Source: python-urllib3
Version: 1.26.17-1
Severity: normal
X-Debbugs-Cc: jdstr...@ubuntu.com, secur...@ubuntu.com
Hi,
In the process of packaging a library, I ran into a test failure caused
by urllib3's 02_require-cert-verification.patch.
It looks like this patch is no longer required, but given the security
implications, I'm not just going to commit to git, but rather ask for
input.
Several relevant changes were made in urllib3 since the authoring of
this patch:
1. urllib3.contrib.pyopenssl now uses the operating system's default CA
certificates on inject.
https://github.com/urllib3/urllib3/pull/332
2. When ca_certs is given, cert_reqs defaults to 'CERT_REQUIRED'.
https://github.com/urllib3/urllib3/pull/650
With unpatched upstream urllib3 1.26.18 (not even 2.x):
>>> import urllib3
>>> http = urllib3.PoolManager()
>>> http.request("GET", "https://expired.badssl.com/")
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate
verify failed: certificate has expired (_ssl.c:1006)
>>> http.request("GET", "https://wrong.host.badssl.com/")
urllib3.exceptions.MaxRetryError:
HTTPSConnectionPool(host='wrong.host.badssl.com', port=443): Max retries
exceeded with url: / (Caused by SSLError(CertificateError("hostname
'wrong.host.badssl.com' doesn't match either of '*.badssl.com', 'badssl.com'")))
>>> http.request("GET", "https://untrusted-root.badssl.com/")
urllib3.exceptions.MaxRetryError:
HTTPSConnectionPool(host='untrusted-root.badssl.com', port=443): Max retries
exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate
in certificate chain (_ssl.c:1006)')))
>>> http.request("GET", "https://self-signed.badssl.com/")
urllib3.exceptions.MaxRetryError:
HTTPSConnectionPool(host='self-signed.badssl.com', port=443): Max retries
exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate
(_ssl.c:1006)')))
>>> http.request("GET", "https://revoked.badssl.com/")
urllib3.exceptions.MaxRetryError:
HTTPSConnectionPool(host='revoked.badssl.com', port=443): Max retries exceeded
with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired
(_ssl.c:1006)')))
How do you feel about dropping it?
Stefano
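A systematic version of the manual check in the report, added here as an example (not part of the bug report or of urllib3): it probes the same badssl.com hosts with a plain PoolManager() and fails if any of them is accepted, which is the regression a dropped verification patch would cause. It assumes an installed urllib3 and network access to badssl.com when probe_all() is called; the classify() helper works offline.

```python
"""Regression check: does a default urllib3.PoolManager() reject bad certificates?"""
import ssl

# Hosts from the report whose certificates must fail verification
# ("revoked" is left out: OpenSSL does not check revocation by default).
BAD_HOSTS = ("expired", "wrong.host", "untrusted-root", "self-signed")


def unwrap(exc):
    """Walk urllib3's MaxRetryError(reason=...) chain down to the root cause."""
    seen = []
    while exc is not None and exc not in seen:
        seen.append(exc)
        exc = getattr(exc, "reason", None) or exc.__cause__ or exc.__context__
    return seen


def classify(exc):
    """Map an exception to REJECTED (verification did its job) or ERROR."""
    for e in unwrap(exc):
        text = str(e)
        if isinstance(e, ssl.SSLCertVerificationError) or "CERTIFICATE_VERIFY_FAILED" in text:
            return "REJECTED"  # chain/expiry failure from OpenSSL, as in the report
        if type(e).__name__ == "CertificateError" or "doesn't match" in text:
            return "REJECTED"  # hostname mismatch, raised by urllib3 itself in 1.26
    return "ERROR"  # DNS, timeout, etc.: not evidence either way


def probe(http, name):
    """Return ACCEPTED / REJECTED / ERROR for one badssl.com host."""
    try:
        http.request("GET", f"https://{name}.badssl.com/", retries=0)
    except Exception as exc:  # MaxRetryError / SSLError, unwrapped by classify()
        return classify(exc)
    return "ACCEPTED"  # the connection succeeded despite a bad certificate


def probe_all():
    import urllib3  # imported here so the helpers above work without urllib3

    http = urllib3.PoolManager()  # no cert_reqs/ca_certs: the defaults under test
    return {name: probe(http, name) for name in BAD_HOSTS}


if __name__ == "__main__":
    results = probe_all()
    for name, verdict in results.items():
        print(f"{name:15s} {verdict}")
    raise SystemExit(1 if "ACCEPTED" in results.values() else 0)
```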