[Bug 1805807] [NEW] python-httplib2 is not compatible with TLS 1.3 based python/ssl

Dimitri John Ledkov launchpad at surgut.co.uk
Thu Nov 29 10:15:55 UTC 2018 

Public bug reported:

[Impact]

 * If and when openssl and python are upgraded with TLS 1.3 support,
httplib2 as shipped in bionic will fail to establish TLS connections,
due to failure to send hostname for SNI verification.

[Test Case]

 * Sample script that currently passes in bionic, but fails if one force
upgrades to a newer python2.7 built with openssl 1.1.1

 * Install the new openssl & python on bionic with:

echo 'deb [trusted=yes] http://ppa.launchpad.net/ci-train-ppa-service/3540/ubuntu bionic main ' > /etc/apt/sources.list.d/xnox.list
apt update
apt install -y python2.7
apt download python-httplib2
dpkg-deb -x ./python-httplib2_0.9.2+dfsg-1_all.deb /


 * Launch python interpreter and try to open a https url
  $ python
import httplib2
h = httplib2.Http(ca_certs='/etc/ssl/certs/ca-certificates.crt')
h.request("https://www.google.com")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1608, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1350, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1271, in _conn_request
    conn.connect()
  File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1058, in connect
    raise SSLHandshakeError(e)
httplib2.SSLHandshakeError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)


 * Instead of assertion being raised, the url should be retrieved successfully with page contents returned.

[Regression Potential]

 * Upstream patch is used, which is well-tested and used in cosmic/disco
and uses python standard library ssl facilities which have been provided
since 2.7.9 (xenial+). In terms of connectivity correct SNI usage will
not result in connectivity failures.

[Other Info]
 
 * Upstream fix https://github.com/httplib2/httplib2/pull/13/files

** Affects: python-httplib2 (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: python-httplib2 (Ubuntu Bionic)
     Importance: Undecided
         Status: Confirmed

** Affects: python-httplib2 (Debian)
     Importance: Unknown
         Status: Unknown

** Also affects: python-httplib2 (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: python-httplib2 (Ubuntu)
       Status: New => Fix Released

** Changed in: python-httplib2 (Ubuntu Bionic)
       Status: New => Confirmed

** Bug watch added: Debian Bug tracker #907278
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907278

** Also affects: python-httplib2 (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907278
   Importance: Unknown
       Status: Unknown

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to python-httplib2 in Ubuntu.
https://bugs.launchpad.net/bugs/1805807

Title:
  python-httplib2 is not compatible with TLS 1.3 based python/ssl

Status in python-httplib2 package in Ubuntu:
  Fix Released
Status in python-httplib2 source package in Bionic:
  Confirmed
Status in python-httplib2 package in Debian:
  Unknown

Bug description:
  [Impact]

   * If and when openssl and python are upgraded with TLS 1.3 support,
  httplib2 as shipped in bionic will fail to establish TLS connections,
  due to failure to send hostname for SNI verification.

  [Test Case]

   * Sample script that currently passes in bionic, but fails if one
  force upgrades to a newer python2.7 built with openssl 1.1.1

   * Install the new openssl & python on bionic with:

  echo 'deb [trusted=yes] http://ppa.launchpad.net/ci-train-ppa-service/3540/ubuntu bionic main ' > /etc/apt/sources.list.d/xnox.list
  apt update
  apt install -y python2.7
  apt download python-httplib2
  dpkg-deb -x ./python-httplib2_0.9.2+dfsg-1_all.deb /

  
   * Launch python interpreter and try to open a https url
    $ python
  import httplib2
  h = httplib2.Http(ca_certs='/etc/ssl/certs/ca-certificates.crt')
  h.request("https://www.google.com")
  Traceback (most recent call last):
    File "<stdin>", line 1, in <module>
    File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1608, in request
      (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
    File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1350, in _request
      (response, content) = self._conn_request(conn, request_uri, method, body, headers)
    File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1271, in _conn_request
      conn.connect()
    File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1058, in connect
      raise SSLHandshakeError(e)
  httplib2.SSLHandshakeError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)

  
   * Instead of assertion being raised, the url should be retrieved successfully with page contents returned.

  [Regression Potential]

   * Upstream patch is used, which is well-tested and used in
  cosmic/disco and uses python standard library ssl facilities which
  have been provided since 2.7.9 (xenial+). In terms of connectivity
  correct SNI usage will not result in connectivity failures.

  [Other Info]
   
   * Upstream fix https://github.com/httplib2/httplib2/pull/13/files

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1805807/+subscriptions

More information about the foundations-bugs mailing list