Bug 1271867 - python-requests skips SSL verification through HTTP CONNECT proxy
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: python-requests
Hardware/OS: x86_64 Linux
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: Python Maintainers
QA Contact: BaseOS QE - Apps
Keywords: Security
Blocks: 1274186
Reported: 2015-10-14 19:06 EDT by David Carlson
Modified: 2016-11-08 11:28 EST
Doc Type: Bug Fix
Last Closed: 2015-10-30 10:45:29 EDT
Type: Bug
Attachments: None

Description David Carlson 2015-10-14 19:06:12 EDT
Description of problem: python-requests does not perform SSL verification when an external HTTPS server is accessed through an HTTP CONNECT proxy.  This enables man-in-the-middle attacks against any requests code running on RHEL 6.6 servers behind a proxy.

Version-Release number of selected component (if applicable):
python-requests-1.1.0-4.el6

How reproducible:
>>> import requests
>>> # Origin presents a self-signed certificate; webproxy is a plain HTTP CONNECT proxy.
>>> requests.get('https://my.self.signed/', proxies={'https': 'http://webproxy:80'})
<Response [404]>

Steps to Reproduce:
1. publish an HTTPS server with a self-signed certificate
2. run any HTTP CONNECT webproxy
3. connect to that HTTPS server from a RHEL 6.6 

Actual results:
The request succeeds to the HTTP layer without checking authenticity, and a request object is returned.  Nope!

Expected results:
raised exception:
SSLError: [Errno 1] _ssl.c:504: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Additional info:
I'm aware this is fixed in later versions (6.7), but the pattern scares the crap out of me (CVE?).
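Added example, not from the bug report or the python-requests project: the HTTP CONNECT handshake done by hand with the Python standard library, with the unverified TLS wrap that matches the behaviour reported above placed next to the verifying one. The demo under __main__ reuses the report's names webproxy and my.self.signed; the ports, the local trust-file argument and the proxy's exact reply text are assumptions.

```python
# Added example, not part of the bug report or of python-requests: the CONNECT
# tunnel handshake with the standard library, so the two ways of starting TLS
# inside the tunnel can be compared side by side. Proxy/host/port values in the
# __main__ demo are assumptions, not taken from the report.
import socket
import ssl
from typing import Optional, Tuple


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request line plus the Host header a proxy expects (RFC 7231 s4.3.6)."""
    target = f"{host}:{port}"
    return f"CONNECT {target} HTTP/1.1\r\nHost: {target}\r\n\r\n".encode("ascii")


def parse_connect_response(raw: bytes) -> Tuple[int, str]:
    """Return (status, reason) from the proxy's plaintext reply.

    Only a 2xx means the tunnel is open; anything else must abort before TLS.
    """
    status_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason


def read_connect_reply(sock: socket.socket) -> bytes:
    """Read the proxy's reply up to the blank line that ends its headers."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += chunk
    return buf


def unverified_context() -> ssl.SSLContext:
    """The weak pattern matching the reported behaviour: verification switched
    off, so a certificate forged by anyone on the proxy path is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """The corrected pattern: trust store loaded, CERT_REQUIRED, hostname check on."""
    return ssl.create_default_context(cafile=cafile)


def context_is_verifying(ctx: ssl.SSLContext) -> bool:
    """Check a client should make before trusting any bytes through the tunnel."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def tls_via_connect(proxy: Tuple[str, int], host: str, port: int,
                    ctx: ssl.SSLContext, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open the tunnel, then start TLS inside it.

    server_hostname is the origin host, not the proxy: SNI and the hostname
    check both have to name the server the caller actually wants.
    """
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(build_connect_request(host, port))
        status, reason = parse_connect_response(read_connect_reply(sock))
        if not 200 <= status < 300:
            raise ConnectionError(f"CONNECT {host}:{port} refused: {status} {reason}")
        return ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise


if __name__ == "__main__":
    # Assumed proxy and origin (names from the report, ports assumed). With a
    # self-signed origin certificate the verifying context raises an SSLError,
    # the result the report expects; the unverified one would hand back a socket.
    PROXY, HOST, PORT = ("webproxy", 80), "my.self.signed", 443
    try:
        tls = tls_via_connect(PROXY, HOST, PORT, verifying_context())
    except ssl.SSLError as exc:
        print("verification refused the certificate:", exc)
    else:
        print("verified tunnel to", tls.getpeercert()["subject"])
        tls.close()
```

context_is_verifying() is the check to run on whatever context a client hands to wrap_socket; a context that passes it fails the self-signed case above with the SSLError the reporter expected, whether or not a proxy sits in between.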
Comment 2 Viliam Križan 2015-10-30 10:45:29 EDT
This issue affects only RHEL 6.6 (6.6.z), which is now in EUS support.

Please see
