Bug 1271867 - python-requests skips SSL verification through HTTP CONNECT proxy
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: python-requests
Hardware: x86_64 Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Assigned To: Python Maintainers
QA Contact: BaseOS QE - Apps
Keywords: Security
Blocks: 1274186
Reported: 2015-10-14 19:06 EDT by David Carlson
Modified: 2016-11-08 11:28 EST
Doc Type: Bug Fix
Last Closed: 2015-10-30 10:45:29 EDT
Type: Bug
Description David Carlson 2015-10-14 19:06:12 EDT
Description of problem: python-requests does not perform SSL verification when an external HTTPS server is accessed through an HTTP CONNECT proxy.  This enables man-in-the-middle attacks against any requests code running on RHEL 6.6 servers behind a proxy.

Version-Release number of selected component (if applicable):
python-requests 1.1.0 4.el6

How reproducible:
>>> import requests
>>> requests.get('https://my.self.signed/', proxies={'https':'http://webproxy:80'})
<Response [404]>

Steps to Reproduce:
1. publish an HTTPS server with a self-signed certificate
2. run any HTTP CONNECT webproxy
3. connect to that HTTPS server from a RHEL 6.6 

Actual results:
The request succeeds to the HTTP layer without checking authenticity, and a request object is returned.  Nope!

Expected results:
raised exception:
SSLError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Additional info:
I'm aware this is fixed in later versions (6.7), but the pattern scares the crap out of me (CVE?).
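
Added example (not part of the original report, and not python-requests code): a standard-library check of the behaviour the report expects. A constructed local listener answers CONNECT and then presents a self-signed certificate, and the client must reject it when verification is on. The helper names, the `localhost` test certificate and the use of the `openssl` command to generate it are assumptions of this example.

```python
import os, socket, ssl, subprocess, threading

def make_self_signed(dirpath):
    """Constructed test certificate for 'localhost' (needs the openssl CLI)."""
    key, crt = os.path.join(dirpath, "k.pem"), os.path.join(dirpath, "c.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", crt, "-days", "1",
                    "-subj", "/CN=localhost"], check=True, capture_output=True)
    return key, crt

def start_test_endpoint(key, crt):
    """Test listener: answers CONNECT, then speaks TLS with the self-signed cert."""
    srv = socket.create_server(("127.0.0.1", 0))
    sctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    sctx.load_cert_chain(crt, key)
    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                conn.recv(4096)  # the CONNECT request
                conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
                sctx.wrap_socket(conn, server_side=True).close()
            except (ssl.SSLError, OSError):
                conn.close()  # client aborted the handshake
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()

def tls_through_proxy(proxy, host, port, verify=True):
    """Open a CONNECT tunnel, then do the TLS handshake for `host` inside it."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    if not verify:  # what the reported behaviour amounts to: no check in the tunnel
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection(proxy, timeout=5)
    raw.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
    if b" 200 " not in raw.recv(4096):
        raise OSError("proxy refused CONNECT")
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        return tls.version()

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        proxy = start_test_endpoint(*make_self_signed(d))
        print("unverified:", tls_through_proxy(proxy, "localhost", 443, verify=False))
        try:
            tls_through_proxy(proxy, "localhost", 443)
        except ssl.SSLCertVerificationError as e:
            print("verified: rejected,", e.verify_message)
```

The same two calls can serve as a regression test for any HTTP client library: the proxied request to an untrusted certificate has to fail exactly as the direct one does.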
Comment 2 Viliam Križan 2015-10-30 10:45:29 EDT
This issue affects only RHEL 6.6 (6.6.z), which is now in EUS support.

Please see https://bugzilla.redhat.com/show_bug.cgi?id=1274186#c2
