Created attachment 1149543 [details] Test script that demonstrates the bug. Description of problem: If a user of urllib3 modifies the ``connection_pool_kw`` dictionary on the ``urllib3.poolmanager.PoolManager`` class to change the SSL configuration (client certificate and key, CA certificate bundle, SSL version, and whether or not the server's certificate must be valid), the ``PoolManager`` instance will not consider these new configurations when providing a pooled connection for a request. This results in existing connections that are not configured as the user expects to be used rather than new connections being created. This causes issues like https://github.com/kennethreitz/requests/issues/2863. Version-Release number of selected component (if applicable): All versions equal to or below urllib3 version 1.15.z How reproducible: Easily and reliably reproducible. Steps to Reproduce: 1. See attached Python script - this script attempts to reconfigure the CA bundle used by urllib3. It deletes the old CA file so that if the PoolManager uses the old one, it gets a "No such file or directory error". Doing `python test_urllib3.py` on a version of urllib3 affected by this bug will produce a traceback. Actual results: Old SSL configurations are used. Expected results: New SSL configurations are used. Additional info: The patch for this bug has been accepted upstream, but is not yet in a released version: https://github.com/shazow/urllib3/pull/830 This is an issue Satellite 6 suffers from.
Created attachment 1149548 [details] Proposed patch I've gone ahead and back-ported the patch from https://github.com/shazow/urllib3/pull/830. The attached patch should apply cleanly to the 1.10.2 tag and all tests pass.
Created attachment 1199099 [details] Test script that demonstrates the bug. Updated reproducer provided by Jeremy Cline.
Verified: OlD: python-urllib3-1.10.2-1.el6.noarch :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: Test :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ BEGIN ] :: Running python script :: actually running 'python test_urllib3.py 2>&1 | tee output.log' /tmp/tmpiWO_yP /tmp/tmp_NFSej Traceback (most recent call last): File "test_urllib3.py", line 81, in <module> request = pool_manager.request('GET', url) File "/usr/lib/python2.6/site-packages/urllib3/request.py", line 68, in request **urlopen_kw) File "/usr/lib/python2.6/site-packages/urllib3/request.py", line 81, in request_encode_url return self.urlopen(method, url, **urlopen_kw) File "/usr/lib/python2.6/site-packages/urllib3/poolmanager.py", line 161, in urlopen response = conn.urlopen(method, u.request_uri, **kw) File "/usr/lib/python2.6/site-packages/urllib3/connectionpool.py", line 574, in urlopen raise SSLError(e) urllib3.exceptions.SSLError: [Errno 185090050] _ssl.c:330: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib :: [ FAIL ] :: Running python script (Expected 0, got 1) :: [ FAIL ] :: File 'output.log' should not contain 'Traceback' :: [ FAIL ] :: File 'output.log' should not contain 'request = pool_manager.request('GET', url)' :: [ FAIL ] :: File 'output.log' should not contain 'urllib3.exceptions.SSLError:' :: [ FAIL ] :: File 'output.log' should not contain 'Errno 185090050' :: [ FAIL ] :: File 'output.log' should not contain 'error:0B084002:x509' :: [ PASS ] :: File 'output.log' should not contain '[Errno 2] No such file or directory' :: [ FAIL ] :: File 'output.log' should contain 'No exception raised! Seems things are working.' '3857dab8-c768-4815-b986-684d9f38d7cc' Test result: FAIL NEW: python-urllib3-1.10.2-3.el6.noarch :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ LOG ] :: Test :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: :: [ BEGIN ] :: Running python script :: actually running 'python test_urllib3.py 2>&1 | tee output.log' /tmp/tmpNpwvqz /tmp/tmpXrXLbM No exception raised! Seems things are working. :: [ PASS ] :: Running python script (Expected 0, got 0) :: [ PASS ] :: File 'output.log' should not contain 'Traceback' :: [ PASS ] :: File 'output.log' should not contain 'request = pool_manager.request('GET', url)' :: [ PASS ] :: File 'output.log' should not contain 'urllib3.exceptions.SSLError:' :: [ PASS ] :: File 'output.log' should not contain 'Errno 185090050' :: [ PASS ] :: File 'output.log' should not contain 'error:0B084002:x509' :: [ PASS ] :: File 'output.log' should not contain '[Errno 2] No such file or directory' :: [ PASS ] :: File 'output.log' should contain 'No exception raised! Seems things are working.' '28781b7e-7398-4621-9aa2-ffbeb3278a07' Test result: PASS
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0596.html