Source: python-urllib3
Version: 1.26.17-1
Severity: normal
X-Debbugs-Cc: jdstr...@ubuntu.com, secur...@ubuntu.com

Hi,

In the process of packaging a library, I ran into a test failure caused by urllib3's 02_require-cert-verification.patch. It looks like this patch is no longer required, but given the security implications, I'm not just going to commit to git, but rather ask for input.

Several relevant changes were made in urllib3 since the authoring of this patch:

1. urllib3.contrib.pyopenssl now uses the operating system's default CA certificates on inject.
   https://github.com/urllib3/urllib3/pull/332
2. When ca_certs is given, cert_reqs defaults to 'CERT_REQUIRED'.
   https://github.com/urllib3/urllib3/pull/650

With unpatched upstream urllib3 1.26.18 (not even 2.x):

>>> import urllib3
>>> http = urllib3.PoolManager()
>>> http.request("GET", "https://expired.badssl.com/")
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1006)
>>> http.request("GET", "https://wrong.host.badssl.com/")
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='wrong.host.badssl.com', port=443): Max retries exceeded with url: / (Caused by SSLError(CertificateError("hostname 'wrong.host.badssl.com' doesn't match either of '*.badssl.com', 'badssl.com'")))
>>> http.request("GET", "https://untrusted-root.badssl.com/")
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='untrusted-root.badssl.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1006)')))
>>> http.request("GET", "https://self-signed.badssl.com/")
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='self-signed.badssl.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1006)')))
>>> http.request("GET", "https://revoked.badssl.com/")
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='revoked.badssl.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1006)')))

How do you feel about dropping it?

Stefano
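The report's point is that certificate verification is now on by default, so a distro patch forcing it adds nothing. An offline way to check what the patch was enforcing, without hitting badssl.com from a package test, is to audit the TLS context a client ends up with. The block below is an added example written for this report, not code from the bug report or from urllib3; it uses only Python's standard library ssl module, and the function names audit_context, verified_context and unverified_context are invented for illustration. It flags the two settings that would let the expired, self-signed and wrong-host cases above succeed: a verify_mode other than CERT_REQUIRED, and check_hostname turned off.

```python
"""Audit a Python ssl.SSLContext for the settings a "require certificate
verification" policy expects. Added example; standard library only, no urllib3.
All function names here are invented for illustration."""
import ssl


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context verifies
    the peer's chain and hostname the way a hardened HTTPS client should."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        # CERT_NONE accepts any chain: expired, self-signed, untrusted root.
        findings.append(
            "verify_mode is %s, expected CERT_REQUIRED" % ctx.verify_mode.name
        )
    if not ctx.check_hostname:
        # A valid chain for a different name would be accepted (the
        # wrong.host.badssl.com case in the report).
        findings.append("check_hostname is False, a hostname mismatch would be accepted")
    return findings


def verified_context() -> ssl.SSLContext:
    """The context a hardened client should use: chain verification on,
    hostname checked, and the operating system's CA store loaded.
    create_default_context() already calls load_default_certs()."""
    return ssl.create_default_context()


def unverified_context() -> ssl.SSLContext:
    """The weak configuration the Debian patch guarded against: neither the
    chain nor the hostname is verified. Built only so the audit has
    something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def ca_count(ctx: ssl.SSLContext) -> int:
    """Number of CA certificates loaded from the system trust store; zero means
    even a CERT_REQUIRED context could not validate anything."""
    return ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    for name, ctx in (("default", verified_context()), ("unverified", unverified_context())):
        findings = audit_context(ctx)
        print("%s: %s (system CA certs loaded: %d)"
              % (name, findings or "OK", ca_count(ctx)))
```

Running it prints "OK" for the default context and two findings for the unverified one; ca_count() is reported rather than asserted because it depends on the host's trust store. The same audit can be applied to any SSLContext a library hands back, which is a cheaper regression check than a live request against an expired certificate.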