Bug 966004 - NameError on server certificate validation attempt on rhel5
Summary: NameError on server certificate validation attempt on rhel5
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise MRG
Classification: Red Hat
Component: python-qpid
Version: Development
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: 2.4.4
Target Release: ---
Assignee: Ken Giusti
QA Contact: Leonid Zhaldybin
URL:
Whiteboard:
Depends On:
Blocks: 975744
Reported: 2013-05-22 09:33 UTC by Petr Matousek
Modified: 2014-11-09 22:39 UTC

Fixed In Version: python-qpid-0.18-6.el5_9
Doc Type: Bug Fix
Doc Text:
Cause: The version of Python included in RHEL 5 does not support certificate verification. Should the application attempt to use certificate verification - by supplying a CA certificate file - the python-qpid code would attempt to issue an error exception. The exception it attempted to issue was SSLError, which is also not defined by the version of Python in RHEL 5.

Consequence: Since qpid-python attempted to use an undefined variable - SSLError - the Python interpreter throws an unknown name error (NameError) instead of issuing the warning about certificate validation.

Fix: The qpid-python code was modified to avoid using the undefined SSLError exception, and instead use a pre-defined socket.error exception for the unsupported certificate verification operation.

Result: When attempting to use the unsupported certificate validation feature, a proper error exception is thrown.
Clone Of:
Clones: 975744
Environment:
Last Closed: 2014-02-11 08:29:34 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Apache JIRA | QPID-4882 | 0 | None | None | None | Never
Red Hat Product Errata | RHBA-2014:0129 | 0 | normal | SHIPPED_LIVE | Red Hat Enterprise MRG Messaging 2 update | 2014-02-11 13:28:05 UTC

Description Petr Matousek 2013-05-22 09:33:08 UTC
Description of problem:

The validation of server certificate is not supported on rhel5. There is an appropriate error reported by the client, which is correct:
    raise SSLError("This version of Python does not support verification of the peer's certificate.")

But the 'SSLError' class is not known, so the client ends with a NameError:
NameError: global name 'SSLError' is not defined

See additional info for details.

Version-Release number of selected component (if applicable):
python-qpid-0.18-4

How reproducible:
100%

Steps to Reproduce:
1. set up ssl broker
2. connect to the broker using python client, request server certificate validation by supplying ssl_trustfile connection option
3. NameError

Actual results:
NameError on server certificate validation attempt

Expected results:
Appropriate exception is displayed to the user

Additional info:

* qc2_drain.py is a modified version of python drain example that supports connection options

# ~/qc2_drain.py -b amqps://$(hostname):5671 "amq.direct/test" --connection-options "{ssl_certfile:/var/lib/qpidd/qpid_nss_db/client.pem, ssl_trustfile:/var/lib/qpidd/qpid_nss_db/rootca.crt}"
Traceback (most recent call last):
  File "/root/qc2_drain.py", line 171, in ?
    conn.open()
  File "<string>", line 6, in open
  File "/usr/lib/python2.4/site-packages/qpid/messaging/endpoints.py", line 261, in open
    self.attach()
  File "<string>", line 6, in attach
  File "/usr/lib/python2.4/site-packages/qpid/messaging/endpoints.py", line 279, in attach
    self._ewait(lambda: self._transport_connected and not self._unlinked())
  File "/usr/lib/python2.4/site-packages/qpid/messaging/endpoints.py", line 214, in _ewait
    self.check_error()
  File "/usr/lib/python2.4/site-packages/qpid/messaging/endpoints.py", line 207, in check_error
    raise self.error
qpid.messaging.exceptions.InternalError: Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/qpid/messaging/driver.py", line 509, in dispatch
    self.connect()
  File "/usr/lib/python2.4/site-packages/qpid/messaging/driver.py", line 533, in connect
    self._transport = trans(self.connection, host, port)
  File "/usr/lib/python2.4/site-packages/qpid/messaging/transports.py", line 79, in __init__
    raise SSLError("This version of Python does not support verification of the peer's certificate.")
NameError: global name 'SSLError' is not defined

Comment 1 Ken Giusti 2013-05-23 14:41:28 UTC
Fixed upstream:

http://svn.apache.org/viewvc?view=revision&revision=1485741
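
The failure in this report and the fix described in the Doc Text, as a runnable added example (not python-qpid's code and not the upstream patch). `Conn`, `LegacyTlsBefore`, `LegacyTlsAfter`, `try_connect` and the trust-file path are hypothetical names chosen for illustration; the "before" class deliberately references a name that was never imported, which is the situation on RHEL 5's Python.

```python
import socket

MSG = "This version of Python does not support verification of the peer's certificate."


class Conn(object):
    """Constructed stand-in for the connection options (hypothetical class)."""
    def __init__(self, ssl_trustfile=None):
        self.ssl_trustfile = ssl_trustfile


class LegacyTlsBefore(object):
    """Fallback transport as the report describes it: the error path names
    SSLError, which this module never imported or defined."""
    def __init__(self, conn):
        if conn.ssl_trustfile:
            # Deliberately undefined name: evaluating it raises NameError
            # before any exception object can be built.
            raise SSLError(MSG)


class LegacyTlsAfter(object):
    """Same check, raising an exception type that always exists."""
    def __init__(self, conn):
        if conn.ssl_trustfile:
            raise socket.error(MSG)


def try_connect(transport_cls, conn):
    """Caller that treats socket.error as a transport failure and anything
    else as an internal fault, returning (status, detail)."""
    try:
        transport_cls(conn)
    except socket.error as exc:
        return ("refused", str(exc))
    except Exception as exc:
        return ("internal-error", "%s: %s" % (type(exc).__name__, exc))
    # No trust file was requested, so nothing was checked on this path.
    return ("connected", "peer certificate not verified")


if __name__ == "__main__":
    wants_verify = Conn(ssl_trustfile="/path/to/rootca.crt")  # constructed path
    print(try_connect(LegacyTlsBefore, wants_verify))
    print(try_connect(LegacyTlsAfter, wants_verify))
    print(try_connect(LegacyTlsAfter, Conn()))
```

Both variants refuse the connection when a trust file is supplied, so the defect never produced an unverified session; it hid the reason for the refusal behind a NameError that transport-level error handling does not catch.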

Comment 4 Leonid Zhaldybin 2014-01-23 15:21:40 UTC
Tested on RHEL5.10 (both i386 and x86_64). This issue has been fixed.

Packages used for testing:

python-qpid-0.18-8.el5_10
python-qpid-qmf-0.18-20.el5_10
qpid-cpp-client-0.18-20.el5_10
qpid-cpp-client-devel-0.18-20.el5_10
qpid-cpp-client-devel-docs-0.18-20.el5_10
qpid-cpp-client-rdma-0.18-20.el5_10
qpid-cpp-client-ssl-0.18-20.el5_10
qpid-cpp-server-0.18-20.el5_10
qpid-cpp-server-cluster-0.18-20.el5_10
qpid-cpp-server-devel-0.18-20.el5_10
qpid-cpp-server-ha-0.18-20.el5_10
qpid-cpp-server-rdma-0.18-20.el5_10
qpid-cpp-server-ssl-0.18-20.el5_10
qpid-cpp-server-store-0.18-20.el5_10
qpid-cpp-server-xml-0.18-20.el5_10
qpid-java-client-0.18-8.el5_9
qpid-java-common-0.18-8.el5_9
qpid-java-example-0.18-8.el5_9
qpid-jca-0.18-8.el5
qpid-jca-xarecovery-0.18-8.el5
qpid-jca-zip-0.18-8.el5
qpid-qmf-0.18-20.el5_10
qpid-qmf-devel-0.18-20.el5_10
qpid-tests-0.18-2.el5
qpid-tools-0.18-10.el5_9
rh-qpid-cpp-tests-0.18-20.el5_10
ruby-qpid-qmf-0.18-20.el5_10

-> VERIFIED

Comment 6 errata-xmlrpc 2014-02-11 08:29:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0129.html

