Issue #1228

closed

pic cannot work with self-signed certs on f22+

Added by bmbouter over 8 years ago. Updated almost 5 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: Normal
Assignee:
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 2. Medium
Version:
Platform Release: 2.8.0
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Easy Fix, Pulp 2
Sprint:
Quarter:

Description

In 2.7.9+ the default SSL verification behavior switched to start validating SSL certs, which stops self-signed certs from being trusted. This was done through PEP 476. I was told in #python on Fedora that the default switch occurred in Python 2.7.9+. Fedora 22 is the first OS affected by this bug since it carries 2.7.10. Fedora 21 carries 2.7.8.

When I try to use pic from a Fedora 22 machine to access a Pulp installation with self-signed certificates I cannot use pic. When I make a request I receive the following traceback:

Traceback (most recent call last):
  File "<stdin>", line 5, in <module>
  File "/home/bmbouter/Documents/pulp/common/pulp/common/pic.py", line 113, in POST
    return _request('POST', path, body)
  File "/home/bmbouter/Documents/pulp/common/pulp/common/pic.py", line 80, in _request
    headers=_auth_header())
  File "/usr/lib64/python2.7/httplib.py", line 1053, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.7/httplib.py", line 1093, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python2.7/httplib.py", line 1049, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python2.7/httplib.py", line 893, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.7/httplib.py", line 855, in send
    self.connect()
  File "/usr/lib64/python2.7/httplib.py", line 1274, in connect
    server_hostname=server_hostname)
  File "/usr/lib64/python2.7/ssl.py", line 352, in wrap_socket
    _context=self)
  File "/usr/lib64/python2.7/ssl.py", line 579, in __init__
    self.do_handshake()
  File "/usr/lib64/python2.7/ssl.py", line 808, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

I'll suggest the way to fix this is to introduce an option to connect() called verify_ssl which will default to True. I expect to receive no tracebacks when I call connect() like:

pic.connect(verify_ssl=False)
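
An added example, not Pulp's own code and not part of the original report: one way a verify_ssl option could map onto an SSLContext under the PEP 476 defaults. The names build_ssl_context and ca_path are assumptions; ca_path shows the alternative of trusting the self-signed certificate explicitly so that verification stays on.

```python
import ssl

try:                      # Python 2.7.9+ (the interpreter in the traceback)
    import httplib
except ImportError:       # Python 3
    import http.client as httplib


def build_ssl_context(verify_ssl=True, ca_path=None):
    """Return an SSLContext for a connect(verify_ssl=...) style option.

    ca_path is an assumed extra parameter: a PEM file holding the server's
    self-signed certificate (or its private CA), so verification can stay on.
    """
    # create_default_context() yields CERT_REQUIRED plus hostname checking,
    # the default behaviour that produces CERTIFICATE_VERIFY_FAILED against
    # a self-signed server certificate.
    context = ssl.create_default_context(cafile=ca_path)
    if not verify_ssl:
        # Order matters: check_hostname must be cleared before verify_mode
        # is set to CERT_NONE, otherwise ssl raises ValueError.
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
    return context


def connect(host, port=443, verify_ssl=True, ca_path=None):
    """Build (but do not open) an HTTPS connection with the chosen policy."""
    context = build_ssl_context(verify_ssl=verify_ssl, ca_path=ca_path)
    return httplib.HTTPSConnection(host, port, context=context), context


if __name__ == "__main__":
    # "pulp.example.com" is a constructed hostname; no network traffic occurs
    # because the connection object is never opened.
    for flag in (True, False):
        _, ctx = connect("pulp.example.com", verify_ssl=flag)
        print("verify_ssl=%s -> verify_mode=%s, check_hostname=%s"
              % (flag, ctx.verify_mode, ctx.check_hostname))
```

With verify_ssl=False the connection is encrypted but unauthenticated, so passing the server's certificate through ca_path is the option that keeps the verification PEP 476 introduced.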
