2019-03-14 15:56:16 |
Dan Streetman |
bug |
|
|
added bug |
2019-03-14 15:56:26 |
Dan Streetman |
nominated for series |
|
Ubuntu Cosmic |
|
2019-03-14 15:56:26 |
Dan Streetman |
bug task added |
|
python-etcd3gw (Ubuntu Cosmic) |
|
2019-03-14 15:56:26 |
Dan Streetman |
nominated for series |
|
Ubuntu Disco |
|
2019-03-14 15:56:26 |
Dan Streetman |
bug task added |
|
python-etcd3gw (Ubuntu Disco) |
|
2019-03-14 15:56:26 |
Dan Streetman |
nominated for series |
|
Ubuntu Bionic |
|
2019-03-14 15:56:26 |
Dan Streetman |
bug task added |
|
python-etcd3gw (Ubuntu Bionic) |
|
2019-03-14 15:56:32 |
Dan Streetman |
python-etcd3gw (Ubuntu Bionic): importance |
Undecided |
Medium |
|
2019-03-14 15:56:33 |
Dan Streetman |
python-etcd3gw (Ubuntu Cosmic): importance |
Undecided |
Medium |
|
2019-03-14 15:56:35 |
Dan Streetman |
python-etcd3gw (Ubuntu Disco): importance |
Undecided |
Medium |
|
2019-03-14 15:56:36 |
Dan Streetman |
python-etcd3gw (Ubuntu Disco): status |
New |
In Progress |
|
2019-03-14 15:56:38 |
Dan Streetman |
python-etcd3gw (Ubuntu Cosmic): status |
New |
In Progress |
|
2019-03-14 15:56:40 |
Dan Streetman |
python-etcd3gw (Ubuntu Bionic): status |
New |
In Progress |
|
2019-03-14 15:56:41 |
Dan Streetman |
python-etcd3gw (Ubuntu Disco): assignee |
|
Dan Streetman (ddstreet) |
|
2019-03-14 15:56:46 |
Dan Streetman |
python-etcd3gw (Ubuntu Bionic): assignee |
|
Dan Streetman (ddstreet) |
|
2019-03-14 15:56:47 |
Dan Streetman |
python-etcd3gw (Ubuntu Cosmic): assignee |
|
Dan Streetman (ddstreet) |
|
2020-03-27 21:03:21 |
Dan Streetman |
description |
[impact]
a connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[test case]
TBD
[regression potential]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0 |
[impact]
a connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[test case]
TBD
[regression potential]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[scope]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic, Eoan, and Focal. This package was not included in Xenial. |
|
2020-03-27 21:03:31 |
Dan Streetman |
python-etcd3gw (Ubuntu Cosmic): status |
In Progress |
Won't Fix |
|
2020-03-27 21:03:33 |
Dan Streetman |
python-etcd3gw (Ubuntu Disco): status |
In Progress |
Won't Fix |
|
2020-03-27 21:03:38 |
Dan Streetman |
nominated for series |
|
Ubuntu Focal |
|
2020-03-27 21:03:38 |
Dan Streetman |
bug task added |
|
python-etcd3gw (Ubuntu Focal) |
|
2020-03-27 21:03:38 |
Dan Streetman |
nominated for series |
|
Ubuntu Eoan |
|
2020-03-27 21:03:38 |
Dan Streetman |
bug task added |
|
python-etcd3gw (Ubuntu Eoan) |
|
2020-03-27 21:03:48 |
Dan Streetman |
python-etcd3gw (Ubuntu Focal): status |
In Progress |
New |
|
2020-03-27 21:03:50 |
Dan Streetman |
python-etcd3gw (Ubuntu Bionic): status |
In Progress |
New |
|
2020-03-27 21:03:53 |
Dan Streetman |
python-etcd3gw (Ubuntu Bionic): assignee |
Dan Streetman (ddstreet) |
|
|
2020-03-27 21:03:54 |
Dan Streetman |
python-etcd3gw (Ubuntu Cosmic): assignee |
Dan Streetman (ddstreet) |
|
|
2020-03-27 21:03:56 |
Dan Streetman |
python-etcd3gw (Ubuntu Disco): assignee |
Dan Streetman (ddstreet) |
|
|
2020-03-27 21:03:58 |
Dan Streetman |
python-etcd3gw (Ubuntu Focal): assignee |
Dan Streetman (ddstreet) |
|
|
2020-03-27 21:04:03 |
Dan Streetman |
python-etcd3gw (Ubuntu Eoan): importance |
Undecided |
Medium |
|
2020-03-27 21:04:11 |
Dan Streetman |
tags |
|
sts |
|
2020-03-30 17:45:14 |
Dan Streetman |
tags |
sts |
sts sts-sponsor-volunteer |
|
2020-08-18 16:58:43 |
Brian Murray |
python-etcd3gw (Ubuntu Eoan): status |
New |
Won't Fix |
|
2020-11-10 23:15:31 |
Heather Lemon |
python-etcd3gw (Ubuntu Bionic): assignee |
|
Heather Lemon (hypothetical-lemon) |
|
2020-11-10 23:15:34 |
Heather Lemon |
python-etcd3gw (Ubuntu Focal): assignee |
|
Heather Lemon (hypothetical-lemon) |
|
2020-11-12 23:26:49 |
Heather Lemon |
python-etcd3gw (Ubuntu Bionic): status |
New |
In Progress |
|
2020-11-12 23:26:51 |
Heather Lemon |
python-etcd3gw (Ubuntu Focal): status |
New |
In Progress |
|
2020-12-09 18:57:17 |
Heather Lemon |
nominated for series |
|
Ubuntu Hirsute |
|
2020-12-09 18:57:17 |
Heather Lemon |
bug task added |
|
python-etcd3gw (Ubuntu Hirsute) |
|
