Public bug reported:

[Impact]

 * If and when openssl and python are upgraded with TLS 1.3 support,
   httplib2 as shipped in bionic will fail to establish TLS connections,
   due to failure to send hostname for SNI verification.

[Test Case]

 * Sample script that currently passes in bionic, but fails if one
   force-upgrades to a newer python2.7 built with openssl 1.1.1

 * Install the new openssl & python on bionic with:

   echo 'deb [trusted=yes] http://ppa.launchpad.net/ci-train-ppa-service/3540/ubuntu bionic main ' > /etc/apt/sources.list.d/xnox.list
   apt update
   apt install -y python2.7
   apt download python-httplib2
   dpkg-deb -x ./python-httplib2_0.9.2+dfsg-1_all.deb /

 * Launch python interpreter and try to open a https url

   $ python
   import httplib2
   h = httplib2.Http(ca_certs='/etc/ssl/certs/ca-certificates.crt')
   h.request("https://www.google.com")

   Traceback (most recent call last):
     File "<stdin>", line 1, in <module>
     File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1608, in request
       (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
     File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1350, in _request
       (response, content) = self._conn_request(conn, request_uri, method, body, headers)
     File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1271, in _conn_request
       conn.connect()
     File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1058, in connect
       raise SSLHandshakeError(e)
   httplib2.SSLHandshakeError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)

 * Instead of an assertion being raised, the URL should be retrieved
   successfully with page contents returned.

[Regression Potential]

 * Upstream patch is used, which is well-tested and used in cosmic/disco
   and uses python standard library ssl facilities which have been
   provided since 2.7.9 (xenial+). In terms of connectivity, correct SNI
   usage will not result in connectivity failures.

[Other Info]

 * Upstream fix https://github.com/httplib2/httplib2/pull/13/files

** Affects: python-httplib2 (Ubuntu)
     Importance: Undecided
         Status: Fix Released

** Affects: python-httplib2 (Ubuntu Bionic)
     Importance: Undecided
         Status: Confirmed

** Affects: python-httplib2 (Debian)
     Importance: Unknown
         Status: Unknown

** Also affects: python-httplib2 (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: python-httplib2 (Ubuntu)
       Status: New => Fix Released

** Changed in: python-httplib2 (Ubuntu Bionic)
       Status: New => Confirmed

** Bug watch added: Debian Bug tracker #907278
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907278

** Also affects: python-httplib2 (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907278
   Importance: Unknown
       Status: Unknown

--
https://bugs.launchpad.net/bugs/1805807

Title:
  python-httplib2 is not compatible with TLS 1.3 based python/ssl