Bug 1567862 - requests should no longer use PyOpenSSL by default
Summary: requests should no longer use PyOpenSSL by default
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: python-requests
Version: 28
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Jeremy Cline
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-16 10:14 UTC by Christian Heimes
Modified: 2018-04-27 23:38 UTC (History)
5 users (show)

Fixed In Version: python-requests-2.18.4-4.fc28 python-requests-2.18.4-2.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-27 23:05:44 UTC
Type: Bug


Attachments (Terms of Use)

Description Christian Heimes 2018-04-16 10:14:14 UTC
Description of problem:
The requests library supports multiple TLS/SSL backends through urllib3, amongst others PyOpenSSL and Python's ssl module. By default, requests overrides urllib3 defaults and attempts to inject PyOpenSSL as preferred implementation.

Upstream prefers PyOpenSSL, because it supports old versions of Python, that lack certain features like SNI or proper hostname verification. PyOpenSSL is no longer necessary in Fedora. The ssl module of Python 2.7.9+ (PEP 466) and 3.6 contain all necessary features for secure TLS/SSL handshake.

The hard dependency on PyOpenSSL and forceful injection in requests/__init__.py has multiple disadvantages:

* Fedora requests RPM pulls in several additional packages that are not strictly required: PyOpenSSL, python-cryptography, python-asn1crypto, python-cffi

* PyOpenSSL uses libffi's closures for some callbacks. The callbacks are not compatible with SELinux's execmem rules, because they require dynamic code creation with writeable, executable memory pages. libffi has a workaround, but the workaround is not fork-safe. For example, I had to add a workaround to FreeIPA to prevent SELinux violations from PyOpenSSL.

* PyOpenSSL is a bit slower than ssl module. Performance used to be even worse.

Version-Release number of selected component (if applicable):
all

How reproducible:
always

Fix:
* Remove package requirements from spec file
* Remove https://github.com/requests/requests/blob/master/requests/__init__.py#L93-L102

Comment 1 Jeremy Cline 2018-04-16 15:29:45 UTC
Hi Christian,

python-urllib3 is the package that has the hard dependency on PyOpenSSL so I've dropped it in version 1.22-7.fc29. python-requests-2.18.4-4.fc29 has the injection patched out. I'll file bodhi updates on F28 and F27 for both as soon as the builds finish.

Comment 2 Fedora Update System 2018-04-16 15:52:54 UTC
python-urllib3-1.22-7.fc28 python-requests-2.18.4-4.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-66a798978b

Comment 3 Fedora Update System 2018-04-16 15:54:18 UTC
python-urllib3-1.22-5.fc27 python-requests-2.18.4-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ae2c9dd927

Comment 4 Fedora Update System 2018-04-17 03:05:09 UTC
python-requests-2.18.4-4.fc28, python-urllib3-1.22-7.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-66a798978b

Comment 5 Christian Heimes 2018-04-17 04:39:24 UTC
Wow, you are fast. Thanks a lot!

You can also remove python[23]-cryptography and python[23]-idna from python-urllib. The packages are only imported by urllib3.contrib.pyopenssl.py.

Comment 6 Fedora Update System 2018-04-18 03:00:21 UTC
python-requests-2.18.4-2.fc27, python-urllib3-1.22-5.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-ae2c9dd927

Comment 7 Fedora Update System 2018-04-18 16:56:04 UTC
python-requests-2.18.4-4.fc28 python-urllib3-1.22-8.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-66a798978b

Comment 8 Jeremy Cline 2018-04-18 16:58:22 UTC
python[23]-cryptography and python[23]-idna requirements have been dropped from python-urllib3 in python-urllib3-1.22-8. Thanks!

Comment 9 Fedora Update System 2018-04-19 08:53:23 UTC
python-requests-2.18.4-4.fc28, python-urllib3-1.22-8.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-66a798978b

Comment 10 Fedora Update System 2018-04-27 23:05:44 UTC
python-requests-2.18.4-4.fc28, python-urllib3-1.22-8.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2018-04-27 23:38:14 UTC
python-requests-2.18.4-2.fc27, python-urllib3-1.22-5.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.