
Python2 on trusty exec nodes does not support SNI
Closed, Resolved (Public)

Description

Found while testing T108720: pick up ticket mentions from !log lines with stashbot:

/data/project/stashbot/virtenv/local/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:315: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.

tools-bastion-01 (and I'm assuming the other trusty SGE exec nodes) has Python 2.7.6 installed. Before trying the workaround of using PyOpenSSL in my virtualenv I thought it would be worth discussing either installing PyOpenSSL globally or upgrading to a newer Python2 distribution.

Event Timeline

bd808 raised the priority of this task from to Needs Triage.
bd808 updated the task description.
bd808 added a project: Toolforge.
bd808 subscribed.

If you pip install requests[security], that should install the missing python libraries. We'd have to upgrade to 2.7.9 or higher for it to be fixed properly in Python.

requests[security] installs:

extras_require={
    'security': ['pyOpenSSL>=0.13', 'ndg-httpsclient', 'pyasn1'],
},

pyOpenSSL and pyasn1 are installed globally, but ndg-httpsclient is not (and there doesn't seem to be a package available). https://packages.debian.org/sid/python-ndg-httpsclient looks like it's a pure-python package, so we might be able to just install that .deb without manual backporting.

(that won't help in your virtualenv, though, unless you created it with --system-site-packages)

Mentioned in SAL [2016-02-12T17:41:03Z] <bd808> Upgraded to c599c8f to use requests[security] for SNI support (T126714)

bd808 claimed this task.

Using requests[security] works like a charm. Thanks @Legoktm.
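
The check discussed in this task, as an added example that is not part of the original thread or of stashbot: it reports whether the running interpreter can send SNI natively or only through the three packages in the `security` extra quoted above. The function names (`can_import`, `classify`, `probe`) are hypothetical, and the import names `OpenSSL`, `ndg.httpsclient` and `pyasn1` are the modules those pip packages provide.

```python
import importlib
import platform
import ssl

# pip package name -> importable module, for the 'security' extra quoted above.
FALLBACK_MODULES = {
    "pyOpenSSL": "OpenSSL",
    "ndg-httpsclient": "ndg.httpsclient",
    "pyasn1": "pyasn1",
}


def can_import(module_name):
    """True if the module loads in *this* environment (a virtualenv created
    without --system-site-packages will not see globally installed copies)."""
    try:
        importlib.import_module(module_name)
    except Exception:  # a broken install is as useless as a missing one
        return False
    return True


def classify(stdlib_has_sni, importable):
    """Return (mode, missing_packages).

    stdlib_has_sni: value of ssl.HAS_SNI (absent before Python 2.7.9).
    importable: dict of pip package name -> bool for FALLBACK_MODULES.
    """
    if stdlib_has_sni:
        return "native", []
    missing = sorted(p for p in FALLBACK_MODULES if not importable.get(p))
    if missing:
        # Any one missing package leaves the client without SNI.
        return "unavailable", missing
    return "pyopenssl-fallback", []


def probe():
    """Inspect the running interpreter and summarise its SNI support."""
    has_sni = bool(getattr(ssl, "HAS_SNI", False))
    importable = dict((p, can_import(m)) for p, m in FALLBACK_MODULES.items())
    mode, missing = classify(has_sni, importable)
    return {"python": platform.python_version(),
            "openssl": ssl.OPENSSL_VERSION,
            "mode": mode, "missing": missing}


if __name__ == "__main__":
    print(probe())
```

Run it with the same interpreter the tool uses (for example the virtualenv's `python`), since the result depends on which site-packages that interpreter can see.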