certificate validation with IP address based SANs fails

Bug #1771988 reported by James Page
This bug affects 2 people
Affects                  Status        Importance  Assigned to  Milestone
Ubuntu Cloud Archive     Fix Released  Undecided   Unassigned
  Mitaka                 Fix Released  High        James Page
python-urllib3 (Ubuntu)  Fix Released  High        Unassigned
  Xenial                 Fix Released  High        James Page

Bug Description

[Impact]
Users of urllib3 are unable to securely access websites whose certificates use IP based subject alternative names; this includes OpenStack client tooling, which uses urllib3 via requests.

[Test Case]
Deploy and configure a server with TLS and an IP based SAN cert with a locally trusted CA.

import urllib3

http = urllib3.PoolManager()
# On an affected urllib3 this request fails certificate validation: the IP
# literal is never compared against the certificate's IP Address SAN entries.
r = http.request('GET', 'https://192.168.1.2')

will fail.

[Regression Potential]
Cherry picked fix comes from a later urllib3 release which has tested fine for IP SAN usage in later OpenStack release deployments.

[Original Bug Report]
urllib3 fails to validate certificates with IP address based SANs.

Fixed upstream: https://github.com/urllib3/urllib3/commit/c74bd70c3a97e30f0560bee9b7fa1bfc767ebf0b
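As an added illustration (this is not urllib3's code and not the patch linked above), the Python below shows what the IP-SAN fix changes: an IP literal in the URL is matched against the certificate's 'IP Address' SAN entries as parsed addresses instead of being compared only with DNS names. The certificate dict is constructed here in the shape returned by ssl.SSLSocket.getpeercert(); the function and sample names are assumptions.

```python
# Added example, not urllib3's own code: a minimal SAN matcher that shows
# what the IP-SAN fix changes. It works on the dict shape returned by
# ssl.SSLSocket.getpeercert(); the certificate below is constructed.
import ipaddress

# Constructed sample peer certificate (getpeercert() shape), not a real cert.
SAMPLE_CERT = {
    'subject': ((('commonName', 'controller.example.internal'),),),
    'subjectAltName': (
        ('DNS', 'controller.example.internal'),
        ('DNS', '*.svc.example.internal'),
        ('IP Address', '192.168.1.2'),
        ('IP Address', 'FD00::1'),   # uppercase hex, as some CAs emit it
    ),
}


def _dnsname_match(pattern, hostname):
    """Case-insensitive DNS-ID match; a whole-label '*' in the leftmost
    position covers exactly one label, nothing else is treated as a wildcard."""
    pat = pattern.lower().split('.')
    host = hostname.lower().split('.')
    if len(pat) != len(host) or '*' in pat[1:]:
        return False
    return all(p == '*' or p == h for p, h in zip(pat, host))


def _ipaddress_match(san_value, host_ip):
    """Compare an 'IP Address' SAN with the connected address as addresses."""
    try:
        return ipaddress.ip_address(san_value.strip()) == host_ip
    except ValueError:
        return False   # a malformed SAN entry never matches


def match_hostname(cert, hostname, support_ip_sans=True):
    """Return True when the certificate's SANs cover hostname.

    support_ip_sans=False reproduces the pre-fix behaviour: an IP literal
    is only ever compared to DNS entries, so an IP-only SAN never matches.
    """
    sans = cert.get('subjectAltName', ())
    dns_names = [v for k, v in sans if k == 'DNS']
    ip_names = [v for k, v in sans if k == 'IP Address']
    try:
        host_ip = ipaddress.ip_address(hostname)
    except ValueError:
        host_ip = None   # not an IP literal: ordinary DNS-ID matching
    if host_ip is None or not support_ip_sans:
        return any(_dnsname_match(d, hostname) for d in dns_names)
    # Parsed-address comparison: 'FD00::1' equals 'fd00::1', and a DNS entry
    # that merely looks like an IP cannot satisfy a connection to an IP.
    return any(_ipaddress_match(v, host_ip) for v in ip_names)
```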

Frode Nordahl (fnordahl) wrote :

Affects OpenStack releases <= Newton

This spec can be used to verify: https://github.com/openstack-charmers/openstack-mojo-specs/pull/13

James Page (james-page)
Changed in python-urllib3 (Ubuntu):
status: New → Fix Released
importance: Undecided → High
Changed in python-urllib3 (Ubuntu Xenial):
importance: Undecided → High
status: New → Triaged
Changed in cloud-archive:
status: New → Fix Released
James Page (james-page)
description: updated
Changed in python-urllib3 (Ubuntu Xenial):
assignee: nobody → James Page (james-page)
status: Triaged → Fix Released
James Page (james-page)
description: updated
James Page (james-page)
Changed in python-urllib3 (Ubuntu Xenial):
status: Fix Released → In Progress
James Page (james-page) wrote :

Marking Newton task as Invalid as urllib3 does not form part of that UCA pocket (uses version from Xenial).

description: updated
no longer affects: cloud-archive/newton
James Page (james-page) wrote :

Uploaded to xenial proposed for SRU team review.

Eric Desrochers (slashd)
tags: added: sts
Robie Basak (racb) wrote : Please test proposed package

Hello James, or anyone else affected,

Accepted python-urllib3 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python-urllib3/1.13.1-2ubuntu0.16.04.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in python-urllib3 (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-xenial
Eric Desrochers (slashd) wrote :

This has been brought to my attention by a user impacted by this bug:

"We tested the package in xenial-proposed and it worked great, thanks".

- Eric

tags: added: verification-done-xenial
removed: verification-needed-xenial
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for python-urllib3 has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-urllib3 - 1.13.1-2ubuntu0.16.04.2

---------------
python-urllib3 (1.13.1-2ubuntu0.16.04.2) xenial; urgency=medium

  * d/p/07_support_ip_sans.patch: Cherry pick fix to support use of
    IP based SAN's in TLS certificates (LP: #1771988).

 -- James Page <email address hidden> Mon, 20 Aug 2018 15:54:33 +0100

Changed in python-urllib3 (Ubuntu Xenial):
status: Fix Committed → Fix Released
James Page (james-page) wrote : Please test proposed package

Hello James, or anyone else affected,

Accepted python-urllib3 into mitaka-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:mitaka-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-mitaka-needed to verification-mitaka-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-mitaka-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-mitaka-needed
Corey Bryant (corey.bryant) wrote : Update Released

The verification of the Stable Release Update for python-urllib3 has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Corey Bryant (corey.bryant) wrote :

This bug was fixed in the package python-urllib3 - 1.13.1-2ubuntu0.16.04.2~cloud0
---------------

 python-urllib3 (1.13.1-2ubuntu0.16.04.2~cloud0) trusty-mitaka; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 python-urllib3 (1.13.1-2ubuntu0.16.04.2) xenial; urgency=medium
 .
   * d/p/07_support_ip_sans.patch: Cherry pick fix to support use of
     IP based SAN's in TLS certificates (LP: #1771988).
