RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1842314 - AddTrust certificate expiration causes Python to fail on connections
Summary: AddTrust certificate expiration causes Python to fail on connections
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: python3
Version: 7.8
Hardware: All
OS: Linux
unspecified
high
Target Milestone: rc
: ---
Assignee: Python Maintainers
QA Contact: RHEL CS Apps Subsystem QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-05-31 19:09 UTC by Erinn Looney-Triggs
Modified: 2022-07-06 03:01 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-07-15 12:04:19 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
trustflag.py demo script (1.02 KB, text/plain)
2020-06-03 13:01 UTC, Christian Heimes 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1842174 0 high CLOSED AddTrust External Root CA certificate expiration causes cert validation issue 2023-12-15 18:02:16 UTC

Description Erinn Looney-Triggs 2020-05-31 19:09:26 UTC 
Description of problem:
It appears that python36 https validation is broken with the expiration of the addtrust root, whereas python2 is not broken. Substituted example.com but just assume it is a site signed by sectigo. I am using requests here, but the issue appears to lay in or below the 'ssl' module.


Python 2.7.5 (default, Sep 26 2019, 13:23:47) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-39)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> r = requests.get('https://example.com/')
>>>

Whereas:

Python 3.6.8 (default, Sep 26 2019, 11:57:09) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-39)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> r = requests.get('https://example.com/')
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/requests/packages/urllib3/connectionpool.py", line 672, in urlopen
    chunked=chunked,
  File "/usr/lib/python3.6/site-packages/requests/packages/urllib3/connectionpool.py", line 376, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.6/site-packages/requests/packages/urllib3/connectionpool.py", line 994, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.6/site-packages/requests/packages/urllib3/connection.py", line 394, in connect
    ssl_context=context,
  File "/usr/lib/python3.6/site-packages/requests/packages/urllib3/util/ssl_.py", line 370, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib64/python3.6/ssl.py", line 365, in wrap_socket
    _context=self, _session=session)
  File "/usr/lib64/python3.6/ssl.py", line 773, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1033, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 645, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 438, in send
    timeout=timeout
  File "/usr/lib/python3.6/site-packages/requests/packages/urllib3/connectionpool.py", line 720, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/usr/lib/python3.6/site-packages/requests/packages/urllib3/util/retry.py", line 436, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
requests.packages.urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='example.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)'),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.6/site-packages/requests/api.py", line 72, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 530, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 651, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 502, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='exmaple.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:877)'),))

Version-Release number of selected component (if applicable):
python3-3.6.8-13.el7.x86_64
python-2.7.5-88.el7.x86_64


How reproducible:

import socket, ssl

HOST, PORT = 'some.sectigo.signed.site', 443

def handle(conn):
    conn.write(b'GET / HTTP/1.1\n')
    print(conn.recv().decode())

def main():
    sock = socket.socket(socket.AF_INET)
    context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    context.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1  # optional
    conn = context.wrap_socket(sock, server_hostname=HOST)
    try:
        conn.connect((HOST, PORT))
        handle(conn)
    finally:
        conn.close()

if __name__ == '__main__':
    main()


Steps to Reproduce:
1. Run the above code using python3 and python2


Actual results:

It fails under python3 with certificate validation errors

Expected results:

It will work under both or fail under both

Additional info:
Comment 3 Christian Heimes 2020-06-03 12:25:05 UTC 
Could you please provide package versions of openssl, python-requests, and RHEL 7 version?
Comment 4 Christian Heimes 2020-06-03 13:01:58 UTC 
Created attachment 1694827 [details]
trustflag.py demo script

I cannot reproduce the problem on RHEL 7.8 with packages

python-2.7.5-88.el7.x86_64
openssl-1.0.2k-19.el7.x86_64
python3-3.6.8-13.el7.x86_64
ca-certificates-2019.2.32-76.el7_7.noarch

With standard ssl module and builtin urllib / urllib2 Python 2 is failing and Python 3 is passing just fine. The test script also shows that Python 3 has X509_V_FLAG_TRUSTED_FIRST correctly set and Python 2 is missing patch https://github.com/python/cpython/commit/b1ebba5bd569ede9b6f9573d6618fb3a6abddae5 from upstream.

The attached test script prints:

# python3 trustflag.py
3.6.8 (default, Sep 26 2019, 11:57:09) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
OpenSSL 1.0.2k-fips  26 Jan 2017

Try with default verify flags
verify_flags 0x8000
success

Try again with X509_V_FLAG_TRUSTED_FIRST
verify_flags 0x8000
success

# python2 trustflag.py
2.7.5 (default, Sep 26 2019, 13:23:47) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
OpenSSL 1.0.2k-fips  26 Jan 2017

Try with default verify flags
verify_flags 0x0L
FAILED
<urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)>

Try again with X509_V_FLAG_TRUSTED_FIRST
verify_flags 0x8000L
success
Comment 5 Christian Heimes 2020-06-03 13:12:58 UTC 
requests on Python 2 is failing for me and there is no requests for Python 3 on RHEL 7. How did you install requests? If you used a virtual environment, then you may have pulled on other dependencies from PyPI like PyOpenSSL and certifi.

# yum install python3-requests
No package python3-requests available.

# rpm -qa python-requests
python-requests-2.6.0-8.el7_7.noarch

# python2
Python 2.7.5 (default, Sep 26 2019, 13:23:47) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-39)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get("https://addtrust-chain.demo.sslmate.com")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 68, in get
    return request('get', url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 50, in request
    response = session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 486, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 598, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
Comment 6 Petr Viktorin (pviktori) 2020-06-18 14:34:35 UTC 
How did you install requests?
Comment 7 Petr Viktorin (pviktori) 2020-07-15 12:04:19 UTC 
Closing, feel free to reopen if you can answer.
Note You need to log in before you can comment on or make changes to this bug.