Bug#1054212: python-urllib3: Drop 02_require-cert-verification.patch (no longer needed)

2023-10-21 Thread Daniele Tricoli

Hello Stefano,
thanks for bringing this out!

On 19/10/2023 12:31, Stefano Rivera wrote:

> In the process of packaging a library, I ran into a test failure caused
> by urllib3's 02_require-cert-verification.patch
>
> It looks like this patch is no longer required, but given the security
> implications, I'm not just going to commit to git, but rather ask for
> input.



[CUT analysis]

I was wondering the same but, as you said, given the security
implications I refrained from dropping it since I thought there were no
implications in having it. Since it's causing failures it makes sense to
drop it.



> How do you feel about dropping it?


Please go ahead, thanks!

Cheers,

--
Daniele Tricoli
https://mornie.org



Bug#1054212: python-urllib3: Drop 02_require-cert-verification.patch (no longer needed)

2023-10-19 Thread Stefano Rivera
Source: python-urllib3
Version: 1.26.17-1
Severity: normal
X-Debbugs-Cc: jdstr...@ubuntu.com, secur...@ubuntu.com

Hi,

In the process of packaging a library, I ran into a test failure caused
by urllib3's 02_require-cert-verification.patch

It looks like this patch is no longer required, but given the security
implications, I'm not just going to commit to git, but rather ask for
input.

Several relevant changes were made in urllib3 since the authoring of
this patch:
1. urllib3.contrib.pyopenssl now uses the operating system's default CA
   certificates on inject.
   https://github.com/urllib3/urllib3/pull/332
2. When ca_certs is given, cert_reqs defaults to 'CERT_REQUIRED'.
   https://github.com/urllib3/urllib3/pull/650

With unpatched upstream urllib3 1.26.18 (not even 2.x):

>>> import urllib3
>>> http = urllib3.PoolManager()
>>> http.request("GET", "https://expired.badssl.com/")
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate 
verify failed: certificate has expired (_ssl.c:1006)
>>> http.request("GET", "https://wrong.host.badssl.com/")
urllib3.exceptions.MaxRetryError: 
HTTPSConnectionPool(host='wrong.host.badssl.com', port=443): Max retries 
exceeded with url: / (Caused by SSLError(CertificateError("hostname 
'wrong.host.badssl.com' doesn't match either of '*.badssl.com', 'badssl.com'")))
>>> http.request("GET", "https://untrusted-root.badssl.com/")
urllib3.exceptions.MaxRetryError: 
HTTPSConnectionPool(host='untrusted-root.badssl.com', port=443): Max retries 
exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: 
CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate 
in certificate chain (_ssl.c:1006)')))
>>> http.request("GET", "https://self-signed.badssl.com/")
urllib3.exceptions.MaxRetryError: 
HTTPSConnectionPool(host='self-signed.badssl.com', port=443): Max retries 
exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: 
CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate 
(_ssl.c:1006)')))
>>> http.request("GET", "https://revoked.badssl.com/")
urllib3.exceptions.MaxRetryError: 
HTTPSConnectionPool(host='revoked.badssl.com', port=443): Max retries exceeded 
with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: 
CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired 
(_ssl.c:1006)')))

How do you feel about dropping it?

Stefano
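The badssl.com session above needs network access. As an offline complement, the following is an added example (not part of the bug report, and not urllib3's or Debian's own test code) that inspects the defaults the dropped patch used to force: what urllib3 resolves an unset cert_reqs to, the verify_mode of the SSLContext it builds for its own connections, and the cert_reqs a connection from an unconfigured HTTPSConnectionPool would enforce. The hostname example.invalid is a placeholder (no socket is opened, so nothing is resolved), and pool._new_conn() is private urllib3 API used here only for inspection; it works on both 1.26 and 2.x, where the resolution point differs, so the result is normalised through resolve_cert_reqs in both cases.

```python
import ssl

import urllib3
from urllib3.util.ssl_ import create_urllib3_context, resolve_cert_reqs

# Placeholder host: the pool is only constructed, never connected.
_HOST = "example.invalid"


def pool_cert_reqs(**pool_kw):
    """Return the ssl.CERT_* constant a fresh connection from an
    HTTPSConnectionPool built with pool_kw would enforce.

    _new_conn() is private API, used only for inspection. In 1.26 the pool
    resolves cert_reqs onto the connection immediately; in 2.x the raw value
    (None or a string) is kept and resolved at connect time, so both are
    passed through resolve_cert_reqs to get a comparable constant.
    """
    pool = urllib3.HTTPSConnectionPool(_HOST, 443, **pool_kw)
    conn = pool._new_conn()
    return resolve_cert_reqs(conn.cert_reqs)


def context_verify_mode(cert_reqs=None):
    """verify_mode of the SSLContext urllib3 creates for its own sockets.

    check_hostname is deliberately not inspected: 1.26 leaves it False and
    matches hostnames itself (the "doesn't match either of" error above),
    while 2.x sets it True on the context.
    """
    return create_urllib3_context(cert_reqs=cert_reqs).verify_mode


def verification_defaults():
    """Collect the defaults that 02_require-cert-verification.patch forced."""
    return {
        "resolve_none": resolve_cert_reqs(None),
        "resolve_string": resolve_cert_reqs("CERT_REQUIRED"),
        "context_default": context_verify_mode(),
        "context_explicit_none": context_verify_mode(ssl.CERT_NONE),
        "pool_default": pool_cert_reqs(),
        "pool_explicit_none": pool_cert_reqs(cert_reqs="CERT_NONE"),
    }


def verifies_by_default():
    """True iff an unconfigured urllib3 requires and checks peer certificates,
    i.e. would reject the expired/self-signed/untrusted badssl.com hosts."""
    d = verification_defaults()
    return (
        d["resolve_none"] == ssl.CERT_REQUIRED
        and d["context_default"] == ssl.CERT_REQUIRED
        and d["pool_default"] == ssl.CERT_REQUIRED
    )


if __name__ == "__main__":
    for name, value in verification_defaults().items():
        print(f"{name:24s} {value!r}")
    print("verifies by default:", verifies_by_default())
```

Run it against the packaged module (for instance from an autopkgtest) before and after dropping the patch; the pool_default and context_default values should be CERT_REQUIRED in both cases. Only an explicit cert_reqs="CERT_NONE" (the pool_explicit_none entry) disables verification, which is the opt-out the patch never removed anyway.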