yahoo-eng-team team mailing list archive

[Bug 1404390] [NEW] Python 2.7.9 breaks nova.tests.unit.test_wsgi.TestWSGIServerWithSSL.test_app_using_ipv6_and_ssl

 

Public bug reported:

nova git version is 2014.2-1545-gd442187 (i.e. master as of now).

Python 2.7.9, with its securing the network by default (PEP 466), causes
the test to fail:

    URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)>

If I pass the test CA file through urlopen(), for academic purposes as
it's not backwards compatible, I find that the server cert is IPv4 only:

    CertificateError: hostname '::1' doesn't match u'0.0.0.0'

A new certificate is needed, but only the CA's public cert is provided,
so the old CA is useless for signing a new IPv4 & IPv6 certificate.

If I create a new CA and a new certificate and switch to the responses
Python package (to enable SSL verification and full 2.7.x
compatibility), then everything works and I have
https://review.openstack.org/143072.

** Affects: nova
     Importance: Undecided
         Status: New


** Tags: 2.7.9 ipv6 python ssl testing wsgi

** Attachment added: "certificate verify failed traceback"
   https://bugs.launchpad.net/bugs/1404390/+attachment/4284395/+files/certificate_verify_failed.txt

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1404390

Title:
  Python 2.7.9 breaks
  nova.tests.unit.test_wsgi.TestWSGIServerWithSSL.test_app_using_ipv6_and_ssl

Status in OpenStack Compute (Nova):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1404390/+subscriptions
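
The hostname mismatch reported above comes down to which addresses the test certificate names. As an added example (not part of the bug report or of nova's code), this Python 3 code audits `getpeercert()`-style dictionaries against the addresses a test server binds to; both certificate dictionaries and the function names are constructed for illustration, and the check is an audit helper rather than Python's own hostname-matching routine.

```python
import ipaddress

# Constructed getpeercert()-style dicts; sample values, not nova's real certs.
# OLD_CERT models a certificate that names only '0.0.0.0' (assumption: via CN).
OLD_CERT = {
    "subject": ((("commonName", "0.0.0.0"),),),
}
# NEW_CERT models a reissued certificate naming both loopback addresses.
NEW_CERT = {
    "subject": ((("commonName", "localhost"),),),
    "subjectAltName": (
        ("DNS", "localhost"),
        ("IP Address", "127.0.0.1"),
        ("IP Address", "0:0:0:0:0:0:0:1"),  # expanded form of ::1
    ),
}


def san_ip_addresses(cert):
    """Return the certificate's SAN IP entries as normalized address objects."""
    found = set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "IP Address":
            continue
        try:
            # Normalizing makes '0:0:0:0:0:0:0:1' compare equal to '::1'.
            found.add(ipaddress.ip_address(value.strip()))
        except ValueError:
            continue  # malformed entry covers nothing
    return found


def uncovered_addresses(cert, bind_addresses):
    """List the bind addresses that no SAN IP entry in the cert vouches for."""
    covered = san_ip_addresses(cert)
    return [a for a in bind_addresses if ipaddress.ip_address(a) not in covered]


if __name__ == "__main__":
    targets = ["127.0.0.1", "::1"]
    print("old cert misses:", uncovered_addresses(OLD_CERT, targets))
    print("new cert misses:", uncovered_addresses(NEW_CERT, targets))
```
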

