Public bug reported:

(Affects all Python versions)

Python has no dependency on ca-certificates. Installing Python on a
minimal Debian or Ubuntu container image does not pull in
ca-certificates. This results in certificate validation issues as no
trust anchors are available. Python's ssl module and
ssl.create_default_context() depend on default root CA packages being
available.

Since Python 2.7.9 and 3.4.0 the ssl module encourages developers to use
ssl.create_default_context() to create a working and securely configured
SSL context object. The implementation assumes that the platform has a
correctly configured OpenSSL libssl that can load the default trust
anchors (root CA certificates) with SSL_CTX_set_default_verify_paths().

Reproducer:

# docker run -ti ubuntu:bionic /bin/bash
# apt-get update
# apt-get install -y python3

# ls -la /etc/ssl/certs/ca-certificates.crt
ls: cannot access '/etc/ssl/certs/ca-certificates.crt': No such file or directory
# dpkg -l ca-certificates
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name            Version      Architecture Description
+++-===============-============-============-=================================
un  ca-certificates <none>       <none>       (no description available)

# python3 -c 'from urllib.request import urlopen; urlopen("https://www.python.org")'
Traceback (most recent call last):
...
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)>
# echo $?
1

# apt-get install -y ca-certificates
# python3 -c 'from urllib.request import urlopen; urlopen("https://www.python.org")'
root@seneca:/# echo $?
0


Proposed solution:
Either all Python interpreter packages or libssl should pull in ca-certificates.

I have reported the bug on Debian's bug tracker as well,
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960869

** Affects: python3.6 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1879310

Title:
  python package does not depend on ca-certificates

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python3.6/+bug/1879310/+subscriptions
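
A preflight check for the condition reported above, as an added example that is not part of the original bug report or of Python itself: it inspects the locations ssl.create_default_context() loads trust anchors from and reports when neither a CA bundle nor a hashed CA directory is usable. The function names, the PEM-header test and the hash-name pattern are assumptions of this sketch.

```python
import os
import re
import ssl

# OpenSSL looks up CA certificates in a directory by subject-hash
# names such as "3513523f.0" (assumed pattern for this sketch).
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")
PEM_MARKER = b"-----BEGIN CERTIFICATE-----"


def bundle_has_certs(cafile):
    """True if cafile exists and contains at least one PEM certificate header."""
    if not cafile or not os.path.isfile(cafile):
        return False
    with open(cafile, "rb") as fh:
        return PEM_MARKER in fh.read()


def directory_has_certs(capath):
    """True if capath exists and holds at least one hash-named entry."""
    if not capath or not os.path.isdir(capath):
        return False
    return any(HASHED_NAME.match(name) for name in os.listdir(capath))


def trust_anchor_problems(cafile, capath):
    """Return a list of findings; an empty list means a trust source was found."""
    if bundle_has_certs(cafile) or directory_has_certs(capath):
        return []
    return [
        "no PEM certificates in CA bundle: %r" % (cafile,),
        "no hash-named CA certificates in directory: %r" % (capath,),
    ]


def default_trust_anchor_problems():
    """Check the locations ssl.create_default_context() will load from."""
    paths = ssl.get_default_verify_paths()
    # Use the configured location (SSL_CERT_FILE / SSL_CERT_DIR or the
    # OpenSSL built-in default) so a missing path is still reported by name.
    cafile = os.environ.get(paths.openssl_cafile_env, paths.openssl_cafile)
    capath = os.environ.get(paths.openssl_capath_env, paths.openssl_capath)
    return trust_anchor_problems(cafile, capath)


if __name__ == "__main__":
    problems = default_trust_anchor_problems()
    for line in problems:
        print("WARNING:", line)
    raise SystemExit(1 if problems else 0)
```

Run as a script in an image build or container entrypoint, it exits non-zero when no trust anchors are installed, so the gap surfaces before the first HTTPS request fails with CERTIFICATE_VERIFY_FAILED.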
