Issue #1228
closed
pic cannot work with self-signed certs on f22+
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
2.8.0
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Easy Fix, Pulp 2
Sprint:
Quarter:
Description
In 2.7.9+ the default SSL verification behavior switched to start validating SSL certs, which stops self-signed certs from being trusted. This was done through PEP 476. I was told in #python on Fedora that the default switch occurred in Python 2.7.9+. Fedora 22 is the first OS affected by this bug since it carries 2.7.10. Fedora 21 carries 2.7.8.
When I try to use pic from a Fedora 22 machine to access a Pulp installation with self-signed certificates I cannot use pic. When I make a request I receive the following traceback:
Traceback (most recent call last):
  File "<stdin>", line 5, in <module>
  File "/home/bmbouter/Documents/pulp/common/pulp/common/pic.py", line 113, in POST
    return _request('POST', path, body)
  File "/home/bmbouter/Documents/pulp/common/pulp/common/pic.py", line 80, in _request
    headers=_auth_header())
  File "/usr/lib64/python2.7/httplib.py", line 1053, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1093, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1049, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 893, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 855, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1274, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 352, in wrap_socket
    _context=self)
  File "/usr/lib64/python2.7/ssl.py", line 579, in __init__
    self.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 808, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
I'll suggest the way to fix this is to introduce an option to connect() called verify_ssl which will default to True. I expect to receive no tracebacks when I call connect() like:
pic.connect(verify_ssl=False)
Adds verify_ssl as an option to pic.common.connect()
closes #1228 https://pulp.plan.io/issues/1228
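The verify_ssl option proposed in the issue, sketched as an added example that is not Pulp's pic.py code: verification stays on by default, and a self-signed server can be trusted by pointing at its certificate instead of switching verification off. The helper names, the `ca_path` parameter and the use of Python 3's `http.client` (the page's Python 2.7 module is `httplib`) are assumptions.

```python
import http.client
import ssl
import warnings


def build_ssl_context(verify_ssl=True, ca_path=None):
    """Return an SSLContext for the requested verification policy.

    verify_ssl is the option named in the issue. ca_path is a hypothetical
    extra parameter: a PEM file holding the server's self-signed certificate
    (or the private CA that issued it), so it can be trusted explicitly.
    """
    # create_default_context() gives the PEP 476 behaviour: CERT_REQUIRED
    # plus hostname checking, against system CAs or the given cafile.
    context = ssl.create_default_context(cafile=ca_path)
    if not verify_ssl:
        # check_hostname must be cleared first; the ssl module refuses to
        # set CERT_NONE while hostname checking is still enabled.
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
        warnings.warn("TLS certificate verification is disabled; "
                      "the server's identity is not checked")
    return context


def connect(host, port=443, verify_ssl=True, ca_path=None):
    """Return an HTTPSConnection; the handshake happens on the first request."""
    context = build_ssl_context(verify_ssl=verify_ssl, ca_path=ca_path)
    return http.client.HTTPSConnection(host, port, context=context)
```

Passing `ca_path` keeps the handshake authenticated against the self-signed certificate, whereas `verify_ssl=False` accepts any certificate presented on the connection.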