Python 2.7.9 breaks nova.tests.unit.test_wsgi.TestWSGIServerWithSSL.test_app_using_ipv6_and_ssl
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | Fix Released | Low | Corey Wright | |
Bug Description
nova git version is 2014.2-
Python 2.7.9, with its securing the network by default (PEP 466), causes the test to fail:
URLError: <urlopen error [SSL: CERTIFICATE_
If I pass the test CA file through urlopen(), for academic purposes as it's not backwards compatible, I find that the server cert is IPv4 only:
Certificate
A new certificate is needed, but only the CA's public cert is provided, so the old CA is useless for signing a new IPv4 & IPv6 certificate.
If I create a new CA and a new certificate and switch to the responses Python package (to enable SSL verification and full 2.7.x compatibility), then everything works and I have https:/
Changed in nova: | |
assignee: | nobody → Corey Wright (coreywright) |
Changed in nova: | |
status: | New → Confirmed |
importance: | Undecided → Low |
Changed in nova: | |
status: | Confirmed → In Progress |
Changed in nova: | |
milestone: | none → kilo-2 |
status: | Fix Committed → Fix Released |
Changed in nova: | |
milestone: | kilo-2 → 2015.1.0 |
Reviewed: https://review.openstack.org/143072
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=5b0cf8e0aab88d96df5f0f07c6a06974dd2d6c14
Submitter: Jenkins
Branch: master
commit 5b0cf8e0aab88d96df5f0f07c6a06974dd2d6c14
Author: Corey Wright <email address hidden>
Date: Fri Dec 19 04:15:30 2014 -0600
Update WSGI SSL IPv6 test and SSL certificates

Switch the WSGI SSL IPv6 test from urllib2 to Requests because of
Python 2.7.9 changes and provide a server SSL certificate that
supports IPv6.

The test failed on Python 2.7.9 because Python now verifies SSL
connections by default (PEP 466) and the test CA certificate was not
provided to verify the SSL connection. Passing urllib2.urlopener the
test CA certificate through the new cafile parameter allows Python to
verify the SSL connection, but is not compatible with prior versions
of Python. Requests supports using a CA file regardless of Python 2.7
version.

Once using Requests and the test CA certificate to verify the SSL
connection the test continued to fail because the previous certificate
only specified an IPv4 address, specifically in the deprecated Common
Name field, which is unsuitable for verifying an IPv6 address.

    Error: hostname '::1' doesn't match u'0.0.0.0'

A new certificate was created with a wildcard in the Common Name
field, but primarily depends on IPv4 and IPv6 localhost names and
addresses in the Subject Alternative Name field to accommodate a
variety of test scenarios and in line with industry practices (see RFC
2818).

The old CA's private key was not available to sign the new server
certificate so a new CA certificate was generated and its public and
private keys are provided.

Closes-Bug: #1404390
Change-Id: I990d5b5b57d1b5c569aa86828364b3a762d149e1
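
The name check behind the `hostname '::1' doesn't match u'0.0.0.0'` error, as an added example that is not code from nova, Requests or the commit: a simplified RFC 2818-style matcher run over two constructed `getpeercert()`-style dictionaries, one CN-only like the old certificate and one with Subject Alternative Name entries like the one the commit message describes. The function names and all certificate field values are assumptions made for illustration.

```python
import ipaddress

# Constructed getpeercert()-style dicts; names and values are illustrative.
OLD_CERT = {"subject": ((("commonName", "0.0.0.0"),),)}  # CN only, no SAN
NEW_CERT = {
    "subject": ((("commonName", "*"),),),
    "subjectAltName": (
        ("DNS", "localhost"),
        ("IP Address", "127.0.0.1"),
        ("IP Address", "0:0:0:0:0:0:0:1"),
    ),
}


def _as_ip(value):
    """Parse an IP literal (brackets allowed); None if it is a DNS name."""
    try:
        return ipaddress.ip_address(value.strip("[]"))
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Case-insensitive match; '*' may stand for the whole leftmost label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]


def _name_match(value, host, ip):
    # IP targets are compared as parsed addresses, so '::1' equals its long form.
    return _as_ip(value) == ip if ip is not None else _dns_match(value, host)


def cert_matches(cert, host):
    """True if host is covered by the SAN, or by the CN when no SAN exists."""
    ip = _as_ip(host)
    wanted = "IP Address" if ip is not None else "DNS"
    san = cert.get("subjectAltName", ())
    if san:  # SAN present: the deprecated Common Name is not consulted
        return any(kind == wanted and _name_match(value, host, ip)
                   for kind, value in san)
    return any(key == "commonName" and _name_match(value, host, ip)
               for rdn in cert.get("subject", ()) for key, value in rdn)


if __name__ == "__main__":
    for target in ("0.0.0.0", "127.0.0.1", "::1", "localhost"):
        print(target, cert_matches(OLD_CERT, target), cert_matches(NEW_CERT, target))
```

An IP target is only ever compared with `IP Address` entries and a DNS target only with `DNS` entries, which is why a single certificate has to list each localhost name and address it is expected to serve.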