2020-12-09 18:57:17 |
Heather Lemon |
nominated for series |
|
Ubuntu Groovy |
|
2020-12-09 18:57:17 |
Heather Lemon |
bug task added |
|
python-etcd3gw (Ubuntu Groovy) |
|
2021-01-04 17:32:21 |
Heather Lemon |
attachment added |
|
lp1820083-tlsparams-bionic.debdiff https://bugs.launchpad.net/ubuntu/bionic/+source/python-etcd3gw/+bug/1820083/+attachment/5449229/+files/lp1820083-tlsparams-bionic.debdiff |
|
2021-01-04 18:46:08 |
Heather Lemon |
attachment added |
|
lp1820083-focal-tlsparams.debdiff https://bugs.launchpad.net/ubuntu/bionic/+source/python-etcd3gw/+bug/1820083/+attachment/5449249/+files/lp1820083-focal-tlsparams.debdiff |
|
2021-01-04 20:31:16 |
Ubuntu Foundations Team Bug Bot |
tags |
sts sts-sponsor-volunteer |
patch sts sts-sponsor-volunteer |
|
2021-01-04 20:31:25 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2021-01-07 20:30:31 |
Heather Lemon |
description |
[impact]
a connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[test case]
TBD
[regression potential]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[scope]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic, Eoan, and Focal. This package was not included in Xenial. |
[impact]
a connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[test case]
create self signed certs
-----
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
download binaries & launch etcd locally with TLS enabled
----
cd ~
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo mv etcd etcdctl /usr/bin/
cd ~
rm -rf etcd-v3.3.14-linux-amd64*
*note I named my directory infra0
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health
if successful,
{"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
```
def test_client_tls(self):
    client = Etcd3Client(host="localhost", protocol="https", ca_cert="~/localhost.crt", cert_key="~/localhost.key", cert_cert="~/user.crt", timeout=10)
    response = client.get("/health")
    print(response)
```
Run the newly added unit test
python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[regression potential]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[scope]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic, Eoan, and Focal. This package was not included in Xenial. |
|
2021-01-08 14:31:57 |
Heather Lemon |
description |
[impact]
a connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[test case]
create self signed certs
-----
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
download binaries & launch etcd locally with TLS enabled
----
cd ~
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo mv etcd etcdctl /usr/bin/
cd ~
rm -rf etcd-v3.3.14-linux-amd64*
*note I named my directory infra0
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health
if successful,
{"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
```
def test_client_tls(self):
    client = Etcd3Client(host="localhost", protocol="https", ca_cert="~/localhost.crt", cert_key="~/localhost.key", cert_cert="~/user.crt", timeout=10)
    response = client.get("/health")
    print(response)
```
Run the newly added unit test
python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[regression potential]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[scope]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic, Eoan, and Focal. This package was not included in Xenial. |
[impact]
a connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[test case]
I am currently updating the unit test to include testing of TLS params
[regression potential]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[scope]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic, Eoan, and Focal. This package was not included in Xenial. |
|
2021-01-09 09:29:14 |
Mathew Hodson |
python-etcd3gw (Ubuntu Groovy): importance |
Undecided |
Medium |
|
2021-01-19 04:56:46 |
Mathew Hodson |
python-etcd3gw (Ubuntu Hirsute): status |
New |
Fix Released |
|
2021-02-09 15:36:38 |
Heather Lemon |
description |
[impact]
a connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[test case]
I am currently updating the unit test to include testing of TLS params
[regression potential]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[scope]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic, Eoan, and Focal. This package was not included in Xenial. |
