Source: python-urllib3
Version: 1.26.17-1
Severity: normal
X-Debbugs-Cc: jdstr...@ubuntu.com, secur...@ubuntu.com

Hi,

In the process of packaging a library, I ran into a test failure caused
by urllib3's 02_require-cert-verification.patch.

It looks like this patch is no longer required, but given the security
implications, I'm not just going to commit to git, but rather ask for
input.

Several relevant changes were made in urllib3 since the authoring of
this patch:
1. urllib3.contrib.pyopenssl now uses the operating system's default CA
   certificates on inject.
   https://github.com/urllib3/urllib3/pull/332
2. When ca_certs is given, cert_reqs defaults to 'CERT_REQUIRED'.
   https://github.com/urllib3/urllib3/pull/650

With unpatched upstream urllib3 1.26.18 (not even 2.x):

>>> import urllib3
>>> http = urllib3.PoolManager()
>>> http.request("GET", "https://expired.badssl.com/")
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate 
verify failed: certificate has expired (_ssl.c:1006)
>>> http.request("GET", "https://wrong.host.badssl.com/")
urllib3.exceptions.MaxRetryError: 
HTTPSConnectionPool(host='wrong.host.badssl.com', port=443): Max retries 
exceeded with url: / (Caused by SSLError(CertificateError("hostname 
'wrong.host.badssl.com' doesn't match either of '*.badssl.com', 'badssl.com'")))
>>> http.request("GET", "https://untrusted-root.badssl.com/")
urllib3.exceptions.MaxRetryError: 
HTTPSConnectionPool(host='untrusted-root.badssl.com', port=443): Max retries 
exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: 
CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate 
in certificate chain (_ssl.c:1006)')))
>>> http.request("GET", "https://self-signed.badssl.com/")
urllib3.exceptions.MaxRetryError: 
HTTPSConnectionPool(host='self-signed.badssl.com', port=443): Max retries 
exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: 
CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate 
(_ssl.c:1006)')))
>>> http.request("GET", "https://revoked.badssl.com/")
urllib3.exceptions.MaxRetryError: 
HTTPSConnectionPool(host='revoked.badssl.com', port=443): Max retries exceeded 
with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: 
CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired 
(_ssl.c:1006)')))

How do you feel about dropping it?

Stefano
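A check a packager could keep in the package's test suite to confirm that upstream's defaults already enforce what 02_require-cert-verification.patch used to force. This is an added example, not code from the bug report or from urllib3; it assumes urllib3 1.26.x or 2.x is importable, uses only urllib3's public `util.ssl_` helpers offline, and touches the badssl.com hosts from the session above only from `main`.

```python
"""Confirm urllib3 requires certificate verification unless explicitly told not to."""
import ssl

import urllib3
from urllib3.exceptions import MaxRetryError, SSLError
from urllib3.util.ssl_ import create_urllib3_context, resolve_cert_reqs


def default_cert_reqs_name():
    """Verify mode urllib3 falls back to when cert_reqs is not given at all."""
    return ssl.VerifyMode(resolve_cert_reqs(None)).name


def context_verify_mode_name(cert_reqs=None):
    """Verify mode of the SSLContext urllib3 builds for a connection.

    cert_reqs=None is what PoolManager() ends up with; "CERT_NONE" is the
    weak setting the Debian patch guarded against, and is still honoured
    only when a caller asks for it explicitly.
    """
    ctx = create_urllib3_context(cert_reqs=resolve_cert_reqs(cert_reqs))
    return ssl.VerifyMode(ctx.verify_mode).name


def rejected_for_certificate(url, http=None):
    """True if urllib3 refused `url` because certificate verification failed.

    Needs network access. retries=0 keeps the probe to a single attempt; the
    failure still surfaces wrapped in MaxRetryError, so unwrap it.
    """
    http = http or urllib3.PoolManager()  # no ca_certs given: built-in defaults only
    try:
        http.request("GET", url, retries=0)
    except MaxRetryError as exc:
        return isinstance(exc.reason, SSLError)
    except SSLError:
        return True
    return False  # a 200 here means verification is effectively off


if __name__ == "__main__":
    print("default cert_reqs:", default_cert_reqs_name())
    print("default context:  ", context_verify_mode_name())
    # revoked.badssl.com is left out on purpose: the session above shows it
    # failing for expiry, so it says nothing about CRL/OCSP checking.
    for name in ("expired", "wrong.host", "untrusted-root", "self-signed"):
        url = "https://%s.badssl.com/" % name
        verdict = "rejected" if rejected_for_certificate(url) else "ACCEPTED"
        print(url, verdict)
```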
