Project

Profile

Help

Issue #1228

closed

pic cannot work with self-signed certs on f22+

Added by bmbouter over 8 years ago. Updated almost 5 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
2.8.0
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Easy Fix, Pulp 2
Sprint:
Quarter:

Description

In 2.7.9+ the default SSL verification behavior switched to start validating SSL certs which stops self-signed certs from being trusted. This was done through PIP 476. I was told in #python on Fedora that the default switch occurred in Python 2.7.9+. Fedora 22 is the first OS affected by this bug since it carries 2.7.10. Fedora 21 carries 2.7.8.

When I try to use pic from a Fedora 22 machine to access a Pulp installation with self-signed certificates I cannot use pic. When I make a request I receive the following traceback:

Traceback (most recent call last):
  File "<stdin>", line 5, in <module>
  File "/home/bmbouter/Documents/pulp/common/pulp/common/pic.py", line 113, in POST
    return _request('POST', path, body)
  File "/home/bmbouter/Documents/pulp/common/pulp/common/pic.py", line 80, in _request
    headers=_auth_header())
  File "/usr/lib64/python2.7/httplib.py", line 1053, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1093, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1049, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 893, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 855, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1274, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 352, in wrap_socket
    _context=self)
  File "/usr/lib64/python2.7/ssl.py", line 579, in __init__
    self.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 808, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

I'll suggest the way to fix this is to introduce an option to connect() called verify_ssl which will default to True. I expect to receive no tracebacks when I call connect() like:

pic.connect(verify_ssl=False)
Actions #1

Updated by bmbouter over 8 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to bmbouter

Added by bmbouter over 8 years ago

Revision ddc4579f | View on GitHub

Adds verify_ssl as an option to pic.common.connect()

closes #1228 https://pulp.plan.io/issues/1228

Added by bmbouter over 8 years ago

Revision ddc4579f | View on GitHub

Adds verify_ssl as an option to pic.common.connect()

closes #1228 https://pulp.plan.io/issues/1228

Actions #2

Updated by bmbouter over 8 years ago

  • Status changed from ASSIGNED to POST
  • Tags Easy Fix added
Actions #3

Updated by bmbouter over 8 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100
Actions #4

Updated by rbarlow over 8 years ago

IMO, we should close this bug by deleting PIC. The tool doesn't work
very well in other ways, and there are a few existing tools that do what
it's supposed to do much better. For example:

https://github.com/jkbrzt/httpie

Actions #5

Updated by bmbouter over 8 years ago

It's already merged, but I'm ok with deleting pic. I'd like to hear input from some others on this idea. Maybe we could write a docs statement saying that you can use httpie to interact with the API since Pulp would no longer be offering pic? This was users who don't do much with APIs will have an idea of what to do.

Actions #6

Updated by mhrivnak over 8 years ago

  • Triaged changed from No to Yes
Actions #7

Updated by bmbouter over 8 years ago

  • Platform Release set to master
Actions #8

Updated by mhrivnak over 8 years ago

  • Platform Release changed from master to 2.8.0
Actions #9

Updated by dkliban@redhat.com about 8 years ago

  • Status changed from MODIFIED to 5
Actions #10

Updated by dkliban@redhat.com almost 8 years ago

  • Status changed from 5 to CLOSED - CURRENTRELEASE
Actions #11

Updated by bmbouter almost 5 years ago

  • Tags Pulp 2 added

Also available in: Atom PDF