Control: tags 909545 + patch
Control: tags 909545 + pending
Dear maintainer,
I've prepared an NMU for python-boto (versioned as 2.44.0-1.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.
Regards.
Sebastian
diff -u python-boto-2.44.0/debian/changelog python-boto-2.44.0/debian/changelog
--- python-boto-2.44.0/debian/changelog
+++ python-boto-2.44.0/debian/changelog
@@ -1,3 +1,10 @@
+python-boto (2.44.0-1.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Add SNI support. Thanks to Witold Baryluk for testing (Closes: #909545).
+
+ -- Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Sun, 04 Nov 2018 12:37:23 +0100
+
python-boto (2.44.0-1) unstable; urgency=medium
* New upstream release.
only in patch2:
unchanged:
--- python-boto-2.44.0.orig/boto/connection.py
+++ python-boto-2.44.0/boto/connection.py
@@ -821,23 +821,24 @@
h = http_client.HTTPConnection(host)
if self.https_validate_certificates and HAVE_HTTPS_CONNECTION:
+ context = ssl.create_default_context()
+ context.verify_mode = ssl.CERT_REQUIRED
+ context.check_hostname = True
+
msg = "wrapping ssl socket for proxied connection; "
if self.ca_certificates_file:
msg += "CA certificate file=%s" % self.ca_certificates_file
+ context.load_verify_locations(cafile=self.ca_certificates_file)
else:
msg += "using system provided SSL certs"
+ context.load_default_certs()
boto.log.debug(msg)
key_file = self.http_connection_kwargs.get('key_file', None)
cert_file = self.http_connection_kwargs.get('cert_file', None)
- sslSock = ssl.wrap_socket(sock, keyfile=key_file,
- certfile=cert_file,
- cert_reqs=ssl.CERT_REQUIRED,
- ca_certs=self.ca_certificates_file)
- cert = sslSock.getpeercert()
- hostname = self.host.split(':', 0)[0]
- if not https_connection.ValidateCertificateHostname(cert, hostname):
- raise https_connection.InvalidCertificateException(
- hostname, cert, 'hostname mismatch')
+ if key_file:
+ context.load_cert_chain(certfile=cert_file, keyfile=key_file)
+
+ sslSock = context.wrap_socket(sock, server_hostname=host)
else:
# Fallback for old Python without ssl.wrap_socket
if hasattr(http_client, 'ssl'):
only in patch2:
unchanged:
--- python-boto-2.44.0.orig/boto/https_connection.py
+++ python-boto-2.44.0/boto/https_connection.py
@@ -119,20 +119,20 @@
sock = socket.create_connection((self.host, self.port), self.timeout)
else:
sock = socket.create_connection((self.host, self.port))
+
+ context = ssl.create_default_context()
+ context.verify_mode = ssl.CERT_REQUIRED
+ context.check_hostname = True
+ if self.key_file:
+ context.load_cert_chain(certfile=self.cert_file, keyfile=self.key_file)
+
msg = "wrapping ssl socket; "
if self.ca_certs:
msg += "CA certificate file=%s" % self.ca_certs
+ context.load_verify_locations(cafile=self.ca_certs)
else:
msg += "using system provided SSL certs"
+ context.load_default_certs()
boto.log.debug(msg)
- self.sock = ssl.wrap_socket(sock, keyfile=self.key_file,
- certfile=self.cert_file,
- cert_reqs=ssl.CERT_REQUIRED,
- ca_certs=self.ca_certs)
- cert = self.sock.getpeercert()
- hostname = self.host.split(':', 0)[0]
- if not ValidateCertificateHostname(cert, hostname):
- raise InvalidCertificateException(hostname,
- cert,
- 'remote hostname "%s" does not match '
- 'certificate' % hostname)
+
+ self.sock = context.wrap_socket(sock, server_hostname=self.host)
only in patch2:
unchanged:
--- python-boto-2.44.0.orig/debian/patches-for-reference/boto-try-to-add-SNI-support-v2.patch
+++ python-boto-2.44.0/debian/patches-for-reference/boto-try-to-add-SNI-support-v2.patch
@@ -0,0 +1,92 @@
+From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
+Date: Sat, 29 Sep 2018 21:47:11 +0200
+Subject: [PATCH] boto: try to add SNI support
+
+Add SNI support. Newer OpenSSL (with TLS1.3) fail to connect if the
+hostname is missing.
