Python 2.7.9 breaks nova.tests.unit.test_wsgi.TestWSGIServerWithSSL.test_app_using_ipv6_and_ssl

Bug #1404390 reported by Corey Wright
This bug affects 2 people
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Low
Assigned to: Corey Wright

Bug Description

nova git version is 2014.2-1545-gd442187 (i.e. master as of now).

Python 2.7.9, with its securing the network by default (PEP 466), causes the test to fail:

    URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)>

If I pass the test CA file through urlopen(), for academic purposes as it's not backwards compatible, I find that the server cert is IPv4 only:

    CertificateError: hostname '::1' doesn't match u'0.0.0.0'

A new certificate is needed, but only the CA's public cert is provided, so the old CA is useless for signing a new IPv4 & IPv6 certificate.

If I create a new CA and a new certificate and switch to the responses Python package (to enable SSL verification and full 2.7.x compatibility), then everything works and I have https://review.openstack.org/143072.

Changed in nova:
assignee: nobody → Corey Wright (coreywright)
Joe Gordon (jogo)
Changed in nova:
status: New → Confirmed
importance: Undecided → Low
Changed in nova:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/143072
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=5b0cf8e0aab88d96df5f0f07c6a06974dd2d6c14
Submitter: Jenkins
Branch: master

commit 5b0cf8e0aab88d96df5f0f07c6a06974dd2d6c14
Author: Corey Wright <email address hidden>
Date: Fri Dec 19 04:15:30 2014 -0600

    Update WSGI SSL IPv6 test and SSL certificates

    Switch the WSGI SSL IPv6 test from urllib2 to Requests because of
    Python 2.7.9 changes and provide a server SSL certificate that
    supports IPv6.

    The test failed on Python 2.7.9 because Python now verifies SSL
    connections by default (PEP 466) and the test CA certificate was not
    provided to verify the SSL connection. Passing urllib2.urlopener the
    test CA certificate through the new cafile parameter allows Python to
    verify the SSL connection, but is not compatible with prior versions
    of Python. Requests supports using a CA file regardless of Python 2.7
    version.

    Once using Requests and the test CA certificate to verify the SSL
    connection the test continued to fail because the previous certificate
    only specified an IPv4 address, specifically in the deprecated Common
    Name field, which is unsuitable for verifying an IPv6 address.

        Error: hostname '::1' doesn't match u'0.0.0.0'

    A new certificate was created with a wildcard in the Common Name
    field, but primarily depends on IPv4 and IPv6 localhost names and
    addresses in the Subject Alternative Name field to accommodate a
    variety of test scenarios and in line with industry practices (see RFC
    2818).

    The old CA's private key was not available to sign the new server
    certificate so a new CA certificate was generated and its public and
    private keys are provided.

    Closes-Bug: #1404390

    Change-Id: I990d5b5b57d1b5c569aa86828364b3a762d149e1

Changed in nova:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in nova:
milestone: none → kilo-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in nova:
milestone: kilo-2 → 2015.1.0
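
Added example, not part of the bug report or the nova commit: a simplified Python 3 model of the host-identity check described in the commit message (RFC 2818 matching with the legacy Common Name fallback), showing why a certificate that carries only Common Name 0.0.0.0 cannot verify '::1' while Subject Alternative Name entries can. The certificate dicts and the names verify_host, OLD_CERT and NEW_CERT are constructed for illustration and are not the real nova test certificates.

```python
import ipaddress

# Constructed certificates in the dict shape of ssl.SSLSocket.getpeercert();
# they are not the real nova test certificates.
OLD_CERT = {"subject": ((("commonName", "0.0.0.0"),),)}
NEW_CERT = {
    "subject": ((("commonName", "*"),),),  # wildcard CN, value constructed
    "subjectAltName": (
        ("DNS", "localhost"),
        ("IP Address", "127.0.0.1"),
        ("IP Address", "0:0:0:0:0:0:0:1"),
    ),
}


def _as_ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _common_names(cert):
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def _dns_match(pattern, host):
    """Case-insensitive match; '*' may stand for the whole left-most label only."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]


def verify_host(cert, host):
    """Return (ok, names_checked) for host against cert."""
    san = cert.get("subjectAltName", ())
    host_ip = _as_ip(host)
    if host_ip is not None:
        # IP literals are compared as addresses, so '::1' equals '0:0:...:1'
        # and an IPv4 entry can never satisfy an IPv6 host.
        names = [v for k, v in san if k == "IP Address"]
        if not san:  # legacy fallback to Common Name when the cert has no SAN
            names = _common_names(cert)
        return any(_as_ip(n) == host_ip for n in names), names
    # Common Name is consulted only when no dNSName entry is present.
    names = [v for k, v in san if k == "DNS"] or _common_names(cert)
    return any(_dns_match(n, host) for n in names), names
```
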