[impact]
a connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[test case]
We will be backporting this as part of the python-etcd3gw from upstream debian maintainers who bumped the version from 0.2.1-3 to 0.2.5-1
Running the additional unit tests provided for this would be enough to trigger the raised exception.
[regression potential]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[scope]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic, Eoan, and Focal. This package was not included in Xenial. |
|
2021-02-09 15:37:30 |
Heather Lemon |
description |
[impact]
a connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[test case]
We will be backporting this as part of the python-etcd3gw from upstream debian maintainers who bumped the version from 0.2.1-3 to 0.2.5-1
Running the additional unit tests provided for this would be enough to trigger the raised exception.
[regression potential]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[scope]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic, Eoan, and Focal. This package was not included in Xenial. |
[impact]
a connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Case]
We will be backporting this as part of the python-etcd3gw from upstream debian maintainers who bumped the version from 0.2.1-3 to 0.2.5-1
Running the additional unit tests provided for this would be enough to trigger the raised exception.
[Regression Potential]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Scope]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-02-09 15:37:39 |
Heather Lemon |
description |
[impact]
a connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Case]
We will be backporting this as part of the python-etcd3gw from upstream debian maintainers who bumped the version from 0.2.1-3 to 0.2.5-1
Running the additional unit tests provided for this would be enough to trigger the raised exception.
[Regression Potential]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Scope]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
a connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Case]
We will be backporting this as part of the python-etcd3gw from upstream debian maintainers who bumped the version from 0.2.1-3 to 0.2.5-1
Running the additional unit tests provided for this would be enough to trigger the raised exception.
[Regression Potential]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Scope]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-02-09 15:40:21 |
Heather Lemon |
description |
[Impact]
a connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Case]
We will be backporting this as part of the python-etcd3gw from upstream debian maintainers who bumped the version from 0.2.1-3 to 0.2.5-1
Running the additional unit tests provided for this would be enough to trigger the raised exception.
[Regression Potential]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Scope]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
a connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Case]
We will be backporting this as part of the python-etcd3gw from upstream debian maintainers who bumped the version from 0.2.1-3 to 0.2.5-1
Running the additional unit tests provided for this would be enough to trigger the raised exception.
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other Info]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-02-09 15:40:29 |
Heather Lemon |
description |
[Impact]
a connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Case]
We will be backporting this as part of the python-etcd3gw from upstream debian maintainers who bumped the version from 0.2.1-3 to 0.2.5-1
Running the additional unit tests provided for this would be enough to trigger the raised exception.
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other Info]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Case]
We will be backporting this as part of the python-etcd3gw from upstream debian maintainers who bumped the version from 0.2.1-3 to 0.2.5-1
Running the additional unit tests provided for this would be enough to trigger the raised exception.
