoraproject.org/cgit/python-requests.git/tree/python-requests-system-cert-bundle.patch  The correctly patched path from python-requests overwrites python-urllib3's incorrectly patched path at runtime.

Comment 6 Tomas Hoger 2013-10-28 22:29:49 UTC
Why are these updates in Bodhi type:security?  This does not look like something we classify as a security fix, as comment 5 indicates this was fail closed (no https connection was possible because of this bug) rather than fail open (https connection without certificate check).
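Comment 5 shows the failure mode of the patched defaults (a required verification against a bundle path that does not exist on Fedora) and comment 6 draws the distinction between failing closed and failing open. The following Python 3 script, added here as an illustration and not code from this bug, from urllib3 or from the Fedora package, makes both points concrete: it resolves the distribution bundle from a list of candidate paths instead of one hard-coded name, and classifies what a client built with a given `cert_reqs`/`ca_certs` pair does before it ever opens a socket. The candidate path list, the function names and the temp-directory scenario in `demo()` are all assumptions made for the example.

```python
import os
import ssl
import tempfile

# Assumed candidate locations for the distribution CA bundle. The first two
# are the Red Hat / Fedora name the report describes (ca-bundle.crt); the
# last is the Debian / Ubuntu name that the patch hard-coded.
CANDIDATE_BUNDLES = (
    "/etc/pki/tls/certs/ca-bundle.crt",
    "/etc/ssl/certs/ca-bundle.crt",
    "/etc/ssl/certs/ca-certificates.crt",
)


def find_ca_bundle(candidates=CANDIDATE_BUNDLES):
    """Return the first readable bundle among the candidates, or None."""
    for path in candidates:
        if os.path.isfile(path) and os.access(path, os.R_OK):
            return path
    return None


def make_verifying_context(ca_certs):
    """Build a TLS client context that requires a chain rooted in ca_certs.

    load_verify_locations() raises if the file is missing or unparsable, so a
    wrong default path never degrades into an unverified connection.
    """
    if ca_certs is None:
        raise ValueError("no CA bundle configured")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=ca_certs)
    return ctx


def client_behaviour(cert_reqs, ca_certs):
    """Classify what a client built with these defaults does before it talks
    to any server:
      'fail-open'   -> cert_reqs is CERT_NONE: the chain is never checked
      'fail-closed' -> verification required but the bundle cannot be loaded
                       (the state this bug left urllib3 in)
      'verifying'   -> verification required and the bundle loaded
    """
    if cert_reqs == ssl.CERT_NONE:
        return "fail-open"
    try:
        make_verifying_context(ca_certs)
    except (ValueError, OSError):  # ssl.SSLError is an OSError subclass
        return "fail-closed"
    return "verifying"


def demo():
    """Constructed scenario in a temporary directory: a ca-bundle.crt exists,
    the ca-certificates.crt name the patch used does not."""
    with tempfile.TemporaryDirectory() as root:
        present = os.path.join(root, "ca-bundle.crt")
        missing = os.path.join(root, "ca-certificates.crt")
        with open(present, "w") as fh:
            fh.write("")  # placeholder; a real bundle holds PEM certificates
        resolved = find_ca_bundle((missing, present))
        return {
            "resolved": os.path.basename(resolved) if resolved else None,
            "patched_default": client_behaviour(ssl.CERT_REQUIRED, missing),
            "no_verification": client_behaviour(ssl.CERT_NONE, None),
            "required_but_none": client_behaviour(ssl.CERT_REQUIRED, None),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints `patched_default: fail-closed`, which is the situation in comment 5: a client that insists on verification but has nothing to verify against refuses every HTTPS connection rather than silently skipping the check, which is why comment 6 treats it as a bug rather than a security fix. `find_ca_bundle()` is the shape of fix a packager would want instead of the hard-coded path: it picks whichever distribution bundle is actually present and returns `None`, to be reported loudly, when none is.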

Comment 7 Ralph Bean 2013-10-29 02:10:06 UTC
(In reply to Tomas Hoger from comment #6)
> This does not look like something we classify as security fix, as comment 5
> indicates this was fail close (no https connection was possible because of
> this bug) rather than fail open (https connection without certificate check).

My mistake.

I'll modify the updates to be of type bugfix.

Comment 8 Ralph Bean 2013-10-29 02:11:33 UTC
Hm, well, I was able to edit the f20 and el6 updates, but not f19 and f18.  It looks like the push for them is already underway.

Comment 9 Tomas Hoger 2013-10-29 07:36:12 UTC
That does happen when a push is in progress.  They are in testing now; I believe you should be able to edit them now, before the push to stable starts.

Comment 10 Ralph Bean 2013-10-29 15:14:49 UTC
Done.  :)

Comment 11 Tomas Hoger 2013-10-29 15:47:01 UTC
Thank you!

Comment 12 Fedora Update System 2013-10-29 18:05:12 UTC
Package python-urllib3-1.5-7.el6:
* should fix your issue,
* was pushed to the Fedora EPEL 6 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing python-urllib3-1.5-7.el6'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2013-11982/python-urllib3-1.5-7.el6
then log in and leave karma (feedback).

Comment 13 Fedora Update System 2013-11-09 03:28:49 UTC
python-urllib3-1.5-7.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2013-11-09 03:37:09 UTC
python-urllib3-1.7-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2013-11-10 08:08:31 UTC
python-urllib3-1.7-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2013-11-15 18:57:29 UTC
python-urllib3-1.5-7.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

