2009550 – "DeprecationWarning: ssl.match_hostname() is deprecated" on Fedora 35 / Rawhide (Python 3.10)

Bug 2009550 - "DeprecationWarning: ssl.match_hostname() is deprecated" on Fedora 35 / Rawhide (Python 3.10)

Summary: "DeprecationWarning: ssl.match_hostname() is deprecated" on Fedora 35 / Rawhi...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	python-urllib3
Sub Component:
Version:	35
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	---
Assignee:	Fedora Infrastructure SIG
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2036692
TreeView+	depends on / blocked

Reported:	2021-09-30 23:00 UTC by Adam Williamson
Modified:	2022-01-08 01:19 UTC (History)
CC List:	7 users (show)
Fixed In Version:	python-urllib3-1.26.7-2.fc35
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-01-08 01:19:26 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	urllib3 urllib3 issues 2200	None	closed	Python 3.10 ssl module deprecations	2021-09-30 23:01:01 UTC
Github	urllib3 urllib3 issues 2439	None	open	Vendor ssl.match_hostname to avoid Python 3.10 deprecation warning	2021-10-01 18:48:07 UTC
Github	urllib3 urllib3 pull 2448	None	Merged	[1.26] Vendor ssl.match_hostname to avoid Python 3.10 deprecation warning	2021-10-12 21:30:50 UTC

Description Adam Williamson 2021-09-30 23:00:37 UTC

Doing just about anything in anything that uses urllib3 (which is a ton of things) causes this DeprecationWarning:

/usr/lib/python3.10/site-packages/urllib3/connection.py:512: DeprecationWarning: ssl.match_hostname() is deprecated
  match_hostname(cert, asserted_hostname)

I tested with 1.26.7 (just released), but it still has the issue. There's also another deprecation warning I see in some cases:

    /usr/lib/python3.10/site-packages/urllib3/util/retry.py:38: DeprecationWarning: Using 'Retry.DEFAULT_METHOD_WHITELIST' is deprecated and will be removed in v2.0. Use 'Retry.DEFAULT_ALLOWED_METHODS' instead

I added a comment to an upstream issue on this - https://github.com/urllib3/urllib3/issues/2200#issuecomment-931759912 .

Comment 1 Adam Williamson 2021-09-30 23:01:50 UTC

oh, that second one is probably a deprecation warning in the app I'm running, ignore that. But the other one is in urllib3 itself.

Comment 2 Miro Hrončok 2021-10-01 18:05:56 UTC

Note that the upstream's response indicates they will resolve this by bundling.

Comment 3 Adam Williamson 2021-10-01 18:45:52 UTC

well, sorta, but then the commit from the main branch that they reference - https://github.com/urllib3/urllib3/pull/2198/files - doesn't seem to do that, exactly. or if it does, it just moved it from one place where it already was (`_implementation.py`), to another. I had actually run across that commit already in looking into this issue, but wasn't entirely clear on exactly what was going on there.

Comment 4 Miro Hrončok 2021-10-01 21:34:38 UTC

We currently remove urllib3/packages/ssl_match_hostname/_implementation.py in %install.

Comment 5 Adam Williamson 2021-10-12 21:30:30 UTC

so upstream has resolved this now:

https://github.com/urllib3/urllib3/pull/2448

Miro, do you think we can just backport this, or what else would you prefer to do?

Comment 6 Miro Hrončok 2021-10-12 22:55:23 UTC

If we are OK with the idea of bundling, I'd do so, yes.

Comment 7 Miro Hrončok 2021-10-12 23:22:47 UTC

Looking into it more, this is clearly a piece of code that Python upstream no longer wishes to maintain and urrlib3 upstream does. Hence, I think forcibly unbundling it would be the wrong thing to do.

We just need to update the license from plain MIT to MIT and Python.

Comment 8 Adam Williamson 2021-10-13 06:02:19 UTC

yeah, that was my take too, the deprecationwarning is literally Python telling us they don't want us to use it any more.

Comment 9 Adam Williamson 2022-01-04 18:17:44 UTC

So, uh, I came back to this today, and I think all that work we got upstream to do was unnecessary. Upstream was already set to vendor it on Python 3.10+. All we had to do was stop explicitly unbundling it downstream. Oh well, let's not tell them. :D

I'm sending a build that drops our unbundling stuff, but doesn't backport the upstream PR as it doesn't apply immediately and doesn't seem to be necessary. Just removing the unbundling makes the deprecation warnings go away in my tests.

Comment 10 Fedora Update System 2022-01-04 18:50:00 UTC

FEDORA-2022-104704f78a has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-104704f78a

Comment 11 Fedora Update System 2022-01-05 01:15:12 UTC

FEDORA-2022-104704f78a has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-104704f78a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-104704f78a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2022-01-08 01:19:26 UTC

FEDORA-2022-104704f78a has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.