python package does not depend on ca-certificates

Bug #1879310 reported by Christian Heimes on 2020-05-18
This bug affects 1 person
Affects                    Status  Importance  Assigned to  Milestone
python3-defaults (Debian)  New     Unknown
python3.6 (Ubuntu)                 Undecided   Unassigned
  Bionic                           Undecided   Unassigned
  Focal                            Undecided   Unassigned
python3.8 (Ubuntu)                 Undecided   Unassigned
  Bionic                           Undecided   Unassigned
  Focal                            Undecided   Unassigned

Bug Description

(Affects all Python versions)

Python has no dependency on ca-certificates. Installing Python on a minimal Debian or Ubuntu container image does not pull in ca-certificates. This results in certificate validation issues as no trust anchors are available. Python's ssl module and ssl.create_default_context() depend on default root CA packages being available.

Since Python 2.7.9 and 3.4.0 the ssl module encourages developers to use ssl.create_default_context() to create a working and securely configured SSL context object. The implementation assumes that the platform has a correctly configured OpenSSL libssl that can load the default trust anchors (root CA certificates) with SSL_CTX_set_default_verify_paths().

Reproducer:

# docker run -ti ubuntu:bionic /bin/bash
# apt-get update
# apt-get install -y python3

# ls -la /etc/ssl/certs/ca-certificates.crt
ls: cannot access '/etc/ssl/certs/ca-certificates.crt': No such file or directory
# dpkg -l ca-certificates
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-===============-============-============-=================================
un ca-certificates <none> <none> (no description available)

# python3 -c 'from urllib.request import urlopen; urlopen("https://www.python.org")'
Traceback (most recent call last):
...
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)>
# echo $?
1

# apt-get install -y ca-certificates
# python3 -c 'from urllib.request import urlopen; urlopen("https://www.python.org")'
root@seneca:/# echo $?
0

Proposed solution:
Either all Python interpreter packages or libssl should pull in ca-certificates.

I have reported the bug on Debian's bug tracker as well, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=960869

Changed in python3-defaults (Debian):
status: Unknown → New
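
The following check is an added example, not part of the original report or of Python itself: it inspects the trust-anchor locations that ssl.create_default_context() relies on, so an image build or container health check can fail early when ca-certificates is absent. The function names are hypothetical, and the check only tests that a location exists and is non-empty; it does not parse the certificates.

```python
import os
import ssl
import sys


def _nonempty_file(path):
    return bool(path) and os.path.isfile(path) and os.path.getsize(path) > 0


def _nonempty_dir(path):
    return bool(path) and os.path.isdir(path) and bool(os.listdir(path))


def check_trust_store(cafile, capath):
    """Return (ok, notes) for a CA bundle file and a hashed CA directory."""
    notes = []
    if not _nonempty_file(cafile):
        notes.append("CA bundle missing or empty: %s" % cafile)
    if not _nonempty_dir(capath):
        notes.append("CA directory missing or empty: %s" % capath)
    # OpenSSL can build a chain if either location supplies trust anchors.
    return len(notes) < 2, notes


def check_default_trust_store():
    """Check the locations this interpreter's OpenSSL uses by default."""
    paths = ssl.get_default_verify_paths()
    # Honour SSL_CERT_FILE / SSL_CERT_DIR, else the compiled-in defaults.
    cafile = os.environ.get(paths.openssl_cafile_env) or paths.openssl_cafile
    capath = os.environ.get(paths.openssl_capath_env) or paths.openssl_capath
    ok, notes = check_trust_store(cafile, capath)
    # Certificates from the bundle file are loaded eagerly and counted here.
    # Certificates in the directory are loaded on demand and may show as 0.
    loaded = ssl.create_default_context().cert_store_stats()["x509_ca"]
    return ok, notes, loaded


if __name__ == "__main__":
    ok, notes, loaded = check_default_trust_store()
    print("CA certificates loaded from bundle:", loaded)
    for note in notes:
        print("note:", note)
    if not ok:
        print("no trust anchors found; install the ca-certificates package")
    sys.exit(0 if ok else 1)
```

Run as a script, it exits non-zero when neither default location provides trust anchors, which is the state the reproducer above shows before ca-certificates is installed.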