[Bug 1805807] Re: python-httplib2 is not compatible with TLS 1.3 based python/ssl

[Dimitri John Ledkov]

** Description changed:

  [Impact]
  
-  * If and when openssl and python are upgraded with TLS 1.3 support,
+  * If and when openssl and python are upgraded with TLS 1.3 support,
  httplib2 as shipped in bionic will fail to establish TLS connections,
  due to failure to send hostname for SNI verification.
  
  [Test Case]
  
-  * Sample script that currently passes in bionic, but fails if one force
+  * Sample script that currently passes in bionic, but fails if one force
  upgrades to a newer python2.7 built with openssl 1.1.1
  
-  * Install the new openssl & python on bionic with:
+  * Install the new openssl & python on bionic with:
  
  echo 'deb [trusted=yes] 
http://ppa.launchpad.net/ci-train-ppa-service/3540/ubuntu bionic main ' > 
/etc/apt/sources.list.d/xnox.list
  apt update
  apt install -y python2.7
  apt download python-httplib2
- dpkg-deb -x ./python-httplib2_0.9.2+dfsg-1_all.deb /
- 
- 
-  * Launch python interpreter and try to open a https url
-   $ python
+ dpkg --force-breaks --install ./python-httplib2_0.9.2+dfsg-1ubuntu0.1_all.deb
+  * Launch python interpreter and try to open a https url
+   $ python
  import httplib2
  h = httplib2.Http(ca_certs='/etc/ssl/certs/ca-certificates.crt')
  h.request("https://www.google.com";)
  Traceback (most recent call last):
-   File "<stdin>", line 1, in <module>
-   File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1608, in 
request
-     (response, content) = self._request(conn, authority, uri, request_uri, 
method, body, headers, redirections, cachekey)
-   File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1350, in 
_request
-     (response, content) = self._conn_request(conn, request_uri, method, body, 
headers)
-   File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1271, in 
_conn_request
-     conn.connect()
-   File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1058, in 
connect
-     raise SSLHandshakeError(e)
+   File "<stdin>", line 1, in <module>
+   File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1608, in 
request
+     (response, content) = self._request(conn, authority, uri, request_uri, 
method, body, headers, redirections, cachekey)
+   File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1350, in 
_request
+     (response, content) = self._conn_request(conn, request_uri, method, body, 
headers)
+   File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1271, in 
_conn_request
+     conn.connect()
+   File "/usr/lib/python2.7/dist-packages/httplib2/__init__.py", line 1058, in 
connect
+     raise SSLHandshakeError(e)
  httplib2.SSLHandshakeError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate 
verify failed (_ssl.c:727)
  
- 
-  * Instead of assertion being raised, the url should be retrieved 
successfully with page contents returned.
+  * Instead of assertion being raised, the url should be retrieved
+ successfully with page contents returned.
  
  [Regression Potential]
  
-  * Upstream patch is used, which is well-tested and used in cosmic/disco
+  * Upstream patch is used, which is well-tested and used in cosmic/disco
  and uses python standard library ssl facilities which have been provided
  since 2.7.9 (xenial+). In terms of connectivity correct SNI usage will
  not result in connectivity failures.
  
  [Other Info]
-  
-  * Upstream fix https://github.com/httplib2/httplib2/pull/13/files
+ 
+  * Upstream fix https://github.com/httplib2/httplib2/pull/13/files

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1805807

Title:
  python-httplib2 is not compatible with TLS 1.3 based python/ssl

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1805807/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs