Certificate validation with IP address based SANs fails

Bug #1771988 reported by James Page on 2018-05-18
This bug affects 2 people
Affects                    Importance   Assigned to
Ubuntu Cloud Archive       Undecided    Unassigned
  Mitaka                   High         James Page
python-urllib3 (Ubuntu)    High         Unassigned
  Xenial                   High         James Page

Bug Description

[Impact]
Users of urllib3 are unable to securely access websites whose certificates use IP-based subject alternative names; this includes OpenStack client tooling, which uses urllib3 via requests.

[Test Case]
Deploy and configure a server with TLS and an IP based SAN cert with a locally trusted CA.

import urllib3

http = urllib3.PoolManager()
r = http.request('GET', 'https://192.168.1.2')

will fail

[Regression Potential]
The cherry-picked fix comes from a later urllib3 release, which has tested fine for IP SAN usage in later OpenStack release deployments.

[Original Bug Report]
urllib3 fails to validate certificates with IP address based SANs.

Fixed upstream: https://github.com/urllib3/urllib3/commit/c74bd70c3a97e30f0560bee9b7fa1bfc767ebf0b
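The following is an added illustration of the check at the heart of this bug; it is not part of the bug report and not urllib3's own code. It models hostname verification over the dictionary shape that ssl.SSLSocket.getpeercert() returns, with constructed certificate data, and contrasts a matcher that only consults DNS SAN entries (the pre-fix behaviour as modelled here, selected with ip_sans=False) against one that also compares iPAddress SAN entries with the address the client connected to. The cert dictionaries, hostnames and the ip_sans switch are all constructed for the example.

```python
"""Hostname matching against a peer certificate, with and without IP SAN support.

Added example, not urllib3's code. The certificate dictionaries below are
constructed in the layout returned by ssl.SSLSocket.getpeercert().
"""
import ipaddress

# Constructed: a typical deployment cert with a DNS commonName and IP SANs.
IP_SAN_CERT = {
    "subject": ((("commonName", "gateway.example.internal"),),),
    "subjectAltName": (
        ("IP Address", "192.168.1.2"),
        ("IP Address", "2001:DB8::1"),
    ),
}

# Constructed: a cert with DNS SANs only, including a single-label wildcard.
DNS_SAN_CERT = {
    "subject": ((("commonName", "api.example.internal"),),),
    "subjectAltName": (
        ("DNS", "api.example.internal"),
        ("DNS", "*.example.internal"),
    ),
}


def _dnsname_match(dn, hostname):
    """RFC 6125 style DNS name match: exact labels, wildcard only as the
    whole leftmost label, never matching across a dot or an IDNA label."""
    if not dn:
        return False
    dn_labels = dn.lower().split(".")
    host_labels = hostname.lower().split(".")
    if len(dn_labels) != len(host_labels):
        return False
    left, rest = dn_labels[0], dn_labels[1:]
    if rest != host_labels[1:]:
        return False
    if left == "*":
        return not host_labels[0].startswith("xn--")
    if "*" in left:
        return False  # partial-label wildcards such as f*.example are rejected
    return left == host_labels[0]


def _ipaddress_match(san_value, host_ip):
    """Compare an iPAddress SAN with the address the client connected to.
    Parsing both sides normalises IPv6 spelling, so 2001:DB8::1 equals
    2001:db8:0:0:0:0:0:1; a plain string comparison would not."""
    try:
        cert_ip = ipaddress.ip_address(san_value.strip())
    except ValueError:
        return False
    return cert_ip == host_ip


def match_hostname(cert, hostname, ip_sans=True):
    """Return True if cert is valid for hostname.

    ip_sans=False models a matcher that ignores iPAddress SAN entries: when
    the client connected to an IP literal, only the legacy commonName
    fallback remains, and it fails whenever the CN is a DNS name.
    """
    host_ip = None
    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        pass  # not an IP literal, so treat it as a DNS name
    san_seen = []
    for key, value in cert.get("subjectAltName", ()):
        if key == "DNS":
            if host_ip is None and _dnsname_match(value, hostname):
                return True
            san_seen.append(value)
        elif key == "IP Address" and ip_sans:
            if host_ip is not None and _ipaddress_match(value, host_ip):
                return True
            san_seen.append(value)
    if not san_seen:
        # No usable SAN entries: legacy fallback to the subject commonName.
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and _dnsname_match(value, hostname):
                    return True
    return False


if __name__ == "__main__":
    for ip_sans in (False, True):
        ok = match_hostname(IP_SAN_CERT, "192.168.1.2", ip_sans=ip_sans)
        print("IP SAN support %s -> https://192.168.1.2 verifies: %s" % (ip_sans, ok))
```

Note that once any SAN entry is present, the commonName is never consulted, which is why a certificate with CN set to the IP address does not rescue a client that ignores iPAddress entries; the only robust client-side fix is to compare the connected address with the iPAddress SAN, as the upstream change linked above does.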

Frode Nordahl (fnordahl) wrote :

Affects OpenStack releases <= Newton

This spec can be used to verify: https://github.com/openstack-charmers/openstack-mojo-specs/pull/13

James Page (james-page) on 2018-07-26
Changed in python-urllib3 (Ubuntu):
status: New → Fix Released
importance: Undecided → High
Changed in python-urllib3 (Ubuntu Xenial):
importance: Undecided → High
status: New → Triaged
Changed in cloud-archive:
status: New → Fix Released
James Page (james-page) on 2018-08-20
description: updated
Changed in python-urllib3 (Ubuntu Xenial):
assignee: nobody → James Page (james-page)
status: Triaged → Fix Released
James Page (james-page) on 2018-08-20
description: updated
James Page (james-page) on 2018-08-20
Changed in python-urllib3 (Ubuntu Xenial):
status: Fix Released → In Progress
James Page (james-page) wrote :

Marking Newton task as Invalid as urllib3 does not form part of that UCA pocket (uses version from Xenial).

description: updated
no longer affects: cloud-archive/newton
James Page (james-page) wrote :

Uploaded to xenial proposed for SRU team review.

Eric Desrochers (slashd) on 2018-08-22
tags: added: sts

Hello James, or anyone else affected,

Accepted python-urllib3 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python-urllib3/1.13.1-2ubuntu0.16.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

Changed in python-urllib3 (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-xenial
Eric Desrochers (slashd) wrote :

This has been brought to my attention by a user impacted by this bug:

"We tested the package in xenial-proposed and it worked great, thanks".

- Eric

tags: added: verification-done-xenial
removed: verification-needed-xenial

The verification of the Stable Release Update for python-urllib3 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-urllib3 - 1.13.1-2ubuntu0.16.04.2

---------------
python-urllib3 (1.13.1-2ubuntu0.16.04.2) xenial; urgency=medium

  * d/p/07_support_ip_sans.patch: Cherry pick fix to support use of
    IP based SAN's in TLS certificates (LP: #1771988).

 -- James Page <email address hidden> Mon, 20 Aug 2018 15:54:33 +0100

Changed in python-urllib3 (Ubuntu Xenial):
status: Fix Committed → Fix Released

Hello James, or anyone else affected,

Accepted python-urllib3 into mitaka-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:mitaka-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-mitaka-needed to verification-mitaka-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-mitaka-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance!

tags: added: verification-mitaka-needed

The verification of the Stable Release Update for python-urllib3 has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Corey Bryant (corey.bryant) wrote :

This bug was fixed in the package python-urllib3 - 1.13.1-2ubuntu0.16.04.2~cloud0
---------------

 python-urllib3 (1.13.1-2ubuntu0.16.04.2~cloud0) trusty-mitaka; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 python-urllib3 (1.13.1-2ubuntu0.16.04.2) xenial; urgency=medium
 .
   * d/p/07_support_ip_sans.patch: Cherry pick fix to support use of
     IP based SAN's in TLS certificates (LP: #1771988).