+
+Link: https://bugs.debian.org/909545
+Tested-by: Witold Baryluk <witold.bary...@gmail.com>
+Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
+---
+ boto/connection.py | 19 ++++++++++---------
+ boto/https_connection.py | 22 +++++++++++-----------
+ 2 files changed, 21 insertions(+), 20 deletions(-)
+
+diff --git a/boto/connection.py b/boto/connection.py
+index 34b428f101df7..b4867a7657465 100644
+--- a/boto/connection.py
++++ b/boto/connection.py
+@@ -824,23 +824,24 @@ DEFAULT_CA_CERTS_FILE = os.path.join(os.path.dirname(os.path.abspath(boto.cacert
+ h = http_client.HTTPConnection(host)
+
+ if self.https_validate_certificates and HAVE_HTTPS_CONNECTION:
++ context = ssl.create_default_context()
++ context.verify_mode = ssl.CERT_REQUIRED
++ context.check_hostname = True
++
+ msg = "wrapping ssl socket for proxied connection; "
+ if self.ca_certificates_file:
+ msg += "CA certificate file=%s" % self.ca_certificates_file
++ context.load_verify_locations(cafile=self.ca_certificates_file)
+ else:
+ msg += "using system provided SSL certs"
++ context.load_default_certs()
+ boto.log.debug(msg)
+ key_file = self.http_connection_kwargs.get('key_file', None)
+ cert_file = self.http_connection_kwargs.get('cert_file', None)
+- sslSock = ssl.wrap_socket(sock, keyfile=key_file,
+- certfile=cert_file,
+- cert_reqs=ssl.CERT_REQUIRED,
+- ca_certs=self.ca_certificates_file)
+- cert = sslSock.getpeercert()
+- hostname = self.host.split(':', 0)[0]
+- if not https_connection.ValidateCertificateHostname(cert, hostname):
+- raise https_connection.InvalidCertificateException(
+- hostname, cert, 'hostname mismatch')
++ if key_file:
++ context.load_cert_chain(certfile=cert_file, keyfile=key_file)
++
++ sslSock = context.wrap_socket(sock, server_hostname=host)
+ else:
+ # Fallback for old Python without ssl.wrap_socket
+ if hasattr(http_client, 'ssl'):
+diff --git a/boto/https_connection.py b/boto/https_connection.py
+index ddc31a152292e..a5076f6f9b261 100644
+--- a/boto/https_connection.py
++++ b/boto/https_connection.py
+@@ -119,20 +119,20 @@ from boto.compat import six, http_client
+ sock = socket.create_connection((self.host, self.port), self.timeout)
+ else:
+ sock = socket.create_connection((self.host, self.port))
++
++ context = ssl.create_default_context()
++ context.verify_mode = ssl.CERT_REQUIRED
++ context.check_hostname = True
++ if self.key_file:
++ context.load_cert_chain(certfile=self.cert_file, keyfile=self.key_file)
++
+ msg = "wrapping ssl socket; "
+ if self.ca_certs:
+ msg += "CA certificate file=%s" % self.ca_certs
++ context.load_verify_locations(cafile=self.ca_certs)
+ else:
+ msg += "using system provided SSL certs"
++ context.load_default_certs()
+ boto.log.debug(msg)
+- self.sock = ssl.wrap_socket(sock, keyfile=self.key_file,
+- certfile=self.cert_file,
+- cert_reqs=ssl.CERT_REQUIRED,
+- ca_certs=self.ca_certs)
+- cert = self.sock.getpeercert()
+- hostname = self.host.split(':', 0)[0]
+- if not ValidateCertificateHostname(cert, hostname):
+- raise InvalidCertificateException(hostname,
+- cert,
+- 'remote hostname "%s" does not match '
+- 'certificate' % hostname)
++
++ self.sock = context.wrap_socket(sock, server_hostname=self.host)
+--
+2.19.0
+
