Issue #1228
closed
pic cannot work with self-signed certs on f22+
Description
In 2.7.9+ the default SSL verification behavior switched to start validating SSL certs which stops self-signed certs from being trusted. This was done through PIP 476. I was told in #python on Fedora that the default switch occurred in Python 2.7.9+. Fedora 22 is the first OS affected by this bug since it carries 2.7.10. Fedora 21 carries 2.7.8.
When I try to use pic from a Fedora 22 machine to access a Pulp installation with self-signed certificates I cannot use pic. When I make a request I receive the following traceback:
Traceback (most recent call last):
  File "<stdin>", line 5, in <module>
  File "/home/bmbouter/Documents/pulp/common/pulp/common/pic.py", line 113, in POST
    return _request('POST', path, body)
  File "/home/bmbouter/Documents/pulp/common/pulp/common/pic.py", line 80, in _request
    headers=_auth_header())
  File "/usr/lib64/python2.7/httplib.py", line 1053, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1093, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1049, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 893, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 855, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1274, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 352, in wrap_socket
    _context=self)
  File "/usr/lib64/python2.7/ssl.py", line 579, in __init__
    self.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 808, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
I'll suggest the way to fix this is to introduce an option to connect() called verify_ssl which will default to True. I expect to receive no tracebacks when I call connect() like:
pic.connect(verify_ssl=False)
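The verify_ssl switch proposed above, sketched as an added example (this is not the code merged for this issue, nor any other Pulp code). `build_context`, `open_connection` and the `ca_file` parameter are hypothetical names; `ca_file` shows the alternative of trusting the self-signed certificate explicitly so that verification can stay on.

```python
# Added example, not Pulp's code: build_context, open_connection and
# ca_file are hypothetical names chosen for this sketch.
import ssl

try:
    from http.client import HTTPSConnection   # Python 3
except ImportError:
    from httplib import HTTPSConnection        # Python 2.7.9+


def build_context(verify_ssl=True, ca_file=None):
    """Return an SSLContext matching the requested verification policy."""
    # create_default_context() gives the verifying default described in the
    # issue: CERT_REQUIRED plus hostname checking against the system store.
    ctx = ssl.create_default_context()
    if not verify_ssl:
        # check_hostname must be cleared first; setting CERT_NONE while it
        # is still True raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif ca_file is not None:
        # Trust the self-signed certificate (or its private CA) explicitly,
        # so the handshake is still verified for that one server.
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def open_connection(host, port=443, verify_ssl=True, ca_file=None):
    """Create an HTTPSConnection; nothing is sent until request() is called."""
    return HTTPSConnection(host, port,
                           context=build_context(verify_ssl, ca_file))
```

With `verify_ssl=False` the handshake succeeds against any certificate, so the connection is encrypted but the server is not authenticated; passing the server's certificate as `ca_file` removes the traceback without giving that up.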
Updated by bmbouter over 8 years ago
- Status changed from NEW to ASSIGNED
- Assignee set to bmbouter
Added by bmbouter over 8 years ago
Revision ddc4579f
Adds verify_ssl as an option to pic.common.connect()
Updated by bmbouter over 8 years ago
- Status changed from ASSIGNED to POST
- Tags Easy Fix added
PR available at: https://github.com/pulp/pulp/pull/2022
Updated by bmbouter over 8 years ago
- Status changed from POST to MODIFIED
- % Done changed from 0 to 100
Applied in changeset pulp|ddc4579f3b098985ebf76787d57f1764f0abde8a.
Updated by rbarlow over 8 years ago
IMO, we should close this bug by deleting PIC. The tool doesn't work
very well in other ways, and there are a few existing tools that do what
it's supposed to do much better. For example:
Updated by bmbouter over 8 years ago
It's already merged, but I'm ok with deleting pic. I'd like to hear input from some others on this idea. Maybe we could write a docs statement saying that you can use httpie to interact with the API since Pulp would no longer be offering pic? This way users who don't do much with APIs will have an idea of what to do.
Updated by mhrivnak over 8 years ago
- Platform Release changed from master to 2.8.0
Updated by dkliban@redhat.com about 8 years ago
- Status changed from MODIFIED to 5
Updated by dkliban@redhat.com almost 8 years ago
- Status changed from 5 to CLOSED - CURRENTRELEASE
Adds verify_ssl as an option to pic.common.connect()
closes #1228 https://pulp.plan.io/issues/1228