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other Info]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-02-09 19:32:04 |
Heather Lemon |
python-etcd3gw (Ubuntu Groovy): status |
New |
Triaged |
|
2021-02-09 19:32:09 |
Heather Lemon |
python-etcd3gw (Ubuntu Groovy): status |
Triaged |
In Progress |
|
2021-02-09 19:32:13 |
Heather Lemon |
python-etcd3gw (Ubuntu Groovy): assignee |
|
Heather Lemon (hypothetical-lemon) |
|
2021-02-16 21:31:26 |
Heather Lemon |
attachment added |
|
lp1820083-set-tls-groovy.debdiff https://bugs.launchpad.net/ubuntu/groovy/+source/python-etcd3gw/+bug/1820083/+attachment/5464269/+files/lp1820083-set-tls-groovy.debdiff |
|
2021-02-16 21:40:39 |
Heather Lemon |
attachment removed |
lp1820083-set-tls-groovy.debdiff https://bugs.launchpad.net/ubuntu/groovy/+source/python-etcd3gw/+bug/1820083/+attachment/5464269/+files/lp1820083-set-tls-groovy.debdiff |
|
|
2021-02-16 21:41:04 |
Heather Lemon |
attachment added |
|
lp1820083-set-tls-groovy.debdiff https://bugs.launchpad.net/ubuntu/groovy/+source/python-etcd3gw/+bug/1820083/+attachment/5464270/+files/lp1820083-set-tls-groovy.debdiff |
|
2021-02-16 23:36:25 |
Heather Lemon |
attachment removed |
lp1820083-tlsparams-bionic.debdiff https://bugs.launchpad.net/ubuntu/groovy/+source/python-etcd3gw/+bug/1820083/+attachment/5449229/+files/lp1820083-tlsparams-bionic.debdiff |
|
|
2021-02-16 23:37:12 |
Heather Lemon |
attachment added |
|
lp1820083-Set-transport-options-bionic.debdiff https://bugs.launchpad.net/ubuntu/groovy/+source/python-etcd3gw/+bug/1820083/+attachment/5464369/+files/lp1820083-Set-transport-options-bionic.debdiff |
|
2021-02-16 23:37:35 |
Heather Lemon |
attachment removed |
lp1820083-focal-tlsparams.debdiff https://bugs.launchpad.net/ubuntu/groovy/+source/python-etcd3gw/+bug/1820083/+attachment/5449249/+files/lp1820083-focal-tlsparams.debdiff |
|
|
2021-02-16 23:44:52 |
Heather Lemon |
attachment added |
|
lp1820083-Set-transport-options-focal.debdiff https://bugs.launchpad.net/ubuntu/groovy/+source/python-etcd3gw/+bug/1820083/+attachment/5464370/+files/lp1820083-Set-transport-options-focal.debdiff |
|
2021-02-17 17:53:23 |
Dan Streetman |
bug |
|
|
added subscriber STS Sponsors |
2021-02-17 17:53:28 |
Dan Streetman |
tags |
patch sts sts-sponsor-volunteer |
patch sts sts-sponsor-ddstreet |
|
2021-02-17 18:18:13 |
Dan Streetman |
tags |
patch sts sts-sponsor-ddstreet |
patch sts sts-sponsor-slashd |
|
2021-02-17 18:38:19 |
Heather Lemon |
description |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Case]
We will be backporting this as part of the python-etcd3gw from upstream debian maintainers who bumped the version from 0.2.1-3 to 0.2.5-1
Running the additional unit tests provided for this would be enough to trigger the raised exception.
