Red Hat Bugzilla – Bug 1274186
python-requests: Skipping SSL verification when connecting via HTTP proxy
Last modified: 2016-04-26 17:03:08 EDT
A vulnerability in python-request package was reported. python-requests does not perform SSL verification when an external HTTPS server is accessed through an HTTP CONNECT proxy. This enables man-in-the-middle attacks against any requests code running on RHEL 6.6 servers behind a proxy.
Reproducer can be found in original product bug:
Created python-requests tracking bugs for this issue:
Affects: fedora-all [bug 1274189]
Affects: epel-all [bug 1274190]
python-requests in version less than 2.0 does not properly tunnel requests via
proxy. `HTTPConnection` is used to directly talk to an unsecured proxy through
http protocol, instead of `HTTPSConnection`, even when the requested URL has the
https protocol included. Therefore, no SSL connection is established between
client and proxy server. SSL connection and verification is done only between
a proxy and an endpoint server.
Tunneled proxing using proxy CONNECT method was introduced in python-requests
version 2.0 .
Fixing this issue is not trivial and would require rebasing.
Use trusted proxy server.
This issue did not affect the versions of python-requests as shipped with Red Hat Enterprise Linux 6.7 and 7.
This issue affects the versions of python-requests as shipped with Red Hat Enterprise Linux 6.6. Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates because it would require an invasive change in the shipped version of python-requests.