[Bug 1815439] [NEW] python-boto needs to support SNI for OpenSSL 1.1.1

Dimitri John Ledkov launchpad at surgut.co.uk
Mon Feb 11 10:50:43 UTC 2019


Public bug reported:

[Impact]

 * OpenSSL 1.1.1 performs SNI hostname verification; therefore the
hostname SSL context option must be set when establishing the
connection. Otherwise, validation of SNI certificates fails, resulting
in a lack of connectivity.

[Test Case]

 * Use python-boto to connect to an SNI TLS-protected host

[Regression Potential]

 * change is compatible with pythons/openssl versions shipped in bionic/cosmic-release
 * change is from upstream / tested in debian & disco
 * change improves security, and is compatible with deployed servers out there
 * hosts with certificates not matching their actual hostname will remain invalid/untrusted

** Affects: python-boto (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: python-boto (Ubuntu Bionic)
     Importance: Undecided
         Status: In Progress

** Affects: python-boto (Ubuntu Cosmic)
     Importance: Undecided
         Status: In Progress

** Affects: python-boto (Debian)
     Importance: Unknown
         Status: Unknown

** Also affects: python-boto (Ubuntu Cosmic)
   Importance: Undecided
       Status: New

** Also affects: python-boto (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: python-boto (Ubuntu)
       Status: New => Fix Released

** Changed in: python-boto (Ubuntu Bionic)
       Status: New => In Progress

** Changed in: python-boto (Ubuntu Cosmic)
       Status: New => In Progress

** Bug watch added: Debian Bug tracker #909545
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909545

** Also affects: python-boto (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909545
   Importance: Unknown
       Status: Unknown

https://bugs.launchpad.net/bugs/1815439

Title:
  python-boto needs to support SNI for OpenSSL 1.1.1

Status in python-boto package in Ubuntu:
  Fix Released
Status in python-boto source package in Bionic:
  In Progress
Status in python-boto source package in Cosmic:
  In Progress
Status in python-boto package in Debian:
  Unknown
