← Back to team overview

sts-sponsors team mailing list archive

  1. sts-sponsors team
  2. Mailing list archive
  3. Message #02632

[Bug 1820083] Re: TLS params not set for session

  Thread PreviousDate PreviousThread Next 
** Description changed:

  [Impact]
  
  A connection session is opened, but the TLS parameters (timeout, ca,
  cert and key) are not actually set for the session.  This prevents use
  of TLS.
  
- [Test Case]
+ [Test Plan]
  
  # Create self signed certs
  
  openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
  *make sure the key has an empty password
  
  #download binaries & launch etcd locally with TLS enabled
  cd ~ wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz cd etcd-v3.3.14-linux-amd64/
  sudo mv etcd etcdctl /usr/bin/
  cd ~ rm -rf etcd-v3.3.14-linux-amd64*
  *note I named my directory infra0
  
  etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-
  file=localhost.key --advertise-client-urls=https://127.0.0.1:2379
  --listen-client-urls=https://127.0.0.1:2379
  
  test connection with health endpoint: curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health if successful, {"health": "true"}
  Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
  ```
  def test_client_tls(self):
  
  client = Etcd3Client(host="localhost", protocol="https", ca_cert="~/localhost.crt",cert_key="~/localhost.key", cert_cert="~/user.crt", timeout=10)
  response = client.get("/health") print(response)
  ```
  Run the newly added unit test python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls We get an error in both the unit test and an error from the etcd server unit test error we are looking for: OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
  
  [Where Problems Could Occur]
  
  This adds TLS parameters (if provided) to the session, so regressions
  would involve failed connections, possibly those without TLS that had
  TLS params incorrectly provided before.
  
  [Other]
  
  the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
  fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
  via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
  
  that commit is contained in version 0.2.2, which is not yet pulled into
  Debian, so this patch is needed in Debian, as well as Bionicand Focal.
  This package was not included in Xenial.

-- 
You received this bug notification because you are a member of STS
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1820083

Title:
  TLS params not set for session

Status in python-etcd3gw package in Ubuntu:
  Fix Released
Status in python-etcd3gw source package in Bionic:
  In Progress
Status in python-etcd3gw source package in Cosmic:
  Won't Fix
Status in python-etcd3gw source package in Disco:
  Won't Fix
Status in python-etcd3gw source package in Eoan:
  Won't Fix
Status in python-etcd3gw source package in Focal:
  In Progress
Status in python-etcd3gw source package in Groovy:
  In Progress
Status in python-etcd3gw source package in Hirsute:
  Fix Released

Bug description:
  [Impact]

  A connection session is opened, but the TLS parameters (timeout, ca,
  cert and key) are not actually set for the session.  This prevents use
  of TLS.

  [Test Plan]

  # Create self signed certs

  openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
  *make sure the key has an empty password

  #download binaries & launch etcd locally with TLS enabled
  cd ~ wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz cd etcd-v3.3.14-linux-amd64/
  sudo mv etcd etcdctl /usr/bin/
  cd ~ rm -rf etcd-v3.3.14-linux-amd64*
  *note I named my directory infra0

  etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-
  file=localhost.key --advertise-client-urls=https://127.0.0.1:2379
  --listen-client-urls=https://127.0.0.1:2379

  test connection with health endpoint: curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health if successful, {"health": "true"}
  Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
  ```
  def test_client_tls(self):

  client = Etcd3Client(host="localhost", protocol="https", ca_cert="~/localhost.crt",cert_key="~/localhost.key", cert_cert="~/user.crt", timeout=10)
  response = client.get("/health") print(response)
  ```
  Run the newly added unit test python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls We get an error in both the unit test and an error from the etcd server unit test error we are looking for: OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")

  [Where Problems Could Occur]

  This adds TLS parameters (if provided) to the session, so regressions
  would involve failed connections, possibly those without TLS that had
  TLS params incorrectly provided before.

  [Other]

  the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
  fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
  via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0

  that commit is contained in version 0.2.2, which is not yet pulled
  into Debian, so this patch is needed in Debian, as well as Bionicand
  Focal.  This package was not included in Xenial.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+subscriptions
  Thread PreviousDate PreviousThread Next