[Bug 1815439] Re: python-boto needs to support SNI for OpenSSL 1.1.1

Dimitri John Ledkov launchpad at surgut.co.uk
Tue Feb 12 10:23:36 UTC 2019


Simple:

import boto
import gcs_oauth2_boto_plugin
boto.storage_uri('', 'gs').get_all_buckets()

Fails with:

/usr/lib/python2.7/dist-packages/boto/connection.pyc in _mexe(self, request, sender, override_num_retries, retry_handler)
   1028             raise BotoServerError(response.status, response.reason, body)
   1029         elif ex:
-> 1030             raise ex
   1031         else:
   1032             msg = 'Please report this exception as a Boto Issue!'

SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:727

and takes a long time to time out / possibly it retries many times.

$ dpkg-query -W python-boto
python-boto	2.44.0-1ubuntu2

upgrading

$ dpkg-query -W python-boto
python-boto	2.44.0-1ubuntu2.18.10.0

the call now succeeds very quickly.

In [6]: boto.storage_uri('ubuntu-foundations', 'gs').get_all_buckets(headers=header_values)
Out[6]: 
[<Bucket: >,
 <Bucket: >,
 <Bucket: >,
 <Bucket: >]


** Tags removed: verification-needed-cosmic
** Tags added: verification-done-cosmic

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-boto in Ubuntu.
https://bugs.launchpad.net/bugs/1815439

Title:
  python-boto needs to support SNI for OpenSSL 1.1.1

Status in python-boto package in Ubuntu:
  Fix Released
Status in python-boto source package in Bionic:
  Fix Committed
Status in python-boto source package in Cosmic:
  Fix Committed
Status in python-boto package in Debian:
  Fix Released

Bug description:
  [Impact]

   * OpenSSL 1.1.1 performs SNI hostname verification, therefore the
  hostname SSL context option must be set when establishing the
  connection; otherwise, validation of SNI certificates fails, thus
  resulting in a lack of connectivity.

  [Test Case]

   * use python-boto to connect to an SNI tls protected host

  [Regression Potential]

   * change is compatible with pythons/openssl versions shipped in bionic/cosmic-release
   * change is from upstream / tested in debian & disco
   * change improves security, and is compatible with deployed servers out there
   * hosts with certificates not matching their actual hostname will remain invalid/untrusted

  [Additional info]
  To install python & openssl 1.1.1 on Bionic you may enable and use the below silo, which will then exhibit the enforcement of SNI hostname verification.

  sudo add-apt-repository ppa:ci-train-ppa-service/3473
  sudo apt-get update

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-boto/+bug/1815439/+subscriptions
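
Added example (not part of the original message and not python-boto's code): a way to check offline whether a client sends SNI, the condition the [Impact] section above depends on. It uses the Python 3 standard-library ssl module to produce a ClientHello with and without server_hostname and parses out the server_name extension; the hostname and function names are constructed for illustration.

```python
import ssl


def client_hello(server_hostname=None):
    """Return the raw ClientHello bytes a Python 3 ssl client would send."""
    ctx = ssl.create_default_context()
    if server_hostname is None:
        # wrap_bio refuses check_hostname=True when no server_hostname is given.
        ctx.check_hostname = False
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()  # no peer: writes the ClientHello, then wants data
    except ssl.SSLWantReadError:
        pass
    return outgoing.read()


def sni_from_client_hello(data):
    """Return the server_name (SNI) in a ClientHello, or None if absent."""
    hs, pos = b"", 0
    while pos + 5 <= len(data):  # reassemble handshake records (type 0x16)
        rlen = int.from_bytes(data[pos + 3:pos + 5], "big")
        if data[pos] == 0x16:
            hs += data[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    if not hs or hs[0] != 1:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                 # header, version, random
    p += 1 + hs[p]                                 # session id
    p += 2 + int.from_bytes(hs[p:p + 2], "big")    # cipher suites
    p += 1 + hs[p]                                 # compression methods
    end = p + 2 + int.from_bytes(hs[p:p + 2], "big")
    p += 2
    while p + 4 <= end:                            # walk the extensions
        etype = int.from_bytes(hs[p:p + 2], "big")
        elen = int.from_bytes(hs[p + 2:p + 4], "big")
        if etype == 0:                             # server_name extension
            nlen = int.from_bytes(hs[p + 7:p + 9], "big")
            return hs[p + 9:p + 9 + nlen].decode("ascii")
        p += 4 + elen
    return None


if __name__ == "__main__":
    host = "storage.example.test"  # constructed hostname
    print("with server_hostname:", sni_from_client_hello(client_hello(host)))
    print("without server_hostname:", sni_from_client_hello(client_hello()))
```

The same parser can be pointed at the first client-to-server bytes of a packet capture to confirm whether a given client build is sending SNI.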