urllib3 does not do certificate verification by default

Bug #1047054 reported by Jamie Strandboge on 2012-09-06
Affects                  Status        Importance  Assigned to  Milestone
python-urllib3 (Debian)  Fix Released  Unknown
python-urllib3 (Ubuntu)  Fix Released  Undecided   Unassigned

Bug Description

The following program (based on http://code.google.com/p/urllib3/wiki/Examples) can be easily MITMd:
#!/usr/bin/python
from urllib3 import HTTPSConnectionPool
# Default construction: urllib3 1.3 sets cert_reqs to None, so the
# server certificate is never checked (the reporter's paste read
# VerifiedHTTPSConnection here, which is not what was imported).
http_pool = HTTPSConnectionPool('www.google.com')
r = http_pool.urlopen('GET', '/', redirect=False)
print r.status, r.headers.get('location')
r = http_pool.urlopen('GET', '/', redirect=True)
print r.status, len(r.data)

Changing it to use:
http_pool = HTTPSConnectionPool('www.google.com', cert_reqs='CERT_REQUIRED', ca_certs='/etc/ssl/certs/ca-certificates.crt')

Results in urllib3 properly verifying certificates. python-urllib3 should use secure defaults and perform certificate verification unless an application author tells it not to.
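As an added example (not part of the report, and not urllib3's own code), the following audit helper walks Python source with the ast module and flags HTTPSConnectionPool constructions that would run with the unverified default described above. The sample source, the names find_unverified_pools and _requires_cert, and the reasons reported are all constructed here.

```python
import ast

# Constructed sample, not from the bug report: four ways of building a pool.
SAMPLE = '''\
import ssl, urllib3
from urllib3 import HTTPSConnectionPool
a = HTTPSConnectionPool('www.google.com')                         # 1.3 default: no check
b = HTTPSConnectionPool('www.google.com', cert_reqs='CERT_NONE')  # explicit opt-out
c = urllib3.HTTPSConnectionPool('www.google.com', cert_reqs=ssl.CERT_REQUIRED)  # no CA bundle
d = HTTPSConnectionPool('www.google.com', cert_reqs='CERT_REQUIRED',
                        ca_certs='/etc/ssl/certs/ca-certificates.crt')
'''

def _requires_cert(node):
    """True if the cert_reqs value is literally CERT_REQUIRED (string or ssl constant)."""
    if isinstance(node, ast.Constant):
        return node.value in ('CERT_REQUIRED', 'REQUIRED')
    if isinstance(node, ast.Attribute):
        return node.attr == 'CERT_REQUIRED'
    return False

def find_unverified_pools(source):
    """Return sorted (lineno, reason) pairs for HTTPSConnectionPool(...) calls
    that would not verify the server certificate under urllib3 1.3's defaults."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, 'id', None)
        if name != 'HTTPSConnectionPool':
            continue
        # Keyword arguments by name; a **kwargs splat (arg is None) cannot be inspected.
        kwargs = {k.arg: k.value for k in node.keywords if k.arg is not None}
        if 'cert_reqs' not in kwargs:
            findings.append((node.lineno, 'cert_reqs not set: 1.3 default is no verification'))
        elif not _requires_cert(kwargs['cert_reqs']):
            findings.append((node.lineno, 'cert_reqs is not CERT_REQUIRED; review manually'))
        elif 'ca_certs' not in kwargs:
            findings.append((node.lineno, 'CERT_REQUIRED but no ca_certs: no trust anchors'))
    return sorted(findings)

if __name__ == '__main__':
    for lineno, reason in find_unverified_pools(SAMPLE):
        print('line %d: %s' % (lineno, reason))
```

Only the last construction in SAMPLE (the one the report recommends) passes; the other three are reported with their line numbers.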

description: updated
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package python-urllib3 - 1.3-2ubuntu1

---------------
python-urllib3 (1.3-2ubuntu1) quantal; urgency=low

  * debian/patches/02_require-cert-verification.patch: verify SSL certificates
    by default (LP: #1047054)
 -- Jamie Strandboge <email address hidden> Thu, 06 Sep 2012 16:15:29 -0500

Changed in python-urllib3 (Ubuntu):
status: New → Fix Released
Changed in python-urllib3 (Debian):
status: Unknown → New
Changed in python-urllib3 (Debian):
status: New → Fix Released