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other Info]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Case]
[Test Case]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
cd ~
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo mv etcd etcdctl /usr/bin/
cd ~
rm -rf etcd-v3.3.14-linux-amd64*
*note I named my directory infra0
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health
if successful,
{"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
```
def test_client_tls(self):
    client = Etcd3Client(host="localhost", protocol="https", ca_cert="~/localhost.crt", cert_key="~/localhost.key", cert_cert="~/user.crt", timeout=10)
    response = client.get("/health")
    print(response)
```
Run the newly added unit test
python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other Info]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-02-17 18:38:48 |
Heather Lemon |
description |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Case]
[Test Case]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
cd ~
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo mv etcd etcdctl /usr/bin/
cd ~
rm -rf etcd-v3.3.14-linux-amd64*
*note I named my directory infra0
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health
if successful,
{"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
```
def test_client_tls(self):
    client = Etcd3Client(host="localhost", protocol="https", ca_cert="~/localhost.crt", cert_key="~/localhost.key", cert_cert="~/user.crt", timeout=10)
    response = client.get("/health")
    print(response)
```
Run the newly added unit test
python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other Info]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Case]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
cd ~
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo mv etcd etcdctl /usr/bin/
cd ~
rm -rf etcd-v3.3.14-linux-amd64*
*note I named my directory infra0
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health
if successful,
{"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
```
def test_client_tls(self):
client = Etcd3Client(host="localhost", protocol="https", ca_cert="~/localhost.crt",cert_key="~/localhost.key", cert_cert="~/user.crt", timeout=10)
response = client.get("/health") print(response)
```
Run the newly added unit test python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls We get an error in both the unit test and an error from the etcd server unit test error we are looking for: OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other Info]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-02-17 18:39:09 |
Heather Lemon |
description |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Case]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
cd ~
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo mv etcd etcdctl /usr/bin/
cd ~
rm -rf etcd-v3.3.14-linux-amd64*
*note I named my directory infra0
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health
if successful, {"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
```
def test_client_tls(self):
    client = Etcd3Client(host="localhost", protocol="https",
                         ca_cert="~/localhost.crt", cert_key="~/localhost.key",
                         cert_cert="~/user.crt", timeout=10)
    response = client.get("/health")
    print(response)
```
Run the newly added unit test
python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other Info]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Case]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
cd ~
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo mv etcd etcdctl /usr/bin/
cd ~
rm -rf etcd-v3.3.14-linux-amd64*
*note I named my directory infra0
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health
if successful, {"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
```
def test_client_tls(self):
    client = Etcd3Client(host="localhost", protocol="https",
                         ca_cert="~/localhost.crt", cert_key="~/localhost.key",
                         cert_cert="~/user.crt", timeout=10)
    response = client.get("/health")
    print(response)
```
Run the newly added unit test
python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-02-25 14:19:05 |
Heather Lemon |
description |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Case]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
cd ~
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo mv etcd etcdctl /usr/bin/
cd ~
rm -rf etcd-v3.3.14-linux-amd64*
*note I named my directory infra0
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health
if successful, {"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
```
def test_client_tls(self):
    client = Etcd3Client(host="localhost", protocol="https",
                         ca_cert="~/localhost.crt", cert_key="~/localhost.key",
                         cert_cert="~/user.crt", timeout=10)
    response = client.get("/health")
    print(response)
```
Run the newly added unit test
python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
cd ~
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo mv etcd etcdctl /usr/bin/
cd ~
rm -rf etcd-v3.3.14-linux-amd64*
*note I named my directory infra0
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health
if successful, {"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
```
def test_client_tls(self):
    client = Etcd3Client(host="localhost", protocol="https",
                         ca_cert="~/localhost.crt", cert_key="~/localhost.key",
                         cert_cert="~/user.crt", timeout=10)
    response = client.get("/health")
    print(response)
```
Run the newly added unit test
python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-02-25 16:54:23 |
Heather Lemon |
description |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
cd ~
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo mv etcd etcdctl /usr/bin/
cd ~
rm -rf etcd-v3.3.14-linux-amd64*
*note I named my directory infra0
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health
if successful, {"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
```
def test_client_tls(self):
    client = Etcd3Client(host="localhost", protocol="https",
                         ca_cert="~/localhost.crt", cert_key="~/localhost.key",
                         cert_cert="~/user.crt", timeout=10)
    response = client.get("/health")
    print(response)
```
Run the newly added unit test
python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health
if successful, {"health": "true"}
touch test_client.py
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
```
def test_client_tls(self):
    client = Etcd3Client(host="localhost", protocol="https",
                         ca_cert="~/localhost.crt", cert_key="~/localhost.key",
                         cert_cert="~/user.crt", timeout=10)
    response = client.get("/health")
    print(response)
```
Run the newly added unit test
python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-02-25 16:54:45 |
Heather Lemon |
description |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health
if successful, {"health": "true"}
touch test_client.py
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
```
