1319949 – Unencrypted client connections need an explicit set_verify_host in order to work

Bug 1319949 - Unencrypted client connections need an explicit set_verify_host in order to work

Summary: Unencrypted client connections need an explicit set_verify_host in order to work

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	openwsman
Sub Component:
Version:	7.3
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Vitezslav Crhonek
QA Contact:	Alois Mahdal
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1380364 1393870 1400961
TreeView+	depends on / blocked

Reported:	2016-03-21 23:01 UTC by Michele Baldessari
Modified:	2017-08-01 19:28 UTC (History)
CC List:	4 users (show)
Fixed In Version:	openwsman-2.3.6-14.el7
Doc Type:	No Doc Update
Doc Text:	undefined
Clone Of:
Environment:
Last Closed:	2017-08-01 19:28:44 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:2126	0	normal	SHIPPED_LIVE	openwsman bug fix update	2017-08-01 18:15:40 UTC

Description Michele Baldessari 2016-03-21 23:01:55 UTC

Description of problem:
Here is a small testcase connecting to AMT via HTTP

1) Not working
#!/usr/bin/python
import pywsman

client = pywsman.Client('192.0.2.99', 16992, '/wsman', 'http', 'admin', 'foo')
options = pywsman.ClientOptions()
doc = client.identify(options)
print(doc.root())

$ ./minimal.py
Traceback (most recent call last):
  File "./minimal.py", line 8, in <module>
    print(doc.root())
AttributeError: 'NoneType' object has no attribute 'root'

2) Working
#!/usr/bin/python
import pywsman

client = pywsman.Client('192.0.2.99', 16992, '/wsman', 'http', 'admin', 'foo')
client.transport().set_verify_host(False)
options = pywsman.ClientOptions()
doc = client.identify(options)
print(doc.root())

$ ./minimal.py
http://schemas.dmtf.org/wbem/wsman/1/wsman.xsdIntel(r)AMT 8.11.0.0.....


Version-Release number of selected component (if applicable):
libwsman1-2.3.6-13.el7.x86_64
openwsman-python-2.3.6-13.el7.x86_64


Additional info:
I raise this bug, only because this seems to be fixed in a later version.
If I take rpms from here http://download.opensuse.org/repositories/Openwsman/CentOS_CentOS-7/x86_64/ and install the following:
libwsman3-2.6.2-170.3        
openwsman-python-2.6.2-170.3 
wsmancli-2.6.0-56.13         

I observe that the test works without needing the set_verify_host(False) call:
$ more minimal.py 
#!/usr/bin/python
import pywsman

client = pywsman.Client('192.0.2.99', 16992, '/wsman', 'http', 'admin', 'foo')
#client.transport().set_verify_host(False)
options = pywsman.ClientOptions()
doc = client.identify(options)
print(doc.root())
[stack@undercloud ~]$ ./minimal.py 
http://schemas.dmtf.org/wbem/wsman/1/wsman.xsdIntel(r)AMT 8.11.0.0....


I will see which specific commit that fixes this, later on. I need this to get
ironic working with AMT boxes

Comment 2 Michele Baldessari 2016-03-21 23:19:12 UTC

With the following single upstream patch, things work as expected again

commit 37f4fc672f2b72debde9bb8b79e4073d40cd4cbc
Author: Klaus Kämpf <kkaempf>
Date:   Thu Jul 11 09:39:11 2013 +0200

    Fix curl_easy_setopt call for CURLOPT_SSL_VERIFYHOST, only values 2 or 0 are accepted

Comment 7 Alois Mahdal 2017-06-03 00:38:57 UTC

The dedicated test is now passing with openwsman-2.3.6-14.el7

Comment 8 errata-xmlrpc 2017-08-01 19:28:44 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2126

Note You need to log in before you can comment on or make changes to this bug.