Bug#780059: youtube-dl: Forces SSLv3, incompatible with Python 2.7.9

2015-03-08 Thread Stefano Rivera 
Package: youtube-dl
Version: 2014.08.05-1
Severity: grave
Tags: patch
Justification: renders package unusable
Control: fixed -1 2015-01-16-1

Upstream is doing some crazy stuff with SSL. Fortunately, they admit this in
their git history, and have improved things since the 2014.08.05 release.

The protocol is forced to SSLv3, rather than negotiating the latest protocol
supported by both sides. There is a fallback path to negotiation, but it
doesn't work when PROTOCOL_SSLv3 isn't available in the Python ssl module (as
is the case, since 2.7.8-12).

The attached patch should fix the issue.

SR
Description: Support Python 2.7.9, which removed PROTOCOL_SSLv3
 In fact, don't try to force an SSL version at all. Debian OpenSSL doesn't
 support insecure versions.
 Upstream use Python's default SSL handshake since
 https://github.com/rg3/youtube-dl/commit/0db261ba567cb5370455d67c4398e11e5e2119f8
 And switches to TLSv1 in legacy paths in
 https://github.com/rg3/youtube-dl/commit/d79323136fabc2cd72afc7c124e17797e32df514
Author: Stefano Rivera stefa...@debian.org
Forwarded: not-needed
Last-Update: 2015-03-08

--- a/youtube_dl/utils.py
+++ b/youtube_dl/utils.py
@@ -588,17 +588,14 @@
 if getattr(self, '_tunnel_host', False):
 self.sock = sock
 self._tunnel()
-try:
-self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv3)
-except ssl.SSLError:
-self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23)
+self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23)
 
 class HTTPSHandlerV3(compat_urllib_request.HTTPSHandler):
 def https_open(self, req):
 return self.do_open(HTTPSConnectionV3, req)
 return HTTPSHandlerV3(**kwargs)
 else:
-context = ssl.SSLContext(ssl.PROTOCOL_SSLv3)
+context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
 context.verify_mode = (ssl.CERT_NONE
if opts_no_check_certificate
else ssl.CERT_REQUIRED)

Bug#780059: youtube-dl: Forces SSLv3, incompatible with Python 2.7.9

2015-03-08 Thread Stefano Rivera 
Hi Debian (2015.03.08_14:32:19_-0700)
 The protocol is forced to SSLv3, rather than negotiating the latest protocol
 supported by both sides. There is a fallback path to negotiation, but it
 doesn't work when PROTOCOL_SSLv3 isn't available in the Python ssl module (as
 is the case, since 2.7.8-12).

I forgot to provide a stack trace:

[youtube] Setting language
Traceback (most recent call last):
  File /usr/bin/youtube-dl, line 9, in module
load_entry_point('youtube-dl==2014.08.05', 'console_scripts', 
'youtube-dl')()
  File /usr/lib/python2.7/dist-packages/youtube_dl/__init__.py, line 890, in 
main
_real_main(argv)
  File /usr/lib/python2.7/dist-packages/youtube_dl/__init__.py, line 880, in 
_real_main
retcode = ydl.download(all_urls)
  File /usr/lib/python2.7/dist-packages/youtube_dl/YoutubeDL.py, line 1052, 
in download
self.extract_info(url)
  File /usr/lib/python2.7/dist-packages/youtube_dl/YoutubeDL.py, line 516, in 
extract_info
ie_result = ie.extract(url)
  File /usr/lib/python2.7/dist-packages/youtube_dl/extractor/common.py, line 
169, in extract
self.initialize()
  File /usr/lib/python2.7/dist-packages/youtube_dl/extractor/common.py, line 
164, in initialize
self._real_initialize()
  File /usr/lib/python2.7/dist-packages/youtube_dl/extractor/youtube.py, line 
123, in _real_initialize
if not self._set_language():
  File /usr/lib/python2.7/dist-packages/youtube_dl/extractor/youtube.py, line 
50, in _set_language
fatal=False))
  File /usr/lib/python2.7/dist-packages/youtube_dl/extractor/common.py, line 
283, in _download_webpage
res = self._download_webpage_handle(url_or_request, video_id, note, 
errnote, fatal)
  File /usr/lib/python2.7/dist-packages/youtube_dl/extractor/common.py, line 
223, in _download_webpage_handle
urlh = self._request_webpage(url_or_request, video_id, note, errnote, fatal)
  File /usr/lib/python2.7/dist-packages/youtube_dl/extractor/common.py, line 
203, in _request_webpage
return self._downloader.urlopen(url_or_request)
  File /usr/lib/python2.7/dist-packages/youtube_dl/YoutubeDL.py, line 1231, 
in urlopen
return self._opener.open(req, timeout=self._socket_timeout)
  File /usr/lib/python2.7/urllib2.py, line 431, in open
response = self._open(req, data)
  File /usr/lib/python2.7/urllib2.py, line 449, in _open
'_open', req)
  File /usr/lib/python2.7/urllib2.py, line 409, in _call_chain
result = func(*args)
  File /usr/lib/python2.7/dist-packages/youtube_dl/utils.py, line 598, in 
https_open
return self.do_open(HTTPSConnectionV3, req)
  File /usr/lib/python2.7/urllib2.py, line 1194, in do_open
h.request(req.get_method(), req.get_selector(), req.data, headers)
  File /usr/lib/python2.7/httplib.py, line 1001, in request
self._send_request(method, url, body, headers)
  File /usr/lib/python2.7/httplib.py, line 1035, in _send_request
self.endheaders(body)
  File /usr/lib/python2.7/httplib.py, line 997, in endheaders
self._send_output(message_body)
  File /usr/lib/python2.7/httplib.py, line 850, in _send_output
self.send(msg)
  File /usr/lib/python2.7/httplib.py, line 812, in send
self.connect()
  File /usr/lib/python2.7/dist-packages/youtube_dl/utils.py, line 592, in 
connect
self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, 
ssl_version=ssl.PROTOCOL_SSLv3)
AttributeError: 'module' object has no attribute 'PROTOCOL_SSLv3'

SR

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org