def test_client_tls(self):
    client = Etcd3Client(host="localhost", protocol="https",
                         ca_cert="~/localhost.crt", cert_key="~/localhost.key",
                         cert_cert="~/user.crt", timeout=10)
    response = client.get("/health")
    print(response)
```
Run the newly added unit test
python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health
if successful, {"health": "true"}
touch test_client.py
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
```
def test_client_tls(self):
    client = Etcd3Client(host="localhost", protocol="https",
                         ca_cert="~/localhost.crt", cert_key="~/localhost.key",
                         cert_cert="~/user.crt", timeout=10)
    response = client.get("/health")
    print(response)
```
Run the newly added unit test
python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-02-25 17:39:32 |
Heather Lemon |
description |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://localhost:2379/health
if successful, {"health": "true"}
touch test_client.py
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
```
def test_client_tls(self):
    client = Etcd3Client(host="localhost", protocol="https",
                         ca_cert="~/localhost.crt", cert_key="~/localhost.key",
                         cert_cert="~/user.crt", timeout=10)
    response = client.get("/health")
    print(response)
```
Run the newly added unit test
python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
# spin up etcd server
etcd &
test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
if successful, {"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
Add a new unit test
```
def test_client_tls(self):
    client = Etcd3Client(host="localhost", protocol="https",
                         ca_cert="~/localhost.crt", cert_key="~/localhost.key",
                         cert_cert="~/user.crt", timeout=10)
    response = client.get("/health")
    print(response)
```
Run the newly added unit test
python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-02-25 18:06:58 |
Heather Lemon |
description |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
# spin up etcd server
etcd &
test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
if successful, {"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
Add a new unit test
```
def test_client_tls(self):
    client = Etcd3Client(host="localhost", protocol="https",
                         ca_cert="~/localhost.crt", cert_key="~/localhost.key",
                         cert_cert="~/user.crt", timeout=10)
    response = client.get("/health")
    print(response)
```
Run the newly added unit test
python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
# spin up etcd server
etcd &
test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
if successful, {"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
Add a new unit test
```
def test_client_tls(self):
    client = Etcd3Client(host="localhost", protocol="https",
                         ca_cert="~/localhost.crt", cert_key="~/localhost.key",
                         cert_cert="~/user.crt", timeout=10)
    response = client.get("/health")
    print(response)
```
Run the newly added unit test
python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-02-25 22:20:52 |
Heather Lemon |
description |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
# spin up etcd server
etcd &
test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
if successful, {"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
Add a new unit test
```
def test_client_tls(self):
    client = Etcd3Client(host="localhost", protocol="https",
                         ca_cert="~/localhost.crt", cert_key="~/localhost.key",
                         cert_cert="~/user.crt", timeout=10)
    response = client.get("/health")
    print(response)
```
Run the newly added unit test
python3.8 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
# spin up etcd server
etcd &
test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
if successful, {"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
Add a new unit test
```
def test_client_tls(self):
    client = Etcd3Client(host="localhost", protocol="https", ca_cert="~/localhost.crt", cert_key="~/localhost.key", cert_cert="~/user.crt", timeout=10)
    response = client.get("/health")
    print(response)
```
Run the newly added unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-02-25 23:45:16 |
Heather Lemon |
description |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
# spin up etcd server
etcd &
test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
if successful, {"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
Add a new unit test
```
def test_client_tls(self):
    client = Etcd3Client(host="localhost", protocol="https", ca_cert="~/localhost.crt", cert_key="~/localhost.key", cert_cert="~/user.crt", timeout=10)
    response = client.get("/health")
    print(response)
```
Run the newly added unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
# spin up etcd server
etcd &
test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
if successful, {"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
Run the newly added unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-02-25 23:46:59 |
Heather Lemon |
description |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
# spin up etcd server
etcd &
test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
if successful, {"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
Run the newly added unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
# spin up etcd server
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
#test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
#if successful, the etcd server is configured with https
{"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
Run the newly added unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-02-25 23:48:34 |
Heather Lemon |
attachment added |
|
test_client.py https://bugs.launchpad.net/ubuntu/focal/+source/python-etcd3gw/+bug/1820083/+attachment/5467262/+files/test_client.py |
|
2021-02-25 23:51:42 |
Heather Lemon |
attachment added |
|
0001-create-new-unit-test-for-https-etcd-server.patch https://bugs.launchpad.net/ubuntu/focal/+source/python-etcd3gw/+bug/1820083/+attachment/5467263/+files/0001-create-new-unit-test-for-https-etcd-server.patch |
|
2021-02-25 23:54:36 |
Heather Lemon |
description |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
# spin up etcd server
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
#test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
#if successful, the etcd server is configured with https
{"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
Run the newly added unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
# spin up etcd server
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
#test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
#if successful, the etcd server is configured with https
{"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
Run the newly added unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
If you are testing with the added unit test, then make sure there is no etcd server running already.
