← Back to team overview

touch-packages team mailing list archive

[Bug 1500768] Re: python3.4.3 SRU break requests

 

PEP 476 <https://www.python.org/dev/peps/pep-0476/> is the impetus for
this, and issue 22417 is the implementation
<https://bugs.python.org/issue22417>

The PEP says this <https://www.python.org/dev/peps/pep-0476/#id28>:

"This change will have the appearance of causing some HTTPS connections
to "break", because they will now raise an Exception during handshake.

This is misleading however, in fact these connections are presently
failing silently, an HTTPS URL indicates an expectation of
confidentiality and authentication. The fact that Python does not
actually verify that the user's request has been made is a bug, further:
"Errors should never pass silently."

Nevertheless, users who have a need to access servers with self-signed
or incorrect certificates would be able to do so by providing a context
with custom trust roots or which disables validation (documentation
should strongly recommend the former where possible). Users will also be
able to add necessary certificates to system trust stores in order to
trust them globally.

Twisted's 14.0 release made this same change, and it has been met with
almost no opposition."

So the immediate question I have is, you say you're running the tests
with verify=True and you're getting new failures.  If that's the case,
then since you've apparently always been verifying certificates, the
change to make verification by default shouldn't affect you.  But you're
saying it has affected you and other packages too, is that right?

You say you ran a test with the backport of requests 2.7, but you don't
mention what the outcome of that test was.

If you install the monkey patch to restore the old behavior according to
the PEP, does that fix the problem for you?

I'm also curious because I ran the system-image tests in a trusty chroot
and haven't seen any problems.  It does a lot of self-signed certificate
checks, including ensuring that bad certificates are rejected.  It
doesn't use requests though.


** Bug watch added: Python Roundup #22417
   http://bugs.python.org/issue22417

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to python3.4 in Ubuntu.
https://bugs.launchpad.net/bugs/1500768

Title:
  python3.4.3 SRU break requests

Status in python3.4 package in Ubuntu:
  Confirmed

Bug description:
  Sicne the upgade to python 3.4.3 on trusty, I'm getting this error when using a squid proxy:
  https://jenkins.qa.ubuntu.com/view/All/job/udtc-trusty-tests/1946/label=ps-trusty-desktop-amd64-1,type=large/testReport/tests.large.test_android/AndroidSDKTests/test_default_android_sdk_install/

  The code is using python-requests, with verify=True for ssl connection
  (default). Some tests are testing that invalid certificates are
  rejected:  https://github.com/ubuntu/ubuntu-
  make/blob/master/umake/network/download_center.py#L129

  Rerunning the same code with previous trusty package (3.4.0~trusty1)
  doesn't show up this issue. It seems that SNI is broken for the trusty
  version of python3-requests with 3.4.3. (See the FAQ http://www
  .python-requests.org/en/latest/community/faq/ with "What are “hostname
  doesn’t match” errors?" and the stackoverflow question.

  I did run a test, grabbing requests 2.7 and backporting it to trusty
  (I needed to as well to take python3-urllib3 willy version).

  So, 3.4.3 has an incompatible change for existing projects and people
  with proxys are starting to see some breakage like in
  https://bugs.launchpad.net/ubuntu/+source/ubuntu-make/+bug/1499890.

  Can we get it fix somehow, reverting the incompatible change breaking
  SNI (I wonder if this is "Changed in version 3.4.3: This class now
  performs all the necessary certificate and hostname checks by default.
  To revert to the previous, unverified, behavior
  ssl._create_unverified_context() can be passed to the context
  parameter." in https://docs.python.org/3/library/http.client.html or
  something else) so that existing code can either get a new compatible
  python-requests or avoid incompatible changes in python 3.4.3?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python3.4/+bug/1500768/+subscriptions


References