[Bug 1805807] Re: python-httplib2 is not compatible with TLS 1.3 based python/ssl

Dimitri John Ledkov launchpad at surgut.co.uk
Thu Dec 13 01:45:46 UTC 2018


** Description changed:

  [Impact]
  
-  * If and when openssl and python are upgraded with TLS 1.3 support,
+  * If and when openssl and python are upgraded with TLS 1.3 support,
  httplib2 as shipped in bionic will fail to establish TLS connections,
  due to failure to send hostname for SNI verification.
  
  [Test Case]
  
-  * Sample script that currently passes in bionic, but fails if one force
+  * Sample script that currently passes in bionic, but fails if one force
  upgrades to a newer python2.7 built with openssl 1.1.1
  
-  * Install the new openssl & python on bionic with:
+  * Install the new openssl & python on bionic with:
  
  echo 'deb [trusted=yes] http://ppa.launchpad.net/ci-train-ppa-service/3540/ubuntu bionic main ' > /etc/apt/sources.list.d/xnox.list
  apt update
  apt install -y python2.7
  apt download python-httplib2
- dpkg-deb -x ./python-httplib2_0.9.2+dfsg-1_all.deb /
- 
- 
-  * Launch python interpreter and try to open a https url
-   $ python
+ dpkg --force-breaks --install ./python-httplib2_0.9.2+dfsg-1ubuntu0.1_all.deb
+  * Launch python interpreter and try to open a https url
+   $ python
  import httplib2
  h = httplib2.Http(ca_certs='/etc/ssl/certs/ca-certificates.crt')
  h.request("https://www.google.com")
  Traceback (most recent call last):
-   File "<stdin>", line 1, in <module>
-   File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1608, in request
-     (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
-   File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1350, in _request
-     (response, content) = self._conn_request(conn, request_uri, method, body, headers)
-   File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1271, in _conn_request
-     conn.connect()
-   File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1058, in connect
-     raise SSLHandshakeError(e)
+   File "<stdin>", line 1, in <module>
+   File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1608, in request
+     (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
+   File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1350, in _request
+     (response, content) = self._conn_request(conn, request_uri, method, body, headers)
+   File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1271, in _conn_request
+     conn.connect()
+   File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1058, in connect
+     raise SSLHandshakeError(e)
  httplib2.SSLHandshakeError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)
  
- 
-  * Instead of assertion being raised, the url should be retrieved successfully with page contents returned.
+  * Instead of assertion being raised, the url should be retrieved
+ successfully with page contents returned.
  
  [Regression Potential]
  
-  * Upstream patch is used, which is well-tested and used in cosmic/disco
+  * Upstream patch is used, which is well-tested and used in cosmic/disco
  and uses python standard library ssl facilities which have been provided
  since 2.7.9 (xenial+). In terms of connectivity correct SNI usage will
  not result in connectivity failures.
  
  [Other Info]
-  
-  * Upstream fix https://github.com/httplib2/httplib2/pull/13/files
+ 
+  * Upstream fix https://github.com/httplib2/httplib2/pull/13/files
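Review bot: The new install step hard-codes the file name "python-httplib2_0.9.2+dfsg-1ubuntu0.1_all.deb", while the preceding "apt download python-httplib2" is unversioned, so the step only works if that exact version is the download candidate; suggest pinning the download (apt download python-httplib2=<version>) or matching the file with a glob. The step also installs a differently versioned package than the removed "dpkg-deb -x" line did, yet the traceback that follows is unchanged, so the test case should state which package version is expected to raise SSLHandshakeError and which should succeed. The blank line that separated the install commands from the "Launch python interpreter" bullet was dropped too and is worth restoring.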

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python-httplib2 in Ubuntu.
https://bugs.launchpad.net/bugs/1805807

Title:
  python-httplib2 is not compatible with TLS 1.3 based python/ssl

Status in python-httplib2 package in Ubuntu:
  Fix Released
Status in python-httplib2 source package in Bionic:
  Confirmed
Status in python-httplib2 package in Debian:
  Fix Released

Bug description:
  [Impact]

   * If and when openssl and python are upgraded with TLS 1.3 support,
  httplib2 as shipped in bionic will fail to establish TLS connections,
  due to failure to send hostname for SNI verification.

  [Test Case]

   * Sample script that currently passes in bionic, but fails if one
  force upgrades to a newer python2.7 built with openssl 1.1.1

   * Install the new openssl & python on bionic with:

  echo 'deb [trusted=yes] http://ppa.launchpad.net/ci-train-ppa-service/3540/ubuntu bionic main ' > /etc/apt/sources.list.d/xnox.list
  apt update
  apt install -y python2.7
  apt download python-httplib2
  dpkg --force-breaks --install ./python-httplib2_0.9.2+dfsg-1ubuntu0.1_all.deb
   * Launch python interpreter and try to open a https url
    $ python
  import httplib2
  h = httplib2.Http(ca_certs='/etc/ssl/certs/ca-certificates.crt')
  h.request("https://www.google.com")
  Traceback (most recent call last):
    File "<stdin>", line 1, in <module>
    File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1608, in request
      (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
    File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1350, in _request
      (response, content) = self._conn_request(conn, request_uri, method, body, headers)
    File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1271, in _conn_request
      conn.connect()
    File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1058, in connect
      raise SSLHandshakeError(e)
  httplib2.SSLHandshakeError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)

   * Instead of assertion being raised, the url should be retrieved
  successfully with page contents returned.

  [Regression Potential]

   * Upstream patch is used, which is well-tested and used in
  cosmic/disco and uses python standard library ssl facilities which
  have been provided since 2.7.9 (xenial+). In terms of connectivity
  correct SNI usage will not result in connectivity failures.

  [Other Info]

   * Upstream fix https://github.com/httplib2/httplib2/pull/13/files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1805807/+subscriptions
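
Added example (not part of the bug report or of the upstream httplib2 patch): a Python 3 check that builds a ClientHello in memory with the standard library's ssl.MemoryBIO and parses it for the server_name (SNI) extension, comparing a handshake started with and without server_hostname. The function names and the host name www.example.test are made up for illustration, and no network connection is made.

```python
import ssl
import struct


def client_hello(server_hostname):
    """Return the raw ClientHello the stdlib ssl module would send (no network I/O)."""
    ctx = ssl.create_default_context()
    if server_hostname is None:
        ctx.check_hostname = False  # mimic a caller that never passes a host name
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is written, no server will ever answer
    return outgoing.read()


def sni_from_client_hello(data):
    """Return the SNI host name in a ClientHello, or None if the extension is absent."""
    body, pos = b"", 0
    while pos + 5 <= len(data):  # reassemble handshake records (content type 22)
        rtype, _version, rlen = struct.unpack("!BHH", data[pos:pos + 5])
        if rtype != 22:
            break
        body += data[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    if len(body) < 4 or body[0] != 1:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                    # header, client_version, random
    p += 1 + body[p]                                  # session_id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]    # cipher_suites
    p += 1 + body[p]                                  # compression_methods
    end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        if etype == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", body[p + 7:p + 9])[0]
            return body[p + 9:p + 9 + name_len].decode("ascii")
        p += 4 + elen
    return None


if __name__ == "__main__":
    # Constructed host name; .test is reserved and never resolved here.
    print("with server_hostname:   ", sni_from_client_hello(client_hello("www.example.test")))
    print("without server_hostname:", sni_from_client_hello(client_hello(None)))
```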