Unit test console output:
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
/home/heather/.local/lib/python3.8/site-packages/urllib3/connection.py:455: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
warnings.warn(
127.0.0.1 - - [25/Feb/2021 16:43:48] "GET /health HTTP/1.1" 200 -
.
----------------------------------------------------------------------
Ran 1 test in 0.107s
OK
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-02-25 23:57:10 |
Heather Lemon |
description |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
# spin up etcd server
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
#test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
#if successful, the etcd server is configured with https
{"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
Run the newly added unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
If you are testing with the added unit test, then make sure there is no etcd server running already.
Unit test console output:
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
/home/heather/.local/lib/python3.8/site-packages/urllib3/connection.py:455: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
warnings.warn(
127.0.0.1 - - [25/Feb/2021 16:43:48] "GET /health HTTP/1.1" 200 -
.
----------------------------------------------------------------------
Ran 1 test in 0.107s
OK
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
# spin up etcd server
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
#test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
#if successful, the etcd server is configured with https
{"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
Run the newly added unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
If you are testing with the added unit test, then make sure there is no etcd server running already.
Unit test console output:
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
/home/heather/.local/lib/python3.8/site-packages/urllib3/connection.py:455: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
warnings.warn(
127.0.0.1 - - [25/Feb/2021 16:43:48] "GET /health HTTP/1.1" 200 -
.
----------------------------------------------------------------------
Ran 1 test in 0.107s
OK
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-03-02 17:37:51 |
Heather Lemon |
attachment removed |
lp1820083-set-tls-groovy.debdiff https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5464270/+files/lp1820083-set-tls-groovy.debdiff |
|
|
2021-03-02 17:38:02 |
Heather Lemon |
attachment removed |
lp1820083-Set-transport-options-bionic.debdiff https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5464369/+files/lp1820083-Set-transport-options-bionic.debdiff |
|
|
2021-03-02 17:38:11 |
Heather Lemon |
attachment removed |
lp1820083-Set-transport-options-focal.debdiff https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5464370/+files/lp1820083-Set-transport-options-focal.debdiff |
|
|
2021-03-02 17:38:27 |
Heather Lemon |
attachment removed |
test_client.py https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5467262/+files/test_client.py |
|
|
2021-03-02 17:38:40 |
Heather Lemon |
attachment removed |
0001-create-new-unit-test-for-https-etcd-server.patch https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5467263/+files/0001-create-new-unit-test-for-https-etcd-server.patch |
|
|
2021-03-02 17:40:35 |
Heather Lemon |
attachment added |
|
lp1820083-tls-params-focal.debdiff https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5471964/+files/lp1820083-tls-params-focal.debdiff |
|
2021-03-02 18:01:15 |
Heather Lemon |
attachment added |
|
lp1820083-tls-params-groovy.debdiff https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5471966/+files/lp1820083-tls-params-groovy.debdiff |
|
2021-03-02 19:12:25 |
Heather Lemon |
attachment added |
|
lp1820083-tls-params-bionic.debdiff https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5471977/+files/lp1820083-tls-params-bionic.debdiff |
|
2021-03-02 19:18:15 |
Heather Lemon |
attachment removed |
lp1820083-tls-params-groovy.debdiff https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5471966/+files/lp1820083-tls-params-groovy.debdiff |
|
|
2021-03-02 19:19:01 |
Heather Lemon |
attachment added |
|
lp1820083-tls-params-groovy.debdiff https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5471978/+files/lp1820083-tls-params-groovy.debdiff |
|
2021-03-02 19:22:36 |
Heather Lemon |
attachment removed |
lp1820083-tls-params-focal.debdiff https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5471964/+files/lp1820083-tls-params-focal.debdiff |
|
|
2021-03-02 19:23:20 |
Heather Lemon |
attachment added |
|
lp1820083-tls-params-focal.debdiff https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5471981/+files/lp1820083-tls-params-focal.debdiff |
|
2021-03-02 19:33:27 |
Heather Lemon |
description |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
# spin up etcd server
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
#test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
#if successful, the etcd server is configured with https
{"health": "true"}
Inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
Run the newly added unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
If you are testing with the added unit test, then make sure there is no etcd server running already.
