[Bug 1820083] Re: TLS params not set for session

Heather Lemon 1820083 at bugs.launchpad.net
Wed Mar 3 22:43:34 UTC 2021 

** Description changed:

  [Impact]
  
  A connection session is opened, but the TLS parameters (timeout, ca,
  cert and key) are not actually set for the session.  This prevents use
  of TLS for the etcd3gw package.
  
  [Test Plan]
  
- There are two test workflows to follow.
- - testing the patch with self signed certs and etcd server running locally
- - running newly created unit tests for TLS params
- -----
  # Create self signed certs
  
  openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
  *make sure the key has an empty password
  
  #download binaries & launch etcd locally with TLS enabled
  
  wget https://github.com/etcd-
  io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
  
  tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
  
  cd etcd-v3.3.14-linux-amd64/
  sudo cp etcd etcdctl /usr/bin/
  
  # spin up ectd server
  etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
  *note I named my directory infra0
  
  #test connection with health endpoint:
  
  curl --cacert localhost.crt --key localhost.key --cert localhost.crt
  https://127.0.0.1:2379/health
  
  #if successful, the etcd server is configured with https
  {"health": "true"}
  
- View test changes inside of ~/python-
- etcd3gw-0.2.1/etcd3gw/tests/test_client.py
+ Modify ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
  
- Run the newly added unit test, or run the whole test suite with: 
- python3 unittest 
+ def test_client_tls(self):
+ client = Etcd3Client(host="127.0.0.1", protocol="https", ca_cert="/root/etcdserver.crt", cert_key="/root/etcdserver.key",
+         cert_cert="/root/etcdserver.crt", timeout=10)
+         client.create("foo", value="bar")
+         client.get("foo")
+ 
+ # Run the newly added unit test
  
  python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
  
  We get an error in both the unit test and an error from the etcd server
  unit test error we are looking for:
  
  OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate',
  'certificate verify failed')] related etcd error: I | embed: rejected
  connection from "127.0.0.1:44244" (error "remote error: tls: bad
  certificate", ServerName "")
  
  If you are testing with the added unit test, then make sure there is no
  etcd server running already.
  
  Unit test console output:
  
  python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
  /home/heather/.local/lib/python3.8/site-packages/urllib3/connection.py:455: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
    warnings.warn(
  127.0.0.1 - - [25/Feb/2021 16:43:48] "GET /health HTTP/1.1" 200 -
  .
  ----------------------------------------------------------------------
  Ran 1 test in 0.107s
  
  OK
+ ---------
+ The unit test I've made is an echo of the test_client.py code we've just updated. 
+ 
+ # 
+ Testing out the new unit test from the source code changes.
+ 
+ I have added a new unit test that tests the setting of TLS params. 
+ You can run the unit test with: 
+ 
+ python3 -m unittest
+ 
+ again make sure there's no etcd server already running.
+ 
  
  [Where Problems Could Occur]
- 
- -failed tls connections 
- -failed unit tests
  
  This adds TLS parameters (if provided) to the session, so regressions
  would involve failed connections, possibly those without TLS that had
  TLS params incorrectly provided before.
- 
- Unit test failures. Created a new unit test for testing the TLS session
- parameters. This also creates a mock etcd server to connect and test
- certification information of self signed certs.
  
  [Other]
  
  the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
  fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
  via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
  
  that commit is contained in version 0.2.2, which is not yet pulled into
  Debian, so this patch is needed in Debian, as well as Bionic and Focal.
  This package was not included in Xenial.

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1820083

Title:
  TLS params not set for session

Status in python-etcd3gw package in Ubuntu:
  Fix Released
Status in python-etcd3gw source package in Bionic:
  In Progress
Status in python-etcd3gw source package in Cosmic:
  Won't Fix
Status in python-etcd3gw source package in Disco:
  Won't Fix
Status in python-etcd3gw source package in Eoan:
  Won't Fix
Status in python-etcd3gw source package in Focal:
  In Progress
Status in python-etcd3gw source package in Groovy:
  In Progress
Status in python-etcd3gw source package in Hirsute:
  Fix Released

Bug description:
  [Impact]

  A connection session is opened, but the TLS parameters (timeout, ca,
  cert and key) are not actually set for the session.  This prevents use
  of TLS for the etcd3gw package.

  [Test Plan]

  # Create self signed certs

  openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
  *make sure the key has an empty password

  #download binaries & launch etcd locally with TLS enabled

  wget https://github.com/etcd-
  io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz

  tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz

  cd etcd-v3.3.14-linux-amd64/
  sudo cp etcd etcdctl /usr/bin/

  # spin up ectd server
  etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
  *note I named my directory infra0

  #test connection with health endpoint:

  curl --cacert localhost.crt --key localhost.key --cert localhost.crt
  https://127.0.0.1:2379/health

  #if successful, the etcd server is configured with https
  {"health": "true"}

  Modify ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py

  def test_client_tls(self):
  client = Etcd3Client(host="127.0.0.1", protocol="https", ca_cert="/root/etcdserver.crt", cert_key="/root/etcdserver.key",
          cert_cert="/root/etcdserver.crt", timeout=10)
          client.create("foo", value="bar")
          client.get("foo")

  # Run the newly added unit test

  python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls

  We get an error in both the unit test and an error from the etcd
  server unit test error we are looking for:

  OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate',
  'certificate verify failed')] related etcd error: I | embed: rejected
  connection from "127.0.0.1:44244" (error "remote error: tls: bad
  certificate", ServerName "")

  If you are testing with the added unit test, then make sure there is
  no etcd server running already.

  Unit test console output:

  python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
  /home/heather/.local/lib/python3.8/site-packages/urllib3/connection.py:455: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
    warnings.warn(
  127.0.0.1 - - [25/Feb/2021 16:43:48] "GET /health HTTP/1.1" 200 -
  .
  ----------------------------------------------------------------------
  Ran 1 test in 0.107s

  OK
  ---------
  The unit test I've made is an echo of the test_client.py code we've just updated. 

  # 
  Testing out the new unit test from the source code changes.

  I have added a new unit test that tests the setting of TLS params. 
  You can run the unit test with: 

  python3 -m unittest

  again make sure there's no etcd server already running.

  
  [Where Problems Could Occur]

  This adds TLS parameters (if provided) to the session, so regressions
  would involve failed connections, possibly those without TLS that had
  TLS params incorrectly provided before.

  [Other]

  the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
  fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
  via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0

  that commit is contained in version 0.2.2, which is not yet pulled
  into Debian, so this patch is needed in Debian, as well as Bionic and
  Focal.  This package was not included in Xenial.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+subscriptions

More information about the Ubuntu-sponsors mailing list