Upstream: https://github.com/eventlet/eventlet/issues/226
In python-eventlet 0.17.3 and the backports.ssl-match-hostname 3.4.0.2 combination that ships with the nightly RHEL 7.2 builds we cannot use SSL validation without the error:
    ValueError: empty or no certificate, match_hostname needs a SSL socket or SSL context with either CERT_OPTIONAL or CERT_REQUIRED
This doesn't require eventlet to actually be used; it just needs to be installed on the machine.
This was fixed in eventlet 0.17.4 and is the reason openstack bumped to this version: https://github.com/openstack/requirements/commit/db78d5e0e801ae217ba5a4f0a35b550653d864d5
However, this is not specifically an openstack issue; it will be a problem with using requests in general, and we need to ensure that at least 0.17.4 is shipping with rhel 7.2.
Was a little fast with that - of course you need to import eventlet otherwise it's ignored, you just don't need to actually make use of eventlet just have it imported. This is specifically an issue with openstackclient because it imports glanceclient which imports eventlet and screws it up for everyone. Assumedly glance cli is affected as well.
Note I consider this really important to fix because without it we can't use openstackclient against an SSL endpoint. Any word?
Will look at getting this patch in this week, is this desired for OSP 7?
Looks like a simple rebase to upstream 0.7.14 will address this issue
Verified 0.7.14 only has this one bug fix in it from 0.7.13 and fedora/master has 0.7.14 package already in dist-git. Looking for PM ACK and QA ACK for this bug. It prevents openstackclient from connecting to SSL endpoints
We can test this using openstackclient against a SSL certificate, but the easiest way is in a script:
    #!/bin/env python
    import eventlet
    import requests
    print requests.get('https://www.redhat.com').status_code
Under eventlet 0.17.3 I get:
    (test2)[cloud-user@openstack ~]$ python eventlet-test.py
    /home/cloud-user/.virtualenvs/test2/lib/python2.7/site-packages/requests/packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
      SecurityWarning
    Traceback (most recent call last):
      File "eventlet-test.py", line 4, in <module>
        print requests.get('https://www.redhat.com').status_code
      File "/home/cloud-user/.virtualenvs/test2/lib/python2.7/site-packages/requests/api.py", line 69, in get
        return request('get', url, params=params, **kwargs)
      File "/home/cloud-user/.virtualenvs/test2/lib/python2.7/site-packages/requests/api.py", line 50, in request
        response = session.request(method=method, url=url, **kwargs)
      File "/home/cloud-user/.virtualenvs/test2/lib/python2.7/site-packages/requests/sessions.py", line 465, in request
        resp = self.send(prep, **send_kwargs)
      File "/home/cloud-user/.virtualenvs/test2/lib/python2.7/site-packages/requests/sessions.py", line 573, in send
        r = adapter.send(request, **kwargs)
      File "/home/cloud-user/.virtualenvs/test2/lib/python2.7/site-packages/requests/adapters.py", line 370, in send
        timeout=timeout
      File "/home/cloud-user/.virtualenvs/test2/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 544, in urlopen
        body=body, headers=headers)
      File "/home/cloud-user/.virtualenvs/test2/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 341, in _make_request
        self._validate_conn(conn)
      File "/home/cloud-user/.virtualenvs/test2/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py", line 761, in _validate_conn
        conn.connect()
      File "/home/cloud-user/.virtualenvs/test2/lib/python2.7/site-packages/requests/packages/urllib3/connection.py", line 253, in connect
        match_hostname(cert, self.assert_hostname or hostname)
      File "/usr/lib64/python2.7/ssl.py", line 245, in match_hostname
        raise ValueError("empty or no certificate, match_hostname needs a "
    ValueError: empty or no certificate, match_hostname needs a SSL socket or SSL context with either CERT_OPTIONAL or CERT_REQUIRED
Under 0.17.4 I get:
    200
Created attachment 1064127: Test file for eventlet issue
restoring rhos-flags
Note that there is a 0.17.4 build for rawhide already[1] which we can probably reuse.
[1] http://koji.fedoraproject.org/koji/packageinfo?packageID=10242
Verified:
Environment: python-eventlet-0.17.4-1.el7ost.noarch
Based on comment #9 here's the output[2] from running the lines[1].
1.
    #!/bin/env python
    import eventlet
    import requests
    print requests.get('https://www.redhat.com').status_code
2.
    /usr/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
      InsecurePlatformWarning
    200
The BZ for the warning above is #1242675
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2015:1721
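Added example, not part of the original bug thread or of any Red Hat tooling: a Python check that reads `rpm -q python-eventlet` output lines and lists the hosts still below the 0.17.4 build discussed above. The host names and the sample inventory are constructed, and treating every version below 0.17.4 as needing the update is an assumption taken from the reporter's "at least 0.17.4".

```python
import re

# Version the report asks for ("at least 0.17.4").
FIXED = (0, 17, 4)

# Default `rpm -q` output is name-version-release.arch.
NVR_RE = re.compile(r"^python-eventlet-(\d+(?:\.\d+)*)-[^-]+\.[^.]+$")


def eventlet_version(line):
    """Return the eventlet version tuple from one `rpm -q` line, or None
    when the line is not a python-eventlet NVR (e.g. "is not installed")."""
    match = NVR_RE.match(line.strip())
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def needs_update(line):
    """True when the installed RPM build predates FIXED (assumption: every
    version below 0.17.4 is treated as needing the update)."""
    version = eventlet_version(line)
    if version is None:
        return False  # no python-eventlet RPM on this host to update
    # Pad short versions such as 0.17 to 0.17.0 before comparing.
    padded = version + (0,) * (len(FIXED) - len(version))
    return padded < FIXED


def audit(inventory):
    """Return the sorted host names whose python-eventlet needs the update."""
    return sorted(host for host, line in inventory if needs_update(line))


# Constructed inventory: hypothetical hosts paired with `rpm -q` output.
SAMPLE_INVENTORY = [
    ("controller-0", "python-eventlet-0.17.3-1.el7ost.noarch"),
    ("controller-1", "python-eventlet-0.17.4-1.el7ost.noarch"),
    ("compute-0", "package python-eventlet is not installed"),
    ("compute-1", "python-eventlet-0.17-2.el7.noarch"),
]

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print("%s: python-eventlet below 0.17.4, update required" % host)
```

The check covers RPM-installed eventlet only; a copy installed with pip into a virtualenv, as in the reproduction above, has to be checked separately.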