[Bug 1815439] Re: python-boto needs to support SNI for OpenSSL 1.1.1
Dimitri John Ledkov
launchpad at surgut.co.uk
Tue Feb 12 10:55:48 UTC 2019
Doing same test on bionic, but first unpacking libssl1.1 from the silo
ppa, withough upgrading python-boto
$ sudo dpkg-deb -x ./libssl1.1_1.1.1-1ubuntu2.1~18.04.0_amd64.deb /
And getting the error:
$ dpkg-query -W python-boto
python-boto 2.44.0-1ubuntu2
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed
(_ssl.c:726)
With:
$ dpkg-query -W libssl1.1 python-boto
libssl1.1:amd64 1.1.1-1ubuntu2.1~18.04.0
python-boto 2.44.0-1ubuntu2.18.04.0
Things are fine, and i get the results back quickly.
** Tags removed: verification-needed verification-needed-bionic
** Tags added: verification-done verification-done-bionic
** Description changed:
[Impact]
* OpenSSL 1.1.1 performs SNI hostname verification, therefore hostname
SSL context option must be set when establishing the connection,
otherwise, validation of SNI certificates fail and thus resulting in
lack of connectivity.
[Test Case]
- * use python-boto to connect to an SNI tls protected host
+ * use python-boto to connect to an SNI tls protected host, e.g. GCE
+ google storage using legacy .boto
[Regression Potential]
* change is compatible with pythons/openssl versions shipped in bionic/cosmic-release
* change is from upstream / tested in debian & disco
* change improves security, and is compatible with deployed servers out there
* hosts with certificates not matching their actual hostname will remain invalid/untrusted
[Additional info]
To install python & openssl 1.1.1 on Bionic you may enable and use the below silo, which will then exhibit the enforcement of SNI hostname verification.
sudo add-apt-repository ppa:ci-train-ppa-service/3473
sudo apt-get update
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to python-boto in Ubuntu.
https://bugs.launchpad.net/bugs/1815439
Title:
python-boto needs to support SNI for OpenSSL 1.1.1
Status in python-boto package in Ubuntu:
Fix Released
Status in python-boto source package in Bionic:
Fix Committed
Status in python-boto source package in Cosmic:
Fix Committed
Status in python-boto package in Debian:
Fix Released
Bug description:
[Impact]
* OpenSSL 1.1.1 performs SNI hostname verification, therefore
hostname SSL context option must be set when establishing the
connection, otherwise, validation of SNI certificates fail and thus
resulting in lack of connectivity.
[Test Case]
* use python-boto to connect to an SNI tls protected host, e.g. GCE
google storage using legacy .boto
[Regression Potential]
* change is compatible with pythons/openssl versions shipped in bionic/cosmic-release
* change is from upstream / tested in debian & disco
* change improves security, and is compatible with deployed servers out there
* hosts with certificates not matching their actual hostname will remain invalid/untrusted
[Additional info]
To install python & openssl 1.1.1 on Bionic you may enable and use the below silo, which will then exhibit the enforcement of SNI hostname verification.
sudo add-apt-repository ppa:ci-train-ppa-service/3473
sudo apt-get update
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-boto/+bug/1815439/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list