
Bug#1054212: python-urllib3: Drop 02_require-cert-verification.patch (no longer needed)


Stefano Rivera

Oct 19, 2023, 6:40:04 AM
Source: python-urllib3
Version: 1.26.17-1
Severity: normal
X-Debbugs-Cc: jdst...@ubuntu.com, secu...@ubuntu.com

Hi,

In the process of packaging a library, I ran into a test failure caused
by urllib3's 02_require-cert-verification.patch.

It looks like this patch is no longer required, but given the security
implications, I'm not just going to commit to git, but rather ask for
input.

Several relevant changes were made in urllib3 since the authoring of
this patch:
1. urllib3.contrib.pyopenssl now uses the operating system's default CA
certificates on inject.
https://github.com/urllib3/urllib3/pull/332
2. When ca_certs is given, cert_reqs defaults to 'CERT_REQUIRED'.
https://github.com/urllib3/urllib3/pull/650

With unpatched upstream urllib3 1.26.18 (not even 2.x):

>>> import urllib3
>>> http = urllib3.PoolManager()
>>> http.request("GET", "https://expired.badssl.com/")
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1006)
>>> http.request("GET", "https://wrong.host.badssl.com/")
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='wrong.host.badssl.com', port=443): Max retries exceeded with url: / (Caused by SSLError(CertificateError("hostname 'wrong.host.badssl.com' doesn't match either of '*.badssl.com', 'badssl.com'")))
>>> http.request("GET", "https://untrusted-root.badssl.com/")
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='untrusted-root.badssl.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)')))
>>> http.request("GET", "https://self-signed.badssl.com/")
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='self-signed.badssl.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1006)')))
>>> http.request("GET", "https://revoked.badssl.com/")
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='revoked.badssl.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1006)')))

How do you feel about dropping it?

Stefano
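The reasoning above is that unpatched urllib3 already resolves a missing cert_reqs to CERT_REQUIRED. The following is an added offline check of that claim, not code from the bug report or from the urllib3 project; it assumes an installed urllib3 (1.26.x or 2.x) and only constructs pool objects for the placeholder host example.invalid, never opening a connection.

```python
"""Offline check that urllib3 requires certificate verification by default.

Added example (not from the bug report). Assumes urllib3 1.26.x or 2.x is
installed; no network access happens, pools are only constructed.
"""
import ssl

import urllib3
from urllib3.util.ssl_ import create_urllib3_context, resolve_cert_reqs


def effective_verify_mode(cert_reqs=None):
    """Return the ssl.VerifyMode urllib3 will set on its SSLContext.

    cert_reqs mirrors the PoolManager/HTTPSConnectionPool keyword: None
    (the default), a string such as "CERT_NONE", or an ssl.VerifyMode.
    """
    context = create_urllib3_context(cert_reqs=resolve_cert_reqs(cert_reqs))
    return context.verify_mode


def pool_requires_verification(pool):
    """True if an HTTPSConnectionPool will insist on a trusted chain."""
    return resolve_cert_reqs(pool.cert_reqs) == ssl.CERT_REQUIRED


def audit_defaults():
    """Build pools the way application code does and report each one.

    'example.invalid' is a constructed placeholder hostname; only the pool
    objects are created, so nothing is resolved or connected.
    """
    results = {}
    # 1. Plain PoolManager(): the configuration the bug report exercises.
    pool = urllib3.PoolManager().connection_from_host(
        "example.invalid", 443, scheme="https")
    results["pool_manager_default"] = pool_requires_verification(pool)
    # 2. Verification explicitly disabled: the only way to get CERT_NONE.
    pool_off = urllib3.PoolManager(cert_reqs="CERT_NONE").connection_from_host(
        "example.invalid", 443, scheme="https")
    results["explicit_cert_none"] = pool_requires_verification(pool_off)
    # 3. Context-level default, independent of any pool.
    results["context_default"] = effective_verify_mode() == ssl.CERT_REQUIRED
    return results


if __name__ == "__main__":
    for name, verifies in audit_defaults().items():
        print(f"{name}: {'verifies' if verifies else 'DOES NOT verify'}")
```

A packager can drop audit_defaults() into an autopkgtest so a future upstream change to the default is caught without relying on badssl.com being reachable.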