[Bug 1879310] [NEW] python package does not depend on ca-certificates
Christian Heimes
1879310 at bugs.launchpad.net
Mon May 18 11:20:11 UTC 2020
Public bug reported:
(Affects all Python versions)
Python has no dependency on ca-certificates. Installing Python on a
minimal Debian or Ubuntu container image does not pull in
ca-certificates. This results in certificate validation issues as no trust
anchors are available. Python's ssl module and
ssl.create_default_context() depend on default root CA packages being
available.
Since Python 2.7.9 and 3.4.0 the ssl module encourages developers to use
ssl.create_default_context() to create a working and securely configured
SSL context object. The implementation assumes that the platform has a
correctly configured OpenSSL libssl that can load the default trust
anchors (root CA certificates) with SSL_CTX_set_default_verify_paths().
Reproducer:
# docker run -ti ubuntu:bionic /bin/bash
# apt-get update
# apt-get install -y python3
# ls -la /etc/ssl/certs/ca-certificates.crt
ls: cannot access '/etc/ssl/certs/ca-certificates.crt': No such file or directory
# dpkg -l ca-certificates
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-===============-============-============-=================================
un ca-certificates <none> <none> (no description available)
# python3 -c 'from urllib.request import urlopen; urlopen("https://www.python.org")'
Traceback (most recent call last):
...
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)>
# echo $?
1
# apt-get install -y ca-certificates
# python3 -c 'from urllib.request import urlopen; urlopen("https://www.python.org")'
root@seneca:/# echo $?
0
Proposed solution:
Either all Python interpreter packages or libssl should pull in ca-certificates.
I have reported the bug on Debian's bug tracker as well,
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960869
** Affects: python3.6 (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1879310
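
Added example, not part of the bug report: a check that an image build can run to confirm that the locations ssl.create_default_context() loads trust anchors from actually hold certificates, so the problem surfaces before the first HTTPS request. The function names are hypothetical; the check assumes OpenSSL's convention of finding capath entries by hashed file name.

```python
import os
import re
import ssl
import sys

PEM_MARKER = b"-----BEGIN CERTIFICATE-----"
# OpenSSL finds certificates in a capath directory by subject-hash file name, e.g. "4a6481c9.0".
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def _is_pem_cert(path):
    """True if path is a readable file containing at least one PEM certificate."""
    try:
        with open(path, "rb") as fh:
            return PEM_MARKER in fh.read()
    except OSError:  # missing file, dangling symlink, directory, permission error
        return False


def has_trust_anchors(cafile, capath):
    """Check an OpenSSL-style cafile/capath pair for at least one usable root certificate."""
    if cafile and _is_pem_cert(cafile):
        return True
    if capath and os.path.isdir(capath):
        return any(
            HASHED_NAME.match(name) and _is_pem_cert(os.path.join(capath, name))
            for name in os.listdir(capath)
        )
    return False


def default_trust_report():
    """Describe the locations ssl.create_default_context() loads trust anchors from."""
    paths = ssl.get_default_verify_paths()
    # cafile/capath are None when the resolved location does not exist on this system.
    return {
        "cafile": paths.cafile,
        "capath": paths.capath,
        "usable": has_trust_anchors(paths.cafile, paths.capath),
    }


if __name__ == "__main__":
    report = default_trust_report()
    print(report)
    # A non-zero exit lets an image build fail early instead of at the first HTTPS request.
    sys.exit(0 if report["usable"] else 1)
```

The capath directory is inspected on disk because OpenSSL loads its entries lazily during verification, so a freshly created context can report zero loaded CA certificates even when the directory is populated.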