[Bug 1820083] Re: TLS params not set for session
This bug was fixed in the package python-etcd3gw - 0.2.1-1ubuntu0.18.04.1

---
python-etcd3gw (0.2.1-1ubuntu0.18.04.1) bionic; urgency=medium

  * d/p/lp1820083-set-transport-options-on-requests-session.patch
    - Sets TLS parameters for session (LP: #1820083)
  * d/p/0001-lp1900617-When-gateway-sends-failure-response-include-text-in.patch
    - Include response text in raised exception
    d/p/0002-lp1900617-Include-resp.text-as-detail-in-all-etcd-exceptions.patch
    - Add new unit test for return exception
    d/p/0003-lp1900617-Fix-exception-signature.patch
    - Derived exceptions can use arguments again (LP: #1900617)

 -- Heather Lemon Wed, 27 Oct 2021 15:59:44 +

** Changed in: python-etcd3gw (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1820083

Title:
  TLS params not set for session

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1820083] Re: TLS params not set for session
This bug was fixed in the package python-etcd3gw - 0.2.1-3ubuntu1.20.04.1

---
python-etcd3gw (0.2.1-3ubuntu1.20.04.1) focal; urgency=medium

  * d/p/lp1820083-Set-transport-options-on-requests-session.patch
    - Sets TLS parameters for session (LP: #1820083)
  * d/p/0001-lp1900617-When-gateway-sends-failure-response-include-text-in-.patch
    - Include response text in raised exception
    d/p/0002-lp1900617-Include-resp.text-as-detail-in-all-etcd-exceptions.patch
    - Add new unit test for return exception
    d/p/0003-lp1900617-Fix-exception-signature.patch
    - Derived exceptions can use arguments again (LP: #1900617)

 -- Heather Lemon Mon, 07 Dec 2020 12:21:25 -0700

** Changed in: python-etcd3gw (Ubuntu Focal)
   Status: Fix Committed => Fix Released
[Bug 1820083] Re: TLS params not set for session
TEST CASE:
1. use focal series lxc container
2. Enable proposed repo in /etc/apt/sources.list
3. deb http://archive.ubuntu.com/ubuntu focal-proposed main universe
4. sudo apt-get update
5. apt install etcd-client
6. apt-get install python3-etcd3gw # Focal has renamed this package with python3-etcd3gw
7. wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
8. tar -xvf etcd-v3.3.13-linux-amd64.tar.gz
9. openssl req -x509 -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.crt
10. ./etcd --name infra0 --data-dir infra0 --cert-file=/root/python-etcd3gw-0.2.1/localhost.crt --key-file=/root/python-etcd3gw-0.2.1/localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
11. curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
    response - {"health":"true"}
12. etcdctl --endpoints https://127.0.0.1:2379 --ca-file=localhost.crt --cert-file=localhost.crt --key-file=localhost.key member list
    response = 8e9e05c52164694d: name=infra0 peerURLs=http://localhost:2380 clientURLs=https://127.0.0.1:2379 isLeader=true
13. etcdctl --endpoints https://127.0.0.1:2379 --ca-file=localhost.crt --cert-file=localhost.crt --key-file=localhost.key set foo bar
    response - bar

VERIFICATION DONE
you can connect to the etcd server with certificate information provided

TROUBLESHOOTING
** See above troubleshooting steps
[Bug 1820083] Re: TLS params not set for session
Thanks, Heather. Don't forget to do the verification for the other bug as well (LP: #1900617) - Eric
[Bug 1820083] Re: TLS params not set for session
TEST CASE:
1. Use Bionic series lxc container
2. Enable proposed repo in /etc/apt/sources.list
3. deb http://archive.ubuntu.com/ubuntu bionic-proposed main universe
4. sudo apt-get update
5. apt-get install python-etcd3gw=0.2.1-1ubuntu0.18.04.1
6. openssl req -x509 -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.crt
7. ./etcd --name infra0 --data-dir infra0 --cert-file=/root/python-etcd3gw-0.2.1/localhost.crt --key-file=/root/python-etcd3gw-0.2.1/localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
8. apt-get install etcd-client
9. etcdctl --endpoints https://127.0.0.1:2379 --ca-file=localhost.crt --cert-file=localhost.crt --key-file=localhost.key member list
10. response - 8e9e05c52164694d: name=infra0 peerURLs=http://localhost:2380 clientURLs=https://127.0.0.1:2379 isLeader=true
11. extra testing - attempt to connect without certs gives
    Error: client: etcd cluster is unavailable or misconfigured; error #0: dial tcp 127.0.0.1:4001: connect: connection refused
    ; error #1: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02"
12. etcdctl --endpoints https://127.0.0.1:2379 --ca-file=localhost.crt --cert-file=localhost.crt --key-file=localhost.key set foo bar
13. etcdctl --endpoints https://127.0.0.1:2379 --ca-file=localhost.crt --cert-file=localhost.crt --key-file=localhost.key get foo
    response = bar

VERIFICATION DONE
you can connect to the etcd server with certificate information provided
8e9e05c52164694d: name=infra0 peerURLs=http://localhost:2380 clientURLs=https://127.0.0.1:2379 isLeader=true

Troubleshooting
1. if you have this error
   140647060033984:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
   # comment out the RANDFILE at the top of /etc/ssl/openssl.cnf
   RANDFILE = $ENV::HOME/.rnd
2. If you have this error
   client: etcd cluster is unavailable or misconfigured; error #0: x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs
   # under /etc/ssl/openssl.cnf add your IP for your cert
   [ v3_ca ]
   subjectAltName = IP:127.0.0.1
   # also note, you can update ca-certificates
   cp localhost.crt /usr/share/ca-certificates/
   sudo update-ca-certificates
   sudo dpkg-reconfigure ca-certificates
3. Try rebooting openssl service after making changes or container
4. make sure etcd is running
   Error: client: etcd cluster is unavailable or misconfigured; error #0: dial tcp 127.0.0.1:2379: connect: connection refused
   error #0: dial tcp 127.0.0.1:2379: connect: connection refused
[Bug 1820083] Re: TLS params not set for session
Is there a way you can verify the actual binary package? Instead of testing it by pulling the source code? Verification needs to be done on the binary package, this is what we will promote in -updates. - Eric
[Bug 1820083] Re: TLS params not set for session
Commenting out the __init__.py inside line 25/26. where it checks the version with PBR

#__version__ = pbr.version.VersionInfo(
#'etcd3gw').version_string()

commenting this line out and running ./test.py my response is success.

# testing steps for bionic
version - 0.2.1-1ubuntu0.18.04.1
python3 version - 3.6.9
python2 version - 2.7.17

mkdir 1820083-verification-testing
cd 1820083-verification-testing
pull-lp-source python-etcd3gw bionic
apt install python3-pip
pip3 install -r requirements.txt
pip3 install -r test-requirements.txt

# generate certs in python-etcd3gw folder
openssl req -x509 -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.crt

# download etcd binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.13-linux-amd64.tar.gz
cd etcd-v3.3.13-linux-amd64/

# spin up etcd server
./etcd --name infra0 --data-dir infra0 --cert-file=/python-etcd3gw/localhost.crt --key-file=/python-etcd3gw/localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379

# test cert connection endpoint
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
response {"health":"true"}

modify test.py to your config setup for etcd

# run test
./test.py
response success!

# code for test.py
touch test.py
chmod +rwx test.py
gedit test.py

#!/usr/bin/python3
from etcd3gw import Etcd3Client

c = Etcd3Client(host="127.0.0.1", protocol="https",
                cert_key="localhost.key", cert_cert="localhost.crt",
                ca_cert="localhost.crt", timeout=10)
c.put('test', 'success!')
resp = c.get('test')
print(b''.join(resp).decode())

# also feel free to run unit tests with
python3 -m unittest

** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic
[Bug 1820083] Re: TLS params not set for session
I am getting a PBR error when testing this with bionic
[Bug 1820083] Re: TLS params not set for session
# testing steps for python-etcd3gw focal
version tested - python-etcd3gw 0.2.1-3ubuntu1.20.04.1

pull-lp-source python-etcd3gw focal

# generate certs in python-etcd3gw folder
openssl req -x509 -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.crt

# download etcd binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.13-linux-amd64.tar.gz
cd etcd-v3.3.13-linux-amd64/

# spin up etcd server
./etcd --name infra0 --data-dir infra0 --cert-file=/python-etcd3gw/localhost.crt --key-file=/python-etcd3gw/localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379

# test cert connection endpoint
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
response {"health":"true"}

modify test.py to your config setup for etcd

# run test
./test.py
response success!

# code for test.py
touch test.py
chmod +rwx test.py
gedit test.py

#!/usr/bin/python3
from etcd3gw import Etcd3Client

c = Etcd3Client(host="localhost", protocol="https",
                cert_key="localhost.key", cert_cert="localhost.crt",
                ca_cert="localhost.crt", timeout=10)
c.put('test', 'success!')
resp = c.get('test')
print(b''.join(resp).decode())

** Tags removed: verification-needed-focal
** Tags added: verification-done-focal
[Bug 1820083] Re: TLS params not set for session
Hello Dan, or anyone else affected,

Accepted python-etcd3gw into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python-etcd3gw/0.2.1-3ubuntu1.20.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Changed in: python-etcd3gw (Ubuntu Focal)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-focal

** Changed in: python-etcd3gw (Ubuntu Bionic)
   Status: In Progress => Fix Committed

** Tags added: verification-needed-bionic
[Bug 1820083] Re: TLS params not set for session
[sts-sponsors] The upload mentioned in comment #38 has been rejected as per my request. Re-uploaded in Focal and Bionic upload queues, including both (LP: #1820083) & (LP: #1900617) It is now waiting for the SRU verification team to approve the src package to start building and become available in the -proposed pockets for the testing/verification phase. Thanks for your contribution, Heather. - Eric & Dariusz
[Bug 1820083] Re: TLS params not set for session
Ah I should have been more explicit, my only question was around renaming of the github repo to opendev. Also, there is another LP that's supposed to go with this one: https://bugs.launchpad.net/ubuntu/focal/+source/python-etcd3gw/+bug/1900617
[Bug 1820083] Re: TLS params not set for session
[sts-sponsors] Uploaded in Focal and Bionic upload queues. It is now waiting for the SRU verification team to approve the src package to start building and become available in the -proposed pockets for the testing/verification phase. Thanks for your contribution Heather. - Eric
[Bug 1820083] Re: TLS params not set for session
I see that dims is the maintainer[0], so the github repo should be fine and be considered as a trusted source. We can leave it as is. [0] - https://pypi.org/project/etcd3gw/
[Bug 1820083] Re: TLS params not set for session
I see that dims is the maintainer[0], so the github repo should be fine. We can leave it as is. [0] - https://pypi.org/project/etcd3gw/
[Bug 1820083] Re: TLS params not set for session
Because:
1) We want to make sure we give credit to the author by making sure his/her name is readable.
2) The Bug-Ubuntu URL you originally added redirected to a 404 ERROR.
3) The dims' github repo last update was back in 2020, so it seems like a mirror or no-longer maintained source location.
4) The version was already picked for Eoan, in order to avoid conflict, I prefer not having 2 identical versions for more than 1 release (Even if Eoan is EOL).

Hope it answers your questions.
[Bug 1820083] Re: TLS params not set for session
5) The patch rename is to continue the logic in the patch convention name already existing in the src code.
[Bug 1820083] Re: TLS params not set for session
Revised focal patch addressing comments

** Patch added: "lp1820083-tls-params-focal.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5536538/+files/lp1820083-tls-params-focal.debdiff
[Bug 1820083] Re: TLS params not set for session
Revised bionic patch addressing comments the only change I didn't apply was changing the github to opendev source. Can I ask why we're making this change? Thanks

** Patch added: "lp1820083-tls-params-bionic.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5536537/+files/lp1820083-tls-params-bionic.debdiff
[Bug 1820083] Re: TLS params not set for session
For the record this is the proposed unit test to be added. Since the pastebin is set to expire after one year.

# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

import os
from socket import gethostname

from OpenSSL import crypto

from etcd3gw.client import Etcd3Client
from etcd3gw.tests import base


def create_self_signed_cert():
    # create a key pair
    pub_key = crypto.PKey()
    pub_key.generate_key(crypto.TYPE_RSA, 2048)

    # create a csr
    csr = crypto.X509Req()
    csr.get_subject().C = "US"
    csr.get_subject().ST = "Boston"
    csr.get_subject().L = "Boston"
    csr.get_subject().O = "Test Company Ltd"
    csr.get_subject().OU = "Test Company Ltd"
    csr.get_subject().CN = gethostname()
    csr.set_pubkey(pub_key)
    csr.sign(pub_key, "sha256")

    # create a self-signed cert
    cert = crypto.X509()
    cert.get_subject().C = "US"
    cert.get_subject().ST = "Boston"
    cert.get_subject().L = "Boston"
    cert.get_subject().O = "Test Company Ltd"
    cert.get_subject().OU = "Test Company Ltd"
    cert.get_subject().CN = gethostname()
    cert.set_serial_number(1000)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
    cert.set_issuer(cert.get_subject())
    cert.set_pubkey(pub_key)
    cert.sign(pub_key, "sha256")

    with open('cert.crt', 'w') as crt:
        if crt is not None:
            crt.write(crypto.dump_certificate(crypto.FILETYPE_PEM, cert).decode("utf-8"))

    with open('test.key', 'w') as key:
        if key is not None:
            key.write(crypto.dump_privatekey(crypto.FILETYPE_PEM, pub_key).decode("utf-8"))

    with open('test.ca', 'w') as ca:
        if ca is not None:
            ca.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM, csr).decode("utf-8"))

    crt.close()
    key.close()
    ca.close()


class TestEtcd3Gateway(base.TestCase):

    def test_client_default(self):
        client = Etcd3Client()
        self.assertEqual("http://localhost:2379/v3alpha/lease/grant",
                         client.get_url("/lease/grant"))

    def test_client_ipv4(self):
        client = Etcd3Client(host="127.0.0.1")
        self.assertEqual("http://127.0.0.1:2379/v3alpha/lease/grant",
                         client.get_url("/lease/grant"))

    def test_client_ipv6(self):
        client = Etcd3Client(host="::1")
        self.assertEqual("http://[::1]:2379/v3alpha/lease/grant",
                         client.get_url("/lease/grant"))

    def test_client_tls(self):
        create_self_signed_cert()
        with open('cert.crt', 'r') as crt_file, \
                open('test.key', 'r') as key_file, \
                open('test.ca', 'r') as ca_file:
            client = Etcd3Client(host="127.0.0.1", protocol="https",
                                 ca_cert=ca_file, cert_key=key_file,
                                 cert_cert=crt_file, timeout=10)
            self.assertEqual(client.session.cert, (crt_file, key_file))
            self.assertEqual(client.session.verify, ca_file)
        os.remove("cert.crt")
        os.remove("test.key")
        os.remove("test.ca")
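The unit test above checks the attributes `session.cert` and `session.verify`. As an added example (not part of this thread and not etcd3gw code), the sketch below checks the same property one layer lower: it stubs the requests transport and records which `verify` and `cert` values each request actually receives. `GatewayClient`, `RecordingAdapter`, `effective_tls`, `audit` and the `apply_tls` switch are hypothetical names; the third-party `requests` library is assumed to be installed.

```python
import requests
from requests.adapters import BaseAdapter

# Constructed sample values: the file names used by test.py in this thread.
# They are never opened, because the transport below is a stub.
CA_CERT = "localhost.crt"
CLIENT_CERT = "localhost.crt"
CLIENT_KEY = "localhost.key"


class RecordingAdapter(BaseAdapter):
    """Transport stub: records the TLS settings requests passes down for
    each call and returns a canned 200, so nothing touches the network."""

    def __init__(self):
        super().__init__()
        self.seen = []

    def send(self, request, stream=False, timeout=None, verify=True,
             cert=None, proxies=None):
        self.seen.append({"verify": verify, "cert": cert})
        resp = requests.Response()
        resp.status_code = 200
        resp._content = b"{}"  # pre-filled body, there is no socket to read
        resp.url = request.url
        resp.request = request
        return resp

    def close(self):
        pass


class GatewayClient:
    """Hypothetical HTTPS gateway client (an assumption, not etcd3gw code).

    apply_tls=False models the failure named in the bug title: the options
    are accepted and stored but never set on the requests session.
    """

    def __init__(self, host, ca_cert=None, cert_cert=None, cert_key=None,
                 apply_tls=True):
        self.base_url = "https://%s:2379" % host
        self.ca_cert = ca_cert
        self.cert_cert = cert_cert
        self.cert_key = cert_key
        self.session = requests.Session()
        # Keep environment variables such as REQUESTS_CA_BUNDLE from
        # changing the outcome of this check.
        self.session.trust_env = False
        if apply_tls:
            if ca_cert is not None:
                self.session.verify = ca_cert
            if cert_cert is not None and cert_key is not None:
                self.session.cert = (cert_cert, cert_key)

    def health(self):
        return self.session.get(self.base_url + "/health")


def effective_tls(client):
    """Issue one request through the stub and return what it was given."""
    adapter = RecordingAdapter()
    client.session.mount("https://", adapter)
    client.health()
    return adapter.seen[-1]


def audit(client):
    """List mismatches between configured and effective TLS settings."""
    seen = effective_tls(client)
    findings = []
    if client.ca_cert is not None and seen["verify"] != client.ca_cert:
        findings.append("ca_cert configured, but transport verifies with %r"
                        % (seen["verify"],))
    wanted = (client.cert_cert, client.cert_key)
    if None not in wanted and seen["cert"] != wanted:
        findings.append("client certificate configured, but not presented")
    if seen["verify"] is False:
        findings.append("certificate verification is disabled")
    return findings


if __name__ == "__main__":
    for apply_tls in (False, True):
        client = GatewayClient("127.0.0.1", CA_CERT, CLIENT_CERT, CLIENT_KEY,
                               apply_tls=apply_tls)
        print("apply_tls=%s" % apply_tls, effective_tls(client), audit(client))
```

With `apply_tls=False` the transport still verifies against the default trust store and sends no client certificate, so a server using a private CA or requiring client certificates rejects the connection even though the caller supplied every option.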
[Bug 1820083] Re: TLS params not set for session
[sts-sponsors]

It is looking definitely better. Here's some nitpicking:

# For both Focal and Bionic:

- From: =?UTF-8?q?Tade=C3=A1=C5=A1=20Urs=C3=ADny?=
+ from: Tadeas Ursíny

- Origin: upstream, https://github.com/dims/etcd3-gateway/commit/90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
+ Origin: upstream, https://opendev.org/openstack/etcd3gw/commit/90b7a19

-Bug-Ubuntu: https://bugs.launchpad.net/+bug/1820083
+ Bug-Ubuntu: https://bugs.launchpad.net/bugs/1820083

In order to follow the patch convention name already in place in the src package:
# quilt rename -P lp1820083-Set-transport-options-on-requests-session.patch 0002-Set-transport-options-on-requests-session.patch
(Don't forget to adjust d/changelog accordingly)

# For Bionic is already used in Eoan: 0.2.1-1ubuntu1 Version
https://launchpad.net/ubuntu/+source/python-etcd3gw/0.2.1-1ubuntu1

Please modify the version for not conflicting with another release having the same version already (even if EOL'd). 0.2.1-1ubuntu0.18.04.1 might be preferable here.
[Bug 1820083] Re: TLS params not set for session
pastebin of proposed code changes https://pastebin.canonical.com/p/45jWbygmSV/
[Bug 1820083] Re: TLS params not set for session
adds attachment patch file Set-transport-options-on-requests

** Patch added: "lp1820083-Set-transport-options-on-requests-session.patch"
   https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5536494/+files/lp1820083-Set-transport-options-on-requests-session.patch
[Bug 1820083] Re: TLS params not set for session
revised debdiff without added unit tests, bionic

** Patch removed: "lp1820083-tls-params-bionic.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5471977/+files/lp1820083-tls-params-bionic.debdiff

** Patch added: "lp1820083-tls-params.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5536490/+files/lp1820083-tls-params.debdiff
[Bug 1820083] Re: TLS params not set for session
Revised patch for tls-params removed added unit testing coverage for certs - focal

** Patch removed: "lp1820083-tls-params-focal.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5471981/+files/lp1820083-tls-params-focal.debdiff

** Patch removed: "lp1820083-tls-params-groovy.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5471978/+files/lp1820083-tls-params-groovy.debdiff

** Patch added: "lp1820083-tls-params-focal.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5536483/+files/lp1820083-tls-params-focal.debdiff
[Bug 1820083] Re: TLS params not set for session
Hi Eric, I had added a unit test for better code coverage and a requirement of another LP#1900617 whose unittests were failing, but that might not be needed now. I am still investigating this, Currently launchpad is down so I will be working on this tomorrow as well. Thanks, Heather Lemon
[Bug 1820083] Re: TLS params not set for session
[sts-sponsor]
The debdiff adds a new build-depends for python-openssl[0]. It seems like you made a patch of yours[1] (UBUNTU SAUCE ?? I can't find in the upstream project[2]) since your patch requires crypto in OpenSSL module[3]. Could you elaborate and provide rationale for this patch? And why this is needed here? Ideally, I would prefer not having build-depends in stable release.
- Eric
[0] "+ python3-openssl,"
[1] From 4db59e0620c3696ad654145e33a0ea5e6529b817 Mon Sep 17 00:00:00 2001
From: Heather Lemon
Date: Thu, 25 Feb 2021 16:50:40 -0700
Subject: create new unit test for https etcd server
[2] https://opendev.org/openstack/etcd3gw/commit/4db59e0620c3696ad654145e33a0ea5e6529b817
[3] - ++from OpenSSL import crypto
** Changed in: python-etcd3gw (Ubuntu Groovy)
Assignee: Heather Lemon (hypothetical-lemon) => (unassigned)
[Bug 1820083] Re: TLS params not set for session
[sts-sponsor]
The debdiff adds a new build-depends for 'python-openssl'. It seems like you made a patch of yours[0] that I can't find in the upstream project[1], since your patch requires crypto in OpenSSL module. Could you elaborate and provide rationale for this patch? And why this is needed here? Ideally, I would prefer not having build-depends in stable release.
- Eric
[0] From 4db59e0620c3696ad654145e33a0ea5e6529b817 Mon Sep 17 00:00:00 2001
From: Heather Lemon
Date: Thu, 25 Feb 2021 16:50:40 -0700
Subject: create new unit test for https etcd server
[1] https://opendev.org/openstack/etcd3gw/commit/4db59e0620c3696ad654145e33a0ea5e6529b817
[2] - ++from OpenSSL import crypto
[Bug 1820083] Re: TLS params not set for session
** Tags removed: sts-sponser ** Tags added: sts-sponsor
[Bug 1820083] Re: TLS params not set for session
The Groovy Gorilla has reached end of life, so this bug will not be fixed for that release
** Changed in: python-etcd3gw (Ubuntu Groovy)
Status: In Progress => Won't Fix
[Bug 1820083] Re: TLS params not set for session
** Description changed: [Impact] A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package. [Test Plan] - # Create self signed certs + # Create self signed certs, using the default for all prompts - openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr - *make sure the key has an empty password + $ openssl req -addext "subjectAltName = DNS:localhost" -x509 -keyout + localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.crt - #download binaries & launch etcd locally with TLS enabled + # install 'etcd' package, stop the default server, and spin up ectd + server - wget https://github.com/etcd- - io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz + $ sudo apt install etcd + $ sudo systemctl stop etcd - tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz + $ etcd --name test --data-dir test --cert-file=localhost.crt --key- + file=localhost.key --advertise-client-urls=https://localhost:2379 + --listen-client-urls=https://localhost:2379 - cd etcd-v3.3.14-linux-amd64/ - sudo cp etcd etcdctl /usr/bin/ + # run test script - # spin up ectd server - etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379 - *note I named my directory infra0 + $ cat test.py + #!/usr/bin/python3 - #test connection with health endpoint: + from etcd3gw import Etcd3Client - curl --cacert localhost.crt --key localhost.key --cert localhost.crt - https://127.0.0.1:2379/health + c = Etcd3Client(host="localhost", protocol="https", cert_key="localhost.key", cert_cert="localhost.crt", ca_cert="localhost.crt", timeout=10) + c.put('test', 'success!') + resp = c.get('test') + print(b''.join(resp).decode()) - #if successful, the etcd server is configured with https - {"health": "true"} - - Modify 
~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py - to add this unit test. - - def test_client_tls(self): - client = Etcd3Client(host="127.0.0.1", protocol="https", ca_cert="/root/etcdserver.crt", - cert_key="/root/etcdserver.key", - cert_cert="/root/etcdserver.crt", - timeout=10) - client.create("foo", value="bar") - client.put("foo", "bar") - resp = client.get("foo") - print(resp) - - # Run the newly added unit test - - python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls - - We get an error in both the unit test and an error from the etcd server unit test error we are looking for: - # error in etcd - OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "") - - error in unit test - - python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls - - E - == - ERROR: test_client_tls (test_client.TestEtcd3Gateway) - test_client.TestEtcd3Gateway.test_client_tls - -- - testtools.testresult.real._StringException: Traceback (most recent call last): - File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen - chunked=chunked) - File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request - self._validate_conn(conn) - File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 852, in _validate_conn - conn.connect() - File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 340, in connect - ssl_context=context) - File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 332, in ssl_wrap_socket - return context.wrap_socket(sock, server_hostname=server_hostname) - File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket - _context=self, _session=session) - File "/usr/lib/python3.6/ssl.py", line 817, in __init__ - self.do_handshake() - File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake - 
self._sslobj.do_handshake() - File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake - self._sslobj.do_handshake() - ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852) - - During handling of the above exception, another exception occurred: - - Traceback (most recent call last): - File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send - timeout=timeout - File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 639, in urlopen - _stacktrace=sys.exc_info()[2]) - File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 398, in increment - raise MaxRetryError(_pool, url, error or ResponseError(
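Review bot: in the revised test plan, test.py passes localhost.crt as both ca_cert and cert_cert, and the visible part of the new plan no longer says what a pass or a fail looks like. The removed text named the pre-fix signature (CERTIFICATE_VERIFY_FAILED on the client side, "remote error: tls: bad certificate" in the etcd log), while the new script only prints the stored value. Suggest adding one line with the expected output on the patched package ("success!") and one with the expected failure on the unpatched package, and noting that a single file can serve as CA and client certificate here only because the certificate is self-signed. The added comment "spin up ectd server" also keeps the "ectd" typo.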
[Bug 1820083] Re: TLS params not set for session
** Tags added: sts-sponser
[Bug 1820083] Re: TLS params not set for session
** Description changed: [Impact] A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package. [Test Plan] # Create self signed certs openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr *make sure the key has an empty password #download binaries & launch etcd locally with TLS enabled wget https://github.com/etcd- io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz cd etcd-v3.3.14-linux-amd64/ sudo cp etcd etcdctl /usr/bin/ # spin up ectd server etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379 *note I named my directory infra0 #test connection with health endpoint: curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health #if successful, the etcd server is configured with https {"health": "true"} Modify ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py to add this unit test. 
def test_client_tls(self): client = Etcd3Client(host="127.0.0.1", protocol="https", ca_cert="/root/etcdserver.crt", cert_key="/root/etcdserver.key", cert_cert="/root/etcdserver.crt", timeout=10) client.create("foo", value="bar") - client.put("foo") + client.put("foo", "bar") resp = client.get("foo") print(resp) # Run the newly added unit test python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls We get an error in both the unit test and an error from the etcd server unit test error we are looking for: # error in etcd OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "") error in unit test python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls E == ERROR: test_client_tls (test_client.TestEtcd3Gateway) test_client.TestEtcd3Gateway.test_client_tls -- testtools.testresult.real._StringException: Traceback (most recent call last): File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen chunked=chunked) File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request self._validate_conn(conn) File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 852, in _validate_conn conn.connect() File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 340, in connect ssl_context=context) File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 332, in ssl_wrap_socket return context.wrap_socket(sock, server_hostname=server_hostname) File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket _context=self, _session=session) File "/usr/lib/python3.6/ssl.py", line 817, in __init__ self.do_handshake() File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake self._sslobj.do_handshake() File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: 
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852) During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send timeout=timeout File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 639, in urlopen _stacktrace=sys.exc_info()[2]) File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 398, in increment raise MaxRetryError(_pool, url, error or ResponseError(cause)) urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='127.0.0.1', port=2379): Max retries exceeded with url: /v3alpha/kv/txn (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),)) During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 89, in post resp = self.session.post(*args, **kwargs) File "/usr/lib/python3/dist-packages/requests/sessions.py", line 567, in post return self.request('POST', url, data=data, json=json, **kwargs) File "/usr/lib/python3/dist-packages/requests/sessions.py", line 520, in request resp = self.send(prep, **send_kwargs) File "/usr/lib/python3/dis
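Review bot: around the changed client.put("foo", "bar") line, test_client_tls still ends in print(resp) with no assertion, so the test passes whenever no exception is raised, whatever the server returned. Suggest replacing the print with an assertion on the value read back by client.get("foo"), so that the test checks the round trip over the TLS session and not only that the handshake did not fail.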
[Bug 1820083] Re: TLS params not set for session
** Description changed: [Impact] A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package. [Test Plan] # Create self signed certs openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr *make sure the key has an empty password #download binaries & launch etcd locally with TLS enabled wget https://github.com/etcd- io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz cd etcd-v3.3.14-linux-amd64/ sudo cp etcd etcdctl /usr/bin/ # spin up ectd server etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379 *note I named my directory infra0 #test connection with health endpoint: curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health #if successful, the etcd server is configured with https {"health": "true"} Modify ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py def test_client_tls(self): - client = Etcd3Client(host="127.0.0.1", protocol="https", ca_cert="/home/heather/etcdserver.crt", - cert_key="/home/heather/etcdserver.key", - cert_cert="/home/heather/etcdserver.crt", + client = Etcd3Client(host="127.0.0.1", protocol="https", ca_cert="/root/etcdserver.crt", + cert_key="/root/etcdserver.key", + cert_cert="/root/etcdserver.crt", timeout=10) client.create("foo", value="bar") client.put("foo") resp = client.get("foo") print(resp) # Run the newly added unit test python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls We get an error in both the unit test and an error from the etcd server unit test error we are looking for: # error in etcd OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected 
connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "") error in unit test python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls E == ERROR: test_client_tls (test_client.TestEtcd3Gateway) test_client.TestEtcd3Gateway.test_client_tls -- testtools.testresult.real._StringException: Traceback (most recent call last): - File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen - chunked=chunked) - File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request - self._validate_conn(conn) - File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 852, in _validate_conn - conn.connect() - File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 340, in connect - ssl_context=context) - File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 332, in ssl_wrap_socket - return context.wrap_socket(sock, server_hostname=server_hostname) - File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket - _context=self, _session=session) - File "/usr/lib/python3.6/ssl.py", line 817, in __init__ - self.do_handshake() - File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake - self._sslobj.do_handshake() - File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake - self._sslobj.do_handshake() + File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen + chunked=chunked) + File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request + self._validate_conn(conn) + File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 852, in _validate_conn + conn.connect() + File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 340, in connect + ssl_context=context) + File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 332, in ssl_wrap_socket + return context.wrap_socket(sock, server_hostname=server_hostname) + File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket 
+ _context=self, _session=session) + File "/usr/lib/python3.6/ssl.py", line 817, in __init__ + self.do_handshake() + File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake + self._sslobj.do_handshake() + File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake + self._sslobj.do_handshake() ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852) During handling of the above exception, another exception occurred: Traceback (most recent call last): - File "/usr/
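Review bot: the test in this revision still points at absolute paths (now /root/etcdserver.crt and /root/etcdserver.key), while the openssl step earlier in the same plan creates localhost.crt and localhost.key in the working directory. As written, the plan cannot be followed without renaming or copying files, and it assumes the tester runs as root. Suggest using the same file names as the openssl step, relative to the directory the test is run from.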
[Bug 1820083] Re: TLS params not set for session
** Description changed: [Impact] A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package. [Test Plan] # Create self signed certs openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr *make sure the key has an empty password #download binaries & launch etcd locally with TLS enabled wget https://github.com/etcd- io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz cd etcd-v3.3.14-linux-amd64/ sudo cp etcd etcdctl /usr/bin/ # spin up ectd server etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379 *note I named my directory infra0 #test connection with health endpoint: curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health #if successful, the etcd server is configured with https {"health": "true"} Modify ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py def test_client_tls(self): - client = Etcd3Client(host="127.0.0.1", protocol="https", ca_cert="/home/heather/etcdserver.crt", - cert_key="/home/heather/etcdserver.key", - cert_cert="/home/heather/etcdserver.crt", - timeout=10) - client.create("foo", value="bar") - client.put("foo") - resp = client.get("foo") - print(resp) + client = Etcd3Client(host="127.0.0.1", protocol="https", ca_cert="/home/heather/etcdserver.crt", + cert_key="/home/heather/etcdserver.key", + cert_cert="/home/heather/etcdserver.crt", + timeout=10) + client.create("foo", value="bar") + client.put("foo") + resp = client.get("foo") + print(resp) # Run the newly added unit test python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls - We get an error in both the unit test and an error from the etcd server - unit test error we are looking for: + We get an 
error in both the unit test and an error from the etcd server unit test error we are looking for: + # error in etcd + OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "") - OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', - 'certificate verify failed')] related etcd error: I | embed: rejected - connection from "127.0.0.1:44244" (error "remote error: tls: bad - certificate", ServerName "") + error in unit test - If you are testing with the added unit test, then make sure there is no - etcd server running already. + python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls + + E + == + ERROR: test_client_tls (test_client.TestEtcd3Gateway) + test_client.TestEtcd3Gateway.test_client_tls + -- + testtools.testresult.real._StringException: Traceback (most recent call last): + File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen + chunked=chunked) + File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request + self._validate_conn(conn) + File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 852, in _validate_conn + conn.connect() + File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 340, in connect + ssl_context=context) + File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 332, in ssl_wrap_socket + return context.wrap_socket(sock, server_hostname=server_hostname) + File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket + _context=self, _session=session) + File "/usr/lib/python3.6/ssl.py", line 817, in __init__ + self.do_handshake() + File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake + self._sslobj.do_handshake() + File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake + self._sslobj.do_handshake() + ssl.SSLError: [SSL: 
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852) + + During handling of the above exception, another exception occurred: + + Traceback (most recent call last): + File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send + timeout=timeout + File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 639, in urlopen + _stacktrace=sys.exc_info()[2]) + File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 398, in increment + raise MaxRetryError(_pool, url, error or ResponseError(cause)) + urllib3.exceptions.MaxRetryE
[Bug 1820083] Re: TLS params not set for session
** Description changed: [Impact] A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package. [Test Plan] # Create self signed certs openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr *make sure the key has an empty password #download binaries & launch etcd locally with TLS enabled wget https://github.com/etcd- io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz cd etcd-v3.3.14-linux-amd64/ sudo cp etcd etcdctl /usr/bin/ # spin up ectd server etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379 *note I named my directory infra0 #test connection with health endpoint: curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health #if successful, the etcd server is configured with https {"health": "true"} Modify ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py def test_client_tls(self): - client = Etcd3Client(host="127.0.0.1", protocol="https", ca_cert="/root/etcdserver.crt", cert_key="/root/etcdserver.key", - cert_cert="/root/etcdserver.crt", timeout=10) - client.create("foo", value="bar") - client.get("foo") + client = Etcd3Client(host="127.0.0.1", protocol="https", ca_cert="/home/heather/etcdserver.crt", + cert_key="/home/heather/etcdserver.key", + cert_cert="/home/heather/etcdserver.crt", + timeout=10) + client.create("foo", value="bar") + client.put("foo") + resp = client.get("foo") + print(resp) # Run the newly added unit test python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls We get an error in both the unit test and an error from the etcd server unit test error we are looking for: OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate 
verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "") If you are testing with the added unit test, then make sure there is no etcd server running already. Unit test console output: - python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls - /home/heather/.local/lib/python3.8/site-packages/urllib3/connection.py:455: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.) - warnings.warn( - 127.0.0.1 - - [25/Feb/2021 16:43:48] "GET /health HTTP/1.1" 200 - + root@ubuntu-bionic:~/githubsource-pythonetcd3gw/etcd3-gateway/etcd3gw/tests# python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls + /usr/lib/python3/dist-packages/urllib3/connection.py:358: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.) + SubjectAltNameWarning + [b'bar'] + /usr/lib/python3/dist-packages/testtools/testcase.py:719: ResourceWarning: unclosed + return self._get_test_method()() . -- - Ran 1 test in 0.107s + Ran 1 test in 0.048s OK - - - The unit test I've made is an echo of the test_client.py code we've just updated. - # + The unit test I've made is an echo of the test_client.py code we've just + updated. + + # Testing out the new unit test from the source code changes. - I have added a new unit test that tests the setting of TLS params. - You can run the unit test with: + I have added a new unit test that tests the setting of TLS params. + You can run the unit test with: python3 -m unittest again make sure there's no etcd server already running. 
- [Where Problems Could Occur] This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before. [Other] the upstream bug is https://github.com/dims/etcd3-gateway/issues/20 fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21 via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0 that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial.
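Review bot: the console output added in this revision still shows SubjectAltNameWarning ("Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName`"), so the test certificate verifies only through the commonName fallback that the warning itself calls deprecated. The openssl req command in the plan sets no subjectAltName and passes -out twice (localhost.crt, then localhost.csr). Suggest generating the certificate with a subjectAltName matching the host the client connects to, and with a single -out. The added test also calls client.put("foo") without a value.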
[Bug 1820083] Re: TLS params not set for session
** Description changed: [Impact] A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package. [Test Plan] - There are two test workflows to follow. - - testing the patch with self signed certs and etcd server running locally - - running newly created unit tests for TLS params - - # Create self signed certs openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr *make sure the key has an empty password #download binaries & launch etcd locally with TLS enabled wget https://github.com/etcd- io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz cd etcd-v3.3.14-linux-amd64/ sudo cp etcd etcdctl /usr/bin/ # spin up ectd server etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379 *note I named my directory infra0 #test connection with health endpoint: curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health #if successful, the etcd server is configured with https {"health": "true"} - View test changes inside of ~/python- - etcd3gw-0.2.1/etcd3gw/tests/test_client.py + Modify ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py - Run the newly added unit test, or run the whole test suite with: - python3 unittest + def test_client_tls(self): + client = Etcd3Client(host="127.0.0.1", protocol="https", ca_cert="/root/etcdserver.crt", cert_key="/root/etcdserver.key", + cert_cert="/root/etcdserver.crt", timeout=10) + client.create("foo", value="bar") + client.get("foo") + + # Run the newly added unit test python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls We get an error in both the unit test and an error from the etcd server unit test error we are looking for: OpenSSL.SSL.Error: [('SSL 
routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "") If you are testing with the added unit test, then make sure there is no etcd server running already. Unit test console output: python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls /home/heather/.local/lib/python3.8/site-packages/urllib3/connection.py:455: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.) warnings.warn( 127.0.0.1 - - [25/Feb/2021 16:43:48] "GET /health HTTP/1.1" 200 - . -- Ran 1 test in 0.107s OK + - + The unit test I've made is an echo of the test_client.py code we've just updated. + + # + Testing out the new unit test from the source code changes. + + I have added a new unit test that tests the setting of TLS params. + You can run the unit test with: + + python3 -m unittest + + again make sure there's no etcd server already running. + [Where Problems Could Occur] - - -failed tls connections - -failed unit tests This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before. - - Unit test failures. Created a new unit test for testing the TLS session - parameters. This also creates a mock etcd server to connect and test - certification information of self signed certs. 
[Other] the upstream bug is https://github.com/dims/etcd3-gateway/issues/20 fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21 via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0 that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial.
[Bug 1820083] Re: TLS params not set for session
** Description changed: [Impact] A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package. [Test Plan] + There are two test workflows to follow. + - testing the patch with self signed certs and etcd server running locally + - running newly created unit tests for TLS params + - # Create self signed certs openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr *make sure the key has an empty password #download binaries & launch etcd locally with TLS enabled wget https://github.com/etcd- io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz cd etcd-v3.3.14-linux-amd64/ sudo cp etcd etcdctl /usr/bin/ # spin up ectd server etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379 *note I named my directory infra0 #test connection with health endpoint: curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health #if successful, the etcd server is configured with https {"health": "true"} - Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py + View test changes inside of ~/python- + etcd3gw-0.2.1/etcd3gw/tests/test_client.py - Run the newly added unit test + Run the newly added unit test, or run the whole test suite with: + python3 unittest python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls We get an error in both the unit test and an error from the etcd server unit test error we are looking for: OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "") If you are testing with the added unit test, then 
make sure there is no etcd server running already. Unit test console output: python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls /home/heather/.local/lib/python3.8/site-packages/urllib3/connection.py:455: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.) warnings.warn( 127.0.0.1 - - [25/Feb/2021 16:43:48] "GET /health HTTP/1.1" 200 - . -- Ran 1 test in 0.107s OK [Where Problems Could Occur] + -failed tls connections + -failed unit tests + This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before. + + Unit test failures. Created a new unit test for testing the TLS session + parameters. This also creates a mock etcd server to connect and test + certification information of self signed certs. [Other] the upstream bug is https://github.com/dims/etcd3-gateway/issues/20 fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21 via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0 that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial.
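Review bot: the added test-plan line `python3 unittest` is not a runnable command; to run the whole suite it should read `python3 -m unittest`. In the unchanged steps, wget fetches etcd-v3.3.13-linux-amd64.tar.gz while tar and cd use etcd-v3.3.14-linux-amd64, so the plan stops at the extract step unless one version is used throughout. The openssl req line also passes -out twice (localhost.crt and localhost.csr) although every later step reads localhost.crt; keep only `-out localhost.crt`.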
[Bug 1820083] Re: TLS params not set for session
redo focal debdiff alphabetized control file

** Patch added: "lp1820083-tls-params-focal.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5471981/+files/lp1820083-tls-params-focal.debdiff
[Bug 1820083] Re: TLS params not set for session
redo groovy control file is alphabetized (03-02-2021)

** Patch removed: "lp1820083-tls-params-groovy.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5471966/+files/lp1820083-tls-params-groovy.debdiff

** Patch added: "lp1820083-tls-params-groovy.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5471978/+files/lp1820083-tls-params-groovy.debdiff

** Patch removed: "lp1820083-tls-params-focal.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5471964/+files/lp1820083-tls-params-focal.debdiff
[Bug 1820083] Re: TLS params not set for session
debdiff bionic (03-02-2021)

** Patch added: "lp1820083-tls-params-bionic.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5471977/+files/lp1820083-tls-params-bionic.debdiff
[Bug 1820083] Re: TLS params not set for session
debdiff for groovy (03-03-2021)

** Patch added: "lp1820083-tls-params-groovy.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5471966/+files/lp1820083-tls-params-groovy.debdiff
[Bug 1820083] Re: TLS params not set for session
updated focal debdiff patch (03-02-2021)

** Patch added: "lp1820083-tls-params-focal.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5471964/+files/lp1820083-tls-params-focal.debdiff
[Bug 1820083] Re: TLS params not set for session
deleted all previous attachments

** Patch removed: "lp1820083-set-tls-groovy.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5464270/+files/lp1820083-set-tls-groovy.debdiff

** Patch removed: "lp1820083-Set-transport-options-bionic.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5464369/+files/lp1820083-Set-transport-options-bionic.debdiff

** Patch removed: "lp1820083-Set-transport-options-focal.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5464370/+files/lp1820083-Set-transport-options-focal.debdiff

** Attachment removed: "test_client.py"
   https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5467262/+files/test_client.py

** Attachment removed: "0001-create-new-unit-test-for-https-etcd-server.patch"
   https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5467263/+files/0001-create-new-unit-test-for-https-etcd-server.patch
[Bug 1820083] Re: TLS params not set for session
attached format-patch unit test changes ** Patch added: "0001-create-new-unit-test-for-https-etcd-server.patch" https://bugs.launchpad.net/ubuntu/focal/+source/python-etcd3gw/+bug/1820083/+attachment/5467263/+files/0001-create-new-unit-test-for-https-etcd-server.patch ** Description changed: [Impact] A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS. [Test Plan] # Create self signed certs openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr *make sure the key has an empty password #download binaries & launch etcd locally with TLS enabled wget https://github.com/etcd- io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz cd etcd-v3.3.14-linux-amd64/ sudo cp etcd etcdctl /usr/bin/ # spin up ectd server etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379 *note I named my directory infra0 #test connection with health endpoint: curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health #if successful, the etcd server is configured with https {"health": "true"} Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py Run the newly added unit test python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls We get an error in both the unit test and an error from the etcd server unit test error we are looking for: OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "") + If you are testing with the added unit test, then make sure there is no + etcd server running already. 
+ + Unit test console output: + + python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls + /home/heather/.local/lib/python3.8/site-packages/urllib3/connection.py:455: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.) + warnings.warn( + 127.0.0.1 - - [25/Feb/2021 16:43:48] "GET /health HTTP/1.1" 200 - + . + -- + Ran 1 test in 0.107s + + OK + + [Where Problems Could Occur] This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before. [Other] the upstream bug is https://github.com/dims/etcd3-gateway/issues/20 fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21 via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0 that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionicand Focal. This package was not included in Xenial. ** Description changed: [Impact] A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use - of TLS. + of TLS for the etcd3gw package. 
[Test Plan] # Create self signed certs openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr *make sure the key has an empty password #download binaries & launch etcd locally with TLS enabled wget https://github.com/etcd- io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz cd etcd-v3.3.14-linux-amd64/ sudo cp etcd etcdctl /usr/bin/ # spin up ectd server etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379 *note I named my directory infra0 #test connection with health endpoint: curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health #if successful, the etcd server is configured with https {"health": "true"} Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py Run the newly added unit test python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls We get an error in both the unit test and an error from the etcd server unit test error we are looking for: OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connecti
[Bug 1820083] Re: TLS params not set for session
```
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

import os
import ssl
import socket
import threading

from OpenSSL import crypto
from etcd3gw.client import Etcd3Client
from etcd3gw.tests import base
from future.backports.http.server import (HTTPServer as _HTTPServer,
                                          SimpleHTTPRequestHandler,
                                          BaseHTTPRequestHandler)


class ETCDMock(_HTTPServer):

    def __init__(self, server_address, handler_class, context):
        _HTTPServer.__init__(self, server_address, handler_class)
        self.context = context

    def __str__(self):
        return ('<%s %s:%s>' %
                (self.__class__.__name__,
                 self.server_name,
                 self.server_port))

    def get_request(self):
        # Wrap every accepted connection in TLS using the supplied context.
        try:
            sock, addr = self.socket.accept()
            sslconn = self.context.wrap_socket(sock, server_side=True)
            self.sock = sock
        except socket.error as e:
            print("failure in etcdservermock: %s" % e)
            exit(1)
        return sslconn, addr


class ETCDMockRequestHandler(SimpleHTTPRequestHandler):
    protocol_version = "HTTP/1.0"

    def do_GET(self):
        if self.path == "/health":
            example_response = b"{health:true}"
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", len(example_response))
            self.end_headers()
            self.wfile.write(example_response)
        else:
            super().do_GET()

    def do_POST(self):
        if self.path == "/maintenance/status":
            example_response = b"{health:true}"
            self.send_response(200)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", len(example_response))
            self.end_headers()
            self.wfile.write(example_response)
        else:
            # SimpleHTTPRequestHandler defines no do_POST, so answer other
            # paths with 501 rather than calling a missing parent method.
            self.send_error(501, "Unsupported method ('POST')")


class ETCDServerThread(threading.Thread):

    def __init__(self, context):
        self.flag = None
        self.server = ETCDMock(('127.0.0.1', 2379),
                               ETCDMockRequestHandler,
                               context)
        self.port = self.server.server_port
        threading.Thread.__init__(self)
        self.daemon = True

    def __str__(self):
        return "<%s %s>" % (self.__class__.__name__, self.server)

    def start(self, flag=None):
        self.flag = flag
        threading.Thread.start(self)

    def run(self):
        if self.flag:
            self.flag.set()
        try:
            self.server.serve_forever(0.05)
        finally:
            self.server.server_close()

    def stop(self):
        self.server.shutdown()


def create_self_signed_cert():
    # create a key pair
    pub_key = crypto.PKey()
    pub_key.generate_key(crypto.TYPE_RSA, 2048)

    # create a csr
    csr = crypto.X509Req()
    csr.get_subject().C = "US"
    csr.get_subject().ST = "Boston"
    csr.get_subject().L = "Boston"
    csr.get_subject().O = "Test Company Ltd"
    csr.get_subject().OU = "Test Company Ltd"
    csr.get_subject().CN = "127.0.0.1"
    csr.set_pubkey(pub_key)
    csr.sign(pub_key, "sha256")

    # create a self-signed cert
    cert = crypto.X509()
    cert.get_subject().C = "US"
    cert.get_subject().ST = "Boston"
    cert.get_subject().L = "Boston"
    cert.get_subject().O = "Test Company Ltd"
    cert.get_subject().OU = "Test Company Ltd"
    cert.get_subject().CN = "127.0.0.1"
    cert.set_serial_number(1000)
    cert.gmtime_adj_notBefore(0)
    cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60)
    cert.set_issuer(cert.get_subject())
    cert.set_pubkey(pub_key)
    cert.sign(pub_key, "sha256")

    cert_file = 'test.crt'
    key_file = 'test.key'
    ca_file = 'test.ca'

    with open(cert_file, 'w') as crt:
        if crt is not None:
            crt.write(crypto.dump_certificate(crypto.FILETYPE_PEM,
                                              cert).decode("utf-8"))

    with open(key_file, 'w') as key:
        if key is not None:
            key.write(crypto.dump_privatekey(crypto.FILETYPE_PEM,
                                             pub_key).decode("utf-8"))

    with open(ca_file, 'w') as ca:
        if ca is not None:
            ca.write(crypto.dump_certificate_request(crypto.FILETYPE_PEM,
                                                     csr).decode("utf-8"))

    # The certificate is self-signed, so it is returned as its own CA file.
    return cert_file, key_file, cert_file


class TestEtcd3Gateway(base.TestCase):

    def test_client_default(self):
        client = Etcd3Client()
        self.assertEqual("http://localhost:2379/v3alpha/lease/grant",
```
[Bug 1820083] Re: TLS params not set for session
updated unit test code

** Attachment added: "test_client.py"
   https://bugs.launchpad.net/ubuntu/focal/+source/python-etcd3gw/+bug/1820083/+attachment/5467262/+files/test_client.py
[Bug 1820083] Re: TLS params not set for session
** Description changed: [Impact] A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS. [Test Plan] # Create self signed certs openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr *make sure the key has an empty password #download binaries & launch etcd locally with TLS enabled wget https://github.com/etcd- io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz cd etcd-v3.3.14-linux-amd64/ sudo cp etcd etcdctl /usr/bin/ etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379 *note I named my directory infra0 # spin up etcd server etcd & test connection with health endpoint: curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health if successful, {"health": "true"} Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py Add a new unit test ``` def test_client_tls(self): client = Etcd3Client(host="localhost", protocol="https", ca_cert="~/localhost.crt",cert_key="~/localhost.key", cert_cert="~/user.crt", timeout=10) - response = client.get("/health") + response = client.get("/health") print(response) ``` Run the newly added unit test - python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls + python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls We get an error in both the unit test and an error from the etcd server unit test error we are looking for: OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "") [Where Problems Could Occur] This adds TLS parameters (if provided) to the session, so regressions 
would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before. [Other] the upstream bug is https://github.com/dims/etcd3-gateway/issues/20 fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21 via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0 that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionicand Focal. This package was not included in Xenial.
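Review bot: test_client_tls only prints the response, so it can fail on an exception but never on a wrong result; replace `print(response)` with an assertion on the response. The ca_cert, cert_key and cert_cert values start with "~/", which a shell expands but a Python string literal does not, and cert_cert points at ~/user.crt although the steps above only create localhost.crt and localhost.key. Use absolute paths to the files the test plan actually creates.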
[Bug 1820083] Re: TLS params not set for session
** Description changed: [Impact] A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS. [Test Plan] # Create self signed certs openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr *make sure the key has an empty password #download binaries & launch etcd locally with TLS enabled wget https://github.com/etcd- io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz cd etcd-v3.3.14-linux-amd64/ sudo cp etcd etcdctl /usr/bin/ etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379 *note I named my directory infra0 # spin up etcd server etcd & test connection with health endpoint: curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health if successful, {"health": "true"} - Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py - Add a new unit test + Add a new unit test ``` def test_client_tls(self): client = Etcd3Client(host="localhost", protocol="https", ca_cert="~/localhost.crt",cert_key="~/localhost.key", cert_cert="~/user.crt", timeout=10) - response = client.get("/health") print(response) + response = client.get("/health") + print(response) ``` Run the newly added unit test python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls We get an error in both the unit test and an error from the etcd server unit test error we are looking for: OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "") [Where Problems Could Occur] This adds TLS parameters (if provided) to the session, so regressions would involve failed 
connections, possibly those without TLS that had TLS params incorrectly provided before. [Other] the upstream bug is https://github.com/dims/etcd3-gateway/issues/20 fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21 via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0 that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionicand Focal. This package was not included in Xenial.
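The defect described under [Impact], reduced to an offline check of what actually reaches the HTTP transport; this is an added example, not code from etcd3gw or from the bug report. `UnsetTLSClient`, `SetTLSClient`, `RecordingAdapter`, `transport_settings` and `tls_gaps` are hypothetical names, the file paths are constructed placeholders, and the `requests` library is assumed to be installed.

```python
import requests
from requests.adapters import BaseAdapter


class RecordingAdapter(BaseAdapter):
    """Stand-in transport: records what requests hands to the transport
    layer and returns a canned reply, so the probe never opens a socket."""

    def __init__(self):
        super().__init__()
        self.seen = []

    def send(self, request, stream=False, timeout=None, verify=True,
             cert=None, proxies=None):
        self.seen.append({"url": request.url, "verify": verify,
                          "cert": cert, "timeout": timeout})
        reply = requests.Response()
        reply.status_code = 200
        reply.url = request.url
        reply.request = request
        reply._content = b'{"health": "true"}'  # constructed body
        return reply

    def close(self):
        pass


class UnsetTLSClient:
    """Hypothetical client with the defect: the TLS arguments are accepted
    and stored, but the session that sends requests never receives them."""

    def __init__(self, host="localhost", port=2379, protocol="http",
                 ca_cert=None, cert_key=None, cert_cert=None, timeout=None):
        self.base_url = "%s://%s:%d" % (protocol, host, port)
        self.ca_cert = ca_cert
        self.cert_key = cert_key
        self.cert_cert = cert_cert
        self.timeout = timeout
        self.session = requests.Session()

    def get(self, path):
        return self.session.get(self.base_url + path)


class SetTLSClient(UnsetTLSClient):
    """Same hypothetical client with the parameters applied."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        if self.ca_cert is not None:
            self.session.verify = self.ca_cert
        if self.cert_cert is not None and self.cert_key is not None:
            self.session.cert = (self.cert_cert, self.cert_key)

    def get(self, path):
        # requests has no session-wide timeout setting, so the timeout
        # has to be passed on every call.
        return self.session.get(self.base_url + path, timeout=self.timeout)


def transport_settings(client, path="/health"):
    """Send one request through a RecordingAdapter and return its kwargs."""
    recorder = RecordingAdapter()
    client.session.mount("https://", recorder)
    # Keep REQUESTS_CA_BUNDLE and proxy environment variables out of the probe.
    client.session.trust_env = False
    client.get(path)
    return recorder.seen[0]


def tls_gaps(client):
    """Compare what the caller configured with what reached the transport."""
    got = transport_settings(client)
    gaps = []
    if client.ca_cert is not None and got["verify"] != client.ca_cert:
        gaps.append("ca_cert ignored: verify=%r" % (got["verify"],))
    wanted_cert = (client.cert_cert, client.cert_key)
    if None not in wanted_cert and got["cert"] != wanted_cert:
        gaps.append("client certificate ignored: cert=%r" % (got["cert"],))
    if client.timeout is not None and got["timeout"] != client.timeout:
        gaps.append("timeout ignored: timeout=%r" % (got["timeout"],))
    return gaps


# Constructed arguments; the files do not need to exist for this probe.
SAMPLE_ARGS = dict(host="127.0.0.1", protocol="https",
                   ca_cert="/constructed/ca.crt",
                   cert_cert="/constructed/client.crt",
                   cert_key="/constructed/client.key",
                   timeout=10)

if __name__ == "__main__":
    for cls in (UnsetTLSClient, SetTLSClient):
        print(cls.__name__, tls_gaps(cls(**SAMPLE_ARGS)) or "no gaps")
```

With the parameters unset, the request goes out with the default trust store and no client certificate, which against a self-signed etcd endpoint produces the "certificate verify failed" and "bad certificate" errors quoted in the test plan.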
[Bug 1820083] Re: TLS params not set for session
** Description changed: [Impact] A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS. [Test Plan] # Create self signed certs openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr *make sure the key has an empty password #download binaries & launch etcd locally with TLS enabled wget https://github.com/etcd- io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz cd etcd-v3.3.14-linux-amd64/ sudo cp etcd etcdctl /usr/bin/ etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379 *note I named my directory infra0 + # spin up etcd server + etcd & + test connection with health endpoint: curl --cacert localhost.crt --key localhost.key --cert localhost.crt - https://localhost:2379/health + https://127.0.0.1:2379/health if successful, {"health": "true"} - touch test_client.py + Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py + Add a new unit test ``` def test_client_tls(self): client = Etcd3Client(host="localhost", protocol="https", ca_cert="~/localhost.crt",cert_key="~/localhost.key", cert_cert="~/user.crt", timeout=10) response = client.get("/health") print(response) ``` Run the newly added unit test python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls We get an error in both the unit test and an error from the etcd server unit test error we are looking for: OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "") [Where Problems Could Occur] This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, 
possibly those without TLS that had TLS params incorrectly provided before. [Other] the upstream bug is https://github.com/dims/etcd3-gateway/issues/20 fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21 via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0 that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionicand Focal. This package was not included in Xenial.
[Bug 1820083] Re: TLS params not set for session
** Description changed: [Impact] A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS. [Test Plan] # Create self signed certs openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr *make sure the key has an empty password #download binaries & launch etcd locally with TLS enabled - cd ~ wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz cd etcd-v3.3.14-linux-amd64/ - sudo mv etcd etcdctl /usr/bin/ - cd ~ rm -rf etcd-v3.3.14-linux-amd64* + + wget https://github.com/etcd- + io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz + + tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz + + cd etcd-v3.3.14-linux-amd64/ + sudo cp etcd etcdctl /usr/bin/ + + etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379 *note I named my directory infra0 - etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key- - file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 - --listen-client-urls=https://127.0.0.1:2379 + test connection with health endpoint: curl --cacert localhost.crt --key + localhost.key --cert localhost.crt https://localhost:2379/health - test connection with health endpoint: curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health if successful, {"health": "true"} + if successful, {"health": "true"} + + touch test_client.py Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py + ``` def test_client_tls(self): client = Etcd3Client(host="localhost", protocol="https", ca_cert="~/localhost.crt",cert_key="~/localhost.key", cert_cert="~/user.crt", timeout=10) response = client.get("/health") print(response) ``` - Run the newly added unit test 
python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls We get an error in both the unit test and an error from the etcd server unit test error we are looking for: OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "") + + Run the newly added unit test + + python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls + + We get an error in both the unit test and an error from the etcd server + unit test error we are looking for: + + OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', + 'certificate verify failed')] related etcd error: I | embed: rejected + connection from "127.0.0.1:44244" (error "remote error: tls: bad + certificate", ServerName "") [Where Problems Could Occur] This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before. [Other] the upstream bug is https://github.com/dims/etcd3-gateway/issues/20 fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21 via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0 that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionicand Focal. This package was not included in Xenial. ** Description changed: [Impact] A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS. 
[Test Plan] # Create self signed certs openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr *make sure the key has an empty password #download binaries & launch etcd locally with TLS enabled wget https://github.com/etcd- io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz cd etcd-v3.3.14-linux-amd64/ sudo cp etcd etcdctl /usr/bin/ etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379 *note I named my directory infra0 - test connection with health endpoint: curl --cacert localhost.crt --key - localhost.key --cert localhost.crt https://localhost:2379/health + test connection with health endpoint: + + curl --cacert localhost.crt --key localhost.key --cert localhost.crt + https://localhost:2379/health if successful, {"health": "true"} touch test_client.py Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py ``` def test_client_tls(self): client = Etcd3Client(host="localhost", protoco
[Bug 1820083] Re: TLS params not set for session
** Description changed: [Impact] A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS. - [Test Case] + [Test Plan] # Create self signed certs openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr *make sure the key has an empty password #download binaries & launch etcd locally with TLS enabled cd ~ wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz cd etcd-v3.3.14-linux-amd64/ sudo mv etcd etcdctl /usr/bin/ cd ~ rm -rf etcd-v3.3.14-linux-amd64* *note I named my directory infra0 etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key- file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379 test connection with health endpoint: curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health if successful, {"health": "true"} Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py ``` def test_client_tls(self): client = Etcd3Client(host="localhost", protocol="https", ca_cert="~/localhost.crt",cert_key="~/localhost.key", cert_cert="~/user.crt", timeout=10) response = client.get("/health") print(response) ``` Run the newly added unit test python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls We get an error in both the unit test and an error from the etcd server unit test error we are looking for: OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "") [Where Problems Could Occur] This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly 
provided before. [Other] the upstream bug is https://github.com/dims/etcd3-gateway/issues/20 fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21 via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0 that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionicand Focal. This package was not included in Xenial.
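Review bot: The openssl step in the test plan passes -out twice (`-out localhost.crt` near the start and `-out localhost.csr` at the end), so the command cannot write both files, and the later etcd and curl steps that read localhost.crt may have nothing to load; keep a single `-out localhost.crt`. The download step also fetches etcd-v3.3.13-linux-amd64.tar.gz while the tar, cd and rm steps all name etcd-v3.3.14-linux-amd64, so the plan does not run as written until one version is used throughout.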
[Bug 1820083] Re: TLS params not set for session
revert test case description ** Description changed: [Impact] A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS. [Test Case] - We will be backporting this as part of the python-etcd3gw from upstream debian maintainers who bumped the version from 0.2.1-3 to 0.2.5-1 - Running the additional unit tests provided for this would be enough to trigger the raised exception. + [Test Case] + + # Create self signed certs + + openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr + *make sure the key has an empty password + #download binaries & launch etcd locally with TLS enabled + cd ~ wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz cd etcd-v3.3.14-linux-amd64/ + sudo mv etcd etcdctl /usr/bin/ + cd ~ rm -rf etcd-v3.3.14-linux-amd64* + *note I named my directory infra0 + etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379 + + test connection with health endpoint: curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health if successful, {"health": "true"} + Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py + ``` + def test_client_tls(self): + + client = Etcd3Client(host="localhost", protocol="https", ca_cert="~/localhost.crt",cert_key="~/localhost.key", cert_cert="~/user.crt", timeout=10) + response = client.get("/health") print(response) + ``` + Run the newly added unit test python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls We get an error in both the unit test and an error from the etcd server unit test error we are looking for: OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: 
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "") [Where Problems Could Occur] This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before. [Other Info] the upstream bug is https://github.com/dims/etcd3-gateway/issues/20 fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21 via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0 that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionicand Focal. This package was not included in Xenial. ** Description changed: [Impact] A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS. [Test Case] - [Test Case] - # Create self signed certs - openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr - *make sure the key has an empty password - #download binaries & launch etcd locally with TLS enabled - cd ~ wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz cd etcd-v3.3.14-linux-amd64/ - sudo mv etcd etcdctl /usr/bin/ - cd ~ rm -rf etcd-v3.3.14-linux-amd64* - *note I named my directory infra0 - etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379 + openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr + *make sure the key has an empty password - test connection with health endpoint: curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health if successful, {"health": "true"} - Inside of 
~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py - ``` - def test_client_tls(self): + #download binaries & launch etcd locally with TLS enabled + cd ~ wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz cd etcd-v3.3.14-linux-amd64/ + sudo mv etcd etcdctl /usr/bin/ + cd ~ rm -rf etcd-v3.3.14-linux-amd64* + *note I named my directory infra0 - client = Etcd3Client(host="localhost", protocol="https", ca_cert="~/localhost.crt",cert_key="~/localhost.key", cert_cert="~/user.crt", timeout=10) - response = client.get("/health") print(response) - ``` - Run the newly added unit test python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls We get an error in both the unit test and an error from the etcd server unit test error we are looking for: OpenSSL.SSL.Error: [('SSL
[Bug 1820083] Re: TLS params not set for session
** Tags removed: sts-sponsor-ddstreet ** Tags added: sts-sponsor-slashd
[Bug 1820083] Re: TLS params not set for session
** Tags removed: sts-sponsor-volunteer ** Tags added: sts-sponsor-ddstreet
[Bug 1820083] Re: TLS params not set for session
bionic debdiff ** Patch removed: "lp1820083-tlsparams-bionic.debdiff" https://bugs.launchpad.net/ubuntu/groovy/+source/python-etcd3gw/+bug/1820083/+attachment/5449229/+files/lp1820083-tlsparams-bionic.debdiff ** Patch added: "lp1820083-Set-transport-options-bionic.debdiff" https://bugs.launchpad.net/ubuntu/groovy/+source/python-etcd3gw/+bug/1820083/+attachment/5464369/+files/lp1820083-Set-transport-options-bionic.debdiff ** Patch removed: "lp1820083-focal-tlsparams.debdiff" https://bugs.launchpad.net/ubuntu/groovy/+source/python-etcd3gw/+bug/1820083/+attachment/5449249/+files/lp1820083-focal-tlsparams.debdiff
[Bug 1820083] Re: TLS params not set for session
Resubmitted patches for verification
[Bug 1820083] Re: TLS params not set for session
focal debdiff ** Patch added: "lp1820083-Set-transport-options-focal.debdiff" https://bugs.launchpad.net/ubuntu/groovy/+source/python-etcd3gw/+bug/1820083/+attachment/5464370/+files/lp1820083-Set-transport-options-focal.debdiff
[Bug 1820083] Re: TLS params not set for session
groovy debdiff ** Patch removed: "lp1820083-set-tls-groovy.debdiff" https://bugs.launchpad.net/ubuntu/groovy/+source/python-etcd3gw/+bug/1820083/+attachment/5464269/+files/lp1820083-set-tls-groovy.debdiff ** Patch added: "lp1820083-set-tls-groovy.debdiff" https://bugs.launchpad.net/ubuntu/groovy/+source/python-etcd3gw/+bug/1820083/+attachment/5464270/+files/lp1820083-set-tls-groovy.debdiff
[Bug 1820083] Re: TLS params not set for session
debdiff for groovy ** Patch added: "lp1820083-set-tls-groovy.debdiff" https://bugs.launchpad.net/ubuntu/groovy/+source/python-etcd3gw/+bug/1820083/+attachment/5464269/+files/lp1820083-set-tls-groovy.debdiff
[Bug 1820083] Re: TLS params not set for session
** Changed in: python-etcd3gw (Ubuntu Groovy) Status: New => Triaged ** Changed in: python-etcd3gw (Ubuntu Groovy) Status: Triaged => In Progress ** Changed in: python-etcd3gw (Ubuntu Groovy) Assignee: (unassigned) => Heather Lemon (hypothetical-lemon)
[Bug 1820083] Re: TLS params not set for session
** Description changed: [impact] a connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS. [test case] - I am currently updating the unit test to include testing of TLS params + We will be backporting this as part of the python-etcd3gw from upstream debian maintainers who bumped the version from 0.2.1-3 to 0.2.5-1 + Running the additional unit tests provided for this would be enough to trigger the raised exception. [regression potential] This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before. [scope] the upstream bug is https://github.com/dims/etcd3-gateway/issues/20 fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21 via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0 that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic, Eoan, and Focal. This package was not included in Xenial. ** Description changed: [impact] a connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS. - [test case] + [Test Case] We will be backporting this as part of the python-etcd3gw from upstream debian maintainers who bumped the version from 0.2.1-3 to 0.2.5-1 Running the additional unit tests provided for this would be enough to trigger the raised exception. - [regression potential] + [Regression Potential] This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before. 
- [scope] + [Scope] the upstream bug is https://github.com/dims/etcd3-gateway/issues/20 fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21 via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0 that commit is contained in version 0.2.2, which is not yet pulled into - Debian, so this patch is needed in Debian, as well as Bionic, Eoan, and - Focal. This package was not included in Xenial. + Debian, so this patch is needed in Debian, as well as Bionicand Focal. + This package was not included in Xenial. ** Description changed: - [impact] + [Impact] a connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS. [Test Case] We will be backporting this as part of the python-etcd3gw from upstream debian maintainers who bumped the version from 0.2.1-3 to 0.2.5-1 Running the additional unit tests provided for this would be enough to trigger the raised exception. [Regression Potential] This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before. [Scope] the upstream bug is https://github.com/dims/etcd3-gateway/issues/20 fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21 via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0 that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionicand Focal. This package was not included in Xenial. ** Description changed: [Impact] a connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS. [Test Case] We will be backporting this as part of the python-etcd3gw from upstream debian maintainers who bumped the version from 0.2.1-3 to 0.2.5-1 Running the additional unit tests provided for this would be enough to trigger the raised exception. 
- [Regression Potential] + [Where Problems Could Occur] This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before. - [Scope] + [Other Info] the upstream bug is https://github.com/dims/etcd3-gateway/issues/20 fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21 via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0 that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionicand Focal. This package was not included in Xenial. ** Description changed: [Impact] - a connection session is opened, but the TLS parameters (timeout, ca, + A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS. [Test Case] We will be backporting this as part of t
[Bug 1820083] Re: TLS params not set for session
Fixed in Ubuntu Hirsute. --- python-etcd3gw (0.2.5-1) unstable; urgency=medium [ Ondřej Nový ] * Run wrap-and-sort -bastk. [ Thomas Goirand ] * Switch to new repo URL. * New upstream release (Closes: #980004). * Removed 0001_reproducible-build.patch applied upstream. * Add python3-mock as build-depends. -- Thomas Goirand Wed, 13 Jan 2021 09:49:04 +0100 ** Changed in: python-etcd3gw (Ubuntu Hirsute) Status: New => Fix Released
[Bug 1820083] Re: TLS params not set for session
** Changed in: python-etcd3gw (Ubuntu Groovy) Importance: Undecided => Medium
[Bug 1820083] Re: TLS params not set for session
** Description changed: [impact] a connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS. [test case] - create self signed certs - - - openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr - *make sure the key has an empty password - - - download binaries & launch etcd locally with TLS enabled - - cd ~ - wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz - tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz - cd etcd-v3.3.14-linux-amd64/ - sudo mv etcd etcdctl /usr/bin/ - cd ~ - rm -rf etcd-v3.3.14-linux-amd64* - *note I named my directory infra0 - etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379 - - test connection with health endpoint: - curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health - - if successful, - {"health": "true"} - - Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py - ``` - def test_client_tls(self): - client = Etcd3Client(host="localhost", protocol="https", ca_cert="~/localhost.crt",cert_key="~/localhost.key", cert_cert="~/user.crt", timeout=10) - response = client.get("/health") - print(response) - ``` - Run the newly added unit test - - python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls - - We get an error in both the unit test and an error from the etcd server - unit test error we are looking for: - OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] - - related etcd error: - I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "") - + I am currently updating the unit test to include testing of TLS params [regression potential] This adds TLS parameters (if 
provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before. [scope] the upstream bug is https://github.com/dims/etcd3-gateway/issues/20 fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21 via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0 that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic, Eoan, and Focal. This package was not included in Xenial.
[Bug 1820083] Re: TLS params not set for session
** Description changed: [impact] a connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS. [test case] - TBD + create self signed certs + - + openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr + *make sure the key has an empty password + + + download binaries & launch etcd locally with TLS enabled + + cd ~ + wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz + tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz + cd etcd-v3.3.14-linux-amd64/ + sudo mv etcd etcdctl /usr/bin/ + cd ~ + rm -rf etcd-v3.3.14-linux-amd64* + *note I named my directory infra0 + etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379 + + test connection with health endpoint: + curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health + + if successful, + {"health": "true"} + + Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py + ``` + def test_client_tls(self): + client = Etcd3Client(host="localhost", protocol="https", ca_cert="~/localhost.crt",cert_key="~/localhost.key", cert_cert="~/user.crt", timeout=10) + response = client.get("/health") + print(response) + ``` + Run the newly added unit test + + python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls + + We get an error in both the unit test and an error from the etcd server + unit test error we are looking for: + OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] + + related etcd error: + I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "") + [regression potential] This adds TLS parameters (if provided) to the session, so regressions would involve failed 
connections, possibly those without TLS that had TLS params incorrectly provided before. [scope] the upstream bug is https://github.com/dims/etcd3-gateway/issues/20 fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21 via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0 that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic, Eoan, and Focal. This package was not included in Xenial.
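Review bot: The added test_client_tls passes cert_cert="~/user.crt", a file that none of the preceding steps create (the openssl command names only localhost.crt, localhost.key and localhost.csr), and all three certificate paths start with "~", which Python does not expand inside a string. Point cert_cert at the generated certificate and build the paths with os.path.expanduser. The test also only prints the response, so the only way to tell a fixed build from a broken one is the traceback; an assertion on the response, or assertRaises for the pre-fix behaviour, would make the pass/fail condition explicit.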
[Bug 1820083] Re: TLS params not set for session
The attachment "lp1820083-tlsparams-bionic.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team. [This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.] ** Tags added: patch
[Bug 1820083] Re: TLS params not set for session
** Patch added: "lp1820083-focal-tlsparams.debdiff" https://bugs.launchpad.net/ubuntu/bionic/+source/python-etcd3gw/+bug/1820083/+attachment/5449249/+files/lp1820083-focal-tlsparams.debdiff
[Bug 1820083] Re: TLS params not set for session
** Patch added: "lp1820083-tlsparams-bionic.debdiff" https://bugs.launchpad.net/ubuntu/bionic/+source/python-etcd3gw/+bug/1820083/+attachment/5449229/+files/lp1820083-tlsparams-bionic.debdiff
[Bug 1820083] Re: TLS params not set for session
** Also affects: python-etcd3gw (Ubuntu Hirsute) Importance: Medium Status: New ** Also affects: python-etcd3gw (Ubuntu Groovy) Importance: Undecided Status: New
[Bug 1820083] Re: TLS params not set for session
** Changed in: python-etcd3gw (Ubuntu Bionic) Status: New => In Progress ** Changed in: python-etcd3gw (Ubuntu Focal) Status: New => In Progress
[Bug 1820083] Re: TLS params not set for session
** Changed in: python-etcd3gw (Ubuntu Bionic) Assignee: (unassigned) => Heather Lemon (hypothetical-lemon) ** Changed in: python-etcd3gw (Ubuntu Focal) Assignee: (unassigned) => Heather Lemon (hypothetical-lemon)
[Bug 1820083] Re: TLS params not set for session
The Eoan Ermine has reached end of life, so this bug will not be fixed for that release ** Changed in: python-etcd3gw (Ubuntu Eoan) Status: New => Won't Fix
[Bug 1820083] Re: TLS params not set for session
** Tags added: sts-sponsor-volunteer
[Bug 1820083] Re: TLS params not set for session
** Description changed: [impact] a connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS. [test case] TBD [regression potential] This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before. + [scope] + the upstream bug is https://github.com/dims/etcd3-gateway/issues/20 fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21 via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0 + + that commit is contained in version 0.2.2, which is not yet pulled into + Debian, so this patch is needed in Debian, as well as Bionic, Eoan, and + Focal. This package was not included in Xenial. ** Changed in: python-etcd3gw (Ubuntu Cosmic) Status: In Progress => Won't Fix ** Changed in: python-etcd3gw (Ubuntu Disco) Status: In Progress => Won't Fix ** Also affects: python-etcd3gw (Ubuntu Focal) Importance: Medium Assignee: Dan Streetman (ddstreet) Status: In Progress ** Also affects: python-etcd3gw (Ubuntu Eoan) Importance: Undecided Status: New ** Changed in: python-etcd3gw (Ubuntu Focal) Status: In Progress => New ** Changed in: python-etcd3gw (Ubuntu Bionic) Status: In Progress => New ** Changed in: python-etcd3gw (Ubuntu Bionic) Assignee: Dan Streetman (ddstreet) => (unassigned) ** Changed in: python-etcd3gw (Ubuntu Cosmic) Assignee: Dan Streetman (ddstreet) => (unassigned) ** Changed in: python-etcd3gw (Ubuntu Disco) Assignee: Dan Streetman (ddstreet) => (unassigned) ** Changed in: python-etcd3gw (Ubuntu Focal) Assignee: Dan Streetman (ddstreet) => (unassigned) ** Changed in: python-etcd3gw (Ubuntu Eoan) Importance: Undecided => Medium ** Tags added: sts