urllib3 does not do certificate verification by default

Bug #1047054 reported by Jamie Strandboge
Affects                   Status        Importance  Assigned to  Milestone
python-urllib3 (Debian)   Fix Released
python-urllib3 (Ubuntu)   Fix Released
Bug Description

The following program (based on http://code.google.com/p/urllib3/wiki/Examples) can be easily MITMd:
from urllib3 import HTTPSConnectionPool

# urllib3 1.3 default: no cert_reqs/ca_certs given, so the server certificate is never checked
http_pool = HTTPSConnectionPool('www.google.com')
r = http_pool.urlopen('GET', '/', redirect=False)
print(r.status, r.headers.get('location'))
r = http_pool.urlopen('GET', '/', redirect=True)
print(r.status, len(r.data))

Changing it to use:
http_pool = HTTPSConnectionPool('www.google.com', cert_reqs='CERT_REQUIRED', ca_certs='/etc/ssl/certs/ca-certificates.crt')

Results in urllib3 properly verifying certificates. python-urllib3 should use secure defaults and perform certificate verification unless an application author tells it not to.
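
As an added illustration (not part of the report and not urllib3's own code), the script below puts the two configurations side by side against a local HTTPS server that presents a self-signed certificate, which is exactly what a TLS-terminating MITM looks like to the client. It assumes Python 3, a current urllib3 (the 1.26/2.x API: HTTPSConnectionPool with cert_reqs, ca_certs and retries keyword arguments) and the openssl command on PATH; the server, the throwaway certificate and the helper names (make_self_signed_cert, start_https_server, fetch_status, compare_policies) are constructed for the example. With retries=False the SSLError surfaces directly instead of being wrapped in MaxRetryError.

```python
import http.server
import os
import ssl
import subprocess
import tempfile
import threading

import urllib3

# the system bundle named in the report (Debian/Ubuntu path); falls back to
# urllib3's default trust store if the file is absent on this machine
CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"


def make_self_signed_cert(directory):
    """Mint a throwaway self-signed cert for 127.0.0.1 (assumes the openssl CLI is on PATH).

    To a client this is indistinguishable from a MITM box that terminates TLS.
    """
    cert = os.path.join(directory, "cert.pem")
    key = os.path.join(directory, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=localhost",
         "-addext", "subjectAltName=DNS:localhost,IP:127.0.0.1",
         "-keyout", key, "-out", cert],
        check=True, capture_output=True,
    )
    return cert, key


class _Handler(http.server.BaseHTTPRequestHandler):
    """Minimal HTTPS endpoint; any client that gets a 200 back has accepted the cert."""

    def do_GET(self):
        body = b"served by the self-signed (untrusted) server\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_https_server(cert, key):
    """Serve _Handler over TLS on an ephemeral 127.0.0.1 port in a daemon thread."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    server = http.server.HTTPServer(("127.0.0.1", 0), _Handler)
    server.socket = ctx.wrap_socket(server.socket, server_side=True)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def fetch_status(port, cert_reqs, ca_certs=None):
    """GET / with the given verification policy and return the HTTP status.

    retries=False makes urllib3 re-raise the SSLError instead of wrapping it.
    """
    pool = urllib3.HTTPSConnectionPool(
        "127.0.0.1", port, cert_reqs=cert_reqs, ca_certs=ca_certs, retries=False
    )
    try:
        return pool.request("GET", "/").status
    finally:
        pool.close()


def compare_policies():
    """Run three client configurations against the untrusted server."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed_cert(tmp)
        server, port = start_https_server(cert, key)
        try:
            results = {
                # urllib3 1.3's default: no verification, the MITM cert is accepted
                "unverified": fetch_status(port, "CERT_NONE"),
                # verification on, trust anchored at exactly this cert: accepted
                "verified_with_server_cert": fetch_status(port, "CERT_REQUIRED", cert),
            }
            try:
                # verification on, trust anchored at the system bundle (the
                # report's fixed call): the self-signed cert must be refused
                fetch_status(port, "CERT_REQUIRED",
                             CA_BUNDLE if os.path.exists(CA_BUNDLE) else None)
                results["verified_with_system_cas"] = "connected"
            except urllib3.exceptions.SSLError:
                results["verified_with_system_cas"] = "rejected"
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for policy, outcome in compare_policies().items():
        print(f"{policy}: {outcome}")
```

The unverified pool happily talks to the impostor, the pool that trusts only the server's own certificate connects (that is how you pin a private CA), and the pool anchored at the system bundle refuses the handshake. The second case also shows why ca_certs matters as much as cert_reqs: verification only means something relative to a trust store you chose.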

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-urllib3 - 1.3-2ubuntu1

python-urllib3 (1.3-2ubuntu1) quantal; urgency=low

  * debian/patches/02_require-cert-verification.patch: verify SSL certificates
    by default (LP: #1047054)
 -- Jamie Strandboge <email address hidden> Thu, 06 Sep 2012 16:15:29 -0500

Changed in python-urllib3 (Ubuntu):
status: New → Fix Released
Changed in python-urllib3 (Debian):
status: Unknown → New
Changed in python-urllib3 (Debian):
status: New → Fix Released