[Bug 1815439] Re: python-boto needs to support SNI for OpenSSL 1.1.1

[Dimitri John Ledkov]

** Description changed:

  [Impact]
  
-  * OpenSSL 1.1.1 performs SNI hostname verification, therefore hostname
+  * OpenSSL 1.1.1 performs SNI hostname verification, therefore hostname
  SSL context option must be set when establishing the connection,
  otherwise, validation of SNI certificates fail and thus resulting in
  lack of connectivity.
  
  [Test Case]
  
-  * use python-boto to connect to an SNI tls protected host
+  * use python-boto to connect to an SNI tls protected host
  
  [Regression Potential]
  
-  * change is compatible with pythons/openssl versions shipped in bionic/cosmic-release
-  * change is from upstream / tested in debian & disco
-  * change improves security, and is compatible with deployed servers out there
-  * hosts with certificates not matching their actual hostname will remain invalid/untrusted
+  * change is compatible with pythons/openssl versions shipped in bionic/cosmic-release
+  * change is from upstream / tested in debian & disco
+  * change improves security, and is compatible with deployed servers out there
+  * hosts with certificates not matching their actual hostname will remain invalid/untrusted
+ 
+ [Additional info]
+ To install python & openssl 1.1.1 on Bionic you may enable and use the below silo, which will then exhibit the enforcement of SNI hostname verification.
+ 
+ sudo add-apt-repository ppa:ci-train-ppa-service/3473
+ sudo apt-get update

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-boto in Ubuntu.
https://bugs.launchpad.net/bugs/1815439

Title:
  python-boto needs to support SNI for OpenSSL 1.1.1

Status in python-boto package in Ubuntu:
  Fix Released
Status in python-boto source package in Bionic:
  In Progress
Status in python-boto source package in Cosmic:
  In Progress
Status in python-boto package in Debian:
  Fix Released

Bug description:
  [Impact]

   * OpenSSL 1.1.1 performs SNI hostname verification, therefore
  hostname SSL context option must be set when establishing the
  connection, otherwise, validation of SNI certificates fail and thus
  resulting in lack of connectivity.

  [Test Case]

   * use python-boto to connect to an SNI tls protected host

  [Regression Potential]

   * change is compatible with pythons/openssl versions shipped in bionic/cosmic-release
   * change is from upstream / tested in debian & disco
   * change improves security, and is compatible with deployed servers out there
   * hosts with certificates not matching their actual hostname will remain invalid/untrusted

  [Additional info]
  To install python & openssl 1.1.1 on Bionic you may enable and use the below silo, which will then exhibit the enforcement of SNI hostname verification.

  sudo add-apt-repository ppa:ci-train-ppa-service/3473
  sudo apt-get update

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-boto/+bug/1815439/+subscriptions