revert test case description ** Description changed:
[Impact] A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS. [Test Case] - We will be backporting this as part of the python-etcd3gw from upstream debian maintainers who bumped the version from 0.2.1-3 to 0.2.5-1 - Running the additional unit tests provided for this would be enough to trigger the raised exception. + [Test Case] + + # Create self signed certs + + openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr + *make sure the key has an empty password + #download binaries & launch etcd locally with TLS enabled + cd ~ wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz cd etcd-v3.3.14-linux-amd64/ + sudo mv etcd etcdctl /usr/bin/ + cd ~ rm -rf etcd-v3.3.14-linux-amd64* + *note I named my directory infra0 + etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379 + + test connection with health endpoint: curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health if successful, {"health": "true"} + Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py + ``` + def test_client_tls(self): + + client = Etcd3Client(host="localhost", protocol="https", ca_cert="~/localhost.crt",cert_key="~/localhost.key", cert_cert="~/user.crt", timeout=10) + response = client.get("/health") print(response) + ``` + Run the newly added unit test python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls We get an error in both the unit test and an error from the etcd server unit test error we are looking for: OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" 
(error "remote error: tls: bad certificate", ServerName "") [Where Problems Could Occur] This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before. [Other Info] the upstream bug is https://github.com/dims/etcd3-gateway/issues/20 fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21 via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0 that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionicand Focal. This package was not included in Xenial. ** Description changed: [Impact] A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS. [Test Case] - [Test Case] - # Create self signed certs - openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr - *make sure the key has an empty password - #download binaries & launch etcd locally with TLS enabled - cd ~ wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz cd etcd-v3.3.14-linux-amd64/ - sudo mv etcd etcdctl /usr/bin/ - cd ~ rm -rf etcd-v3.3.14-linux-amd64* - *note I named my directory infra0 - etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379 + openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr + *make sure the key has an empty password - test connection with health endpoint: curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health if successful, {"health": "true"} - Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py - ``` - def 
test_client_tls(self): + #download binaries & launch etcd locally with TLS enabled + cd ~ wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz cd etcd-v3.3.14-linux-amd64/ + sudo mv etcd etcdctl /usr/bin/ + cd ~ rm -rf etcd-v3.3.14-linux-amd64* + *note I named my directory infra0 - client = Etcd3Client(host="localhost", protocol="https", ca_cert="~/localhost.crt",cert_key="~/localhost.key", cert_cert="~/user.crt", timeout=10) - response = client.get("/health") print(response) - ``` - Run the newly added unit test python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls We get an error in both the unit test and an error from the etcd server unit test error we are looking for: OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "") + etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key- + file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 + --listen-client-urls=https://127.0.0.1:2379 + + test connection with health endpoint: curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health if successful, {"health": "true"} + Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py + ``` + def test_client_tls(self): + + client = Etcd3Client(host="localhost", protocol="https", ca_cert="~/localhost.crt",cert_key="~/localhost.key", cert_cert="~/user.crt", timeout=10) + response = client.get("/health") print(response) + ``` + Run the newly added unit test python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls We get an error in both the unit test and an error from the etcd server unit test error we are looking for: OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related 
etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "") [Where Problems Could Occur] This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before. [Other Info] the upstream bug is https://github.com/dims/etcd3-gateway/issues/20 fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21 via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0 that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionicand Focal. This package was not included in Xenial. ** Description changed: [Impact] A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS. [Test Case] # Create self signed certs openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr *make sure the key has an empty password #download binaries & launch etcd locally with TLS enabled cd ~ wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz cd etcd-v3.3.14-linux-amd64/ sudo mv etcd etcdctl /usr/bin/ cd ~ rm -rf etcd-v3.3.14-linux-amd64* *note I named my directory infra0 etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key- file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379 test connection with health endpoint: curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health if successful, {"health": "true"} Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py ``` def test_client_tls(self): client = Etcd3Client(host="localhost", protocol="https", ca_cert="~/localhost.crt",cert_key="~/localhost.key", 
cert_cert="~/user.crt", timeout=10) response = client.get("/health") print(response) ``` Run the newly added unit test python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls We get an error in both the unit test and an error from the etcd server unit test error we are looking for: OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "") [Where Problems Could Occur] This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before. - [Other Info] + [Other] the upstream bug is https://github.com/dims/etcd3-gateway/issues/20 fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21 via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0 that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionicand Focal. This package was not included in Xenial. -- https://bugs.launchpad.net/bugs/1820083 Title: TLS params not set for session
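Review bot: the setup commands in the new [Test Case] do not agree on the etcd version. The wget line fetches etcd-v3.3.13-linux-amd64.tar.gz, but the tar, cd and rm commands that follow all name etcd-v3.3.14-linux-amd64, so the steps fail at the tar command as written. Use one version in all four commands. In the second revision the etcd launch line is also wrapped so that the option reads "--key- file=localhost.key"; if that text is pasted as is, the key file option is split in two, so the command is better kept on one line or continued with a backslash.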
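Review bot: the certificate inputs to test_client_tls do not match what the setup produces, so the "certificate verify failed" result cannot be attributed to the bug with confidence. The openssl req line passes -out twice (localhost.crt and then localhost.csr), which leaves it unclear which file holds the certificate. The test passes cert_cert="~/user.crt", a file no step creates, and all three paths use a literal "~" that is only expanded if the client code does so itself. Suggest a single -out, absolute paths, and the same localhost.crt and localhost.key that the curl check uses. The test case also states the error seen before the fix but not the result expected with the fixed package; add the passing outcome so the verification has something to compare against.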
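Review bot: in the last revision the heading "[Other Info]" becomes "[Other]", while the two earlier revisions in this same notification use "[Other Info]" and the other bracketed headings are left unchanged. Unless the rename is intended, keep "[Other Info]" so the sections stay consistent. The sentence under that heading also carries "Bionicand Focal" through all three revisions; it needs a space ("Bionic and Focal").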
