pip-installed python-request breaks SSL/TLS mode
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
devstack |
Fix Released
|
Undecided
|
Rob Crittenden |
Bug Description
The SSL/TLS code relies on the system-wide CA bundle to include the CA that issued the certificates used by the various services. This was done to stop the proliferation of CA file options being added to every server and client, and sometimes doubly so when a server would talk to other servers.
The problem is that if a newer version of python-requests is required than is provided by the underlying OS provider then the upstream version is installed by pip. The upstream version of python-requests defaults to using its own CA bundle. The per-distro versions are modified to return their distro-specific path.
This will eventually cause installation to fail due to untrusted SSL server certificates.
Changed in devstack: | |
assignee: | nobody → Rob Crittenden (rcritten) |
Changed in devstack: | |
status: | In Progress → Fix Released |
Fix proposed to branch: master /review. openstack. org/186545
Review: https:/