Bug 1274186 - python-requests: Skipping SSL verification when connecting via HTTP proxy
python-requests: Skipping SSL verification when connecting via HTTP proxy
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 1271867 1274189 1274190
Blocks: 1274188
  Show dependency treegraph
Reported: 2015-10-22 04:32 EDT by Adam Mariš
Modified: 2016-04-26 17:03 EDT (History)
37 users (show)

See Also:
Fixed In Version: python-requests 2.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-10-30 10:48:04 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Adam Mariš 2015-10-22 04:32:37 EDT
A vulnerability in python-request package was reported. python-requests does not perform SSL verification when an external HTTPS server is accessed through an HTTP CONNECT proxy. This enables man-in-the-middle attacks against any requests code running on RHEL 6.6 servers behind a proxy.

Reproducer can be found in original product bug:

Comment 1 Adam Mariš 2015-10-22 04:39:15 EDT
Created python-requests tracking bugs for this issue:

Affects: fedora-all [bug 1274189]
Affects: epel-all [bug 1274190]
Comment 2 Viliam Križan 2015-10-30 10:33:06 EDT
python-requests in version less than 2.0 does not properly tunnel requests via 
proxy. `HTTPConnection` is used to directly talk to an unsecured proxy through 
http protocol, instead of `HTTPSConnection`, even when the requested URL has the 
https protocol included. Therefore, no SSL connection is established between 
client and proxy server. SSL connection and verification is done only between 
a proxy and an endpoint server.

Tunneled proxing using proxy CONNECT method was introduced in python-requests 
version 2.0 [1]. 

Fixing this issue is not trivial and would require rebasing. 

[1] http://docs.python-requests.org/en/latest/community/updates/#id29


Use trusted proxy server.
Comment 3 Viliam Križan 2015-10-30 10:41:35 EDT

This issue did not affect the versions of python-requests as shipped with Red Hat Enterprise Linux 6.7 and 7.

This issue affects the versions of python-requests as shipped with Red Hat Enterprise Linux 6.6. Red Hat Product Security has rated this issue as having Moderate security impact. This issue is not currently planned to be addressed in future updates because it would require an invasive change in the shipped version of python-requests.

Note You need to log in before you can comment on or make changes to this bug.