Bug 1319949 - Unencrypted client connections need an explicit set_verify_host in order to work
Summary: Unencrypted client connections need an explicit set_verify_host in order to work
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openwsman
Version: 7.3
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Vitezslav Crhonek
QA Contact: Alois Mahdal
URL:
Whiteboard:
Depends On:
Blocks: 1380364 1393870 1400961
TreeView+ depends on / blocked
 
Reported: 2016-03-21 23:01 UTC by Michele Baldessari
Modified: 2017-08-01 19:28 UTC (History)
4 users (show)

Fixed In Version: openwsman-2.3.6-14.el7
Doc Type: No Doc Update
Doc Text:
undefined
Clone Of:
Environment:
Last Closed: 2017-08-01 19:28:44 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2126 0 normal SHIPPED_LIVE openwsman bug fix update 2017-08-01 18:15:40 UTC

Description Michele Baldessari 2016-03-21 23:01:55 UTC
Description of problem:
Here is a small testcase connecting to AMT via HTTP

1) Not working
#!/usr/bin/python
import pywsman

client = pywsman.Client('192.0.2.99', 16992, '/wsman', 'http', 'admin', 'foo')
options = pywsman.ClientOptions()
doc = client.identify(options)
print(doc.root())

$ ./minimal.py
Traceback (most recent call last):
  File "./minimal.py", line 8, in <module>
    print(doc.root())
AttributeError: 'NoneType' object has no attribute 'root'

2) Working
#!/usr/bin/python
import pywsman

client = pywsman.Client('192.0.2.99', 16992, '/wsman', 'http', 'admin', 'foo')
client.transport().set_verify_host(False)
options = pywsman.ClientOptions()
doc = client.identify(options)
print(doc.root())

$ ./minimal.py
http://schemas.dmtf.org/wbem/wsman/1/wsman.xsdIntel(r)AMT 8.11.0.0.....


Version-Release number of selected component (if applicable):
libwsman1-2.3.6-13.el7.x86_64
openwsman-python-2.3.6-13.el7.x86_64


Additional info:
I raise this bug, only because this seems to be fixed in a later version.
If I take rpms from here http://download.opensuse.org/repositories/Openwsman/CentOS_CentOS-7/x86_64/ and install the following:
libwsman3-2.6.2-170.3        
openwsman-python-2.6.2-170.3 
wsmancli-2.6.0-56.13         

I observe that the test works without needing the set_verify_host(False) call:
$ more minimal.py 
#!/usr/bin/python
import pywsman

client = pywsman.Client('192.0.2.99', 16992, '/wsman', 'http', 'admin', 'foo')
#client.transport().set_verify_host(False)
options = pywsman.ClientOptions()
doc = client.identify(options)
print(doc.root())
[stack@undercloud ~]$ ./minimal.py 
http://schemas.dmtf.org/wbem/wsman/1/wsman.xsdIntel(r)AMT 8.11.0.0....


I will see which specific commit that fixes this, later on. I need this to get
ironic working with AMT boxes

Comment 2 Michele Baldessari 2016-03-21 23:19:12 UTC
With the following single upstream patch, things work as expected again

commit 37f4fc672f2b72debde9bb8b79e4073d40cd4cbc
Author: Klaus Kämpf <kkaempf>
Date:   Thu Jul 11 09:39:11 2013 +0200

    Fix curl_easy_setopt call for CURLOPT_SSL_VERIFYHOST, only values 2 or 0 are accepted

Comment 7 Alois Mahdal 2017-06-03 00:38:57 UTC
The dedicated test is now passing with openwsman-2.3.6-14.el7

Comment 8 errata-xmlrpc 2017-08-01 19:28:44 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2126


Note You need to log in before you can comment on or make changes to this bug.