Unit test console output:
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
/home/heather/.local/lib/python3.8/site-packages/urllib3/connection.py:455: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
warnings.warn(
127.0.0.1 - - [25/Feb/2021 16:43:48] "GET /health HTTP/1.1" 200 -
.
----------------------------------------------------------------------
Ran 1 test in 0.107s
OK
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package.
[Test Plan]
There are two test workflows to follow.
- testing the patch with self signed certs and etcd server running locally
- running newly created unit tests for TLS params
-----
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
# spin up etcd server
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
#test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
#if successful, the etcd server is configured with https
{"health": "true"}
View test changes inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
Run the newly added unit test, or run the whole test suite with:
python3 -m unittest
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server
unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
If you are testing with the added unit test, then make sure there is no etcd server running already.
Unit test console output:
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
/home/heather/.local/lib/python3.8/site-packages/urllib3/connection.py:455: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
warnings.warn(
127.0.0.1 - - [25/Feb/2021 16:43:48] "GET /health HTTP/1.1" 200 -
.
----------------------------------------------------------------------
Ran 1 test in 0.107s
OK
[Where Problems Could Occur]
-failed tls connections
-failed unit tests
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
Unit test failures. Created a new unit test for testing the TLS session parameters. This also creates a mock etcd server to connect and test certification information of self signed certs.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-03-03 22:43:34 |
Heather Lemon |
description |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package.
[Test Plan]
There are two test workflows to follow.
- testing the patch with self signed certs and etcd server running locally
- running newly created unit tests for TLS params
-----
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
# spin up etcd server
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
#test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
#if successful, the etcd server is configured with https
{"health": "true"}
View test changes inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
Run the newly added unit test, or run the whole test suite with:
python3 -m unittest
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
If you are testing with the added unit test, then make sure there is no etcd server running already.
Unit test console output:
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
/home/heather/.local/lib/python3.8/site-packages/urllib3/connection.py:455: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
warnings.warn(
127.0.0.1 - - [25/Feb/2021 16:43:48] "GET /health HTTP/1.1" 200 -
.
----------------------------------------------------------------------
Ran 1 test in 0.107s
OK
[Where Problems Could Occur]
-failed tls connections
-failed unit tests
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
Unit test failures. Created a new unit test for testing the TLS session parameters. This also creates a mock etcd server to connect and test certification information of self signed certs.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
# spin up etcd server
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
#test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
#if successful, the etcd server is configured with https
{"health": "true"}
Modify ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
def test_client_tls(self):
    client = Etcd3Client(host="127.0.0.1", protocol="https", ca_cert="/root/etcdserver.crt", cert_key="/root/etcdserver.key",
                         cert_cert="/root/etcdserver.crt", timeout=10)
    client.create("foo", value="bar")
    client.get("foo")
# Run the newly added unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
If you are testing with the added unit test, then make sure there is no etcd server running already.
Unit test console output:
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
/home/heather/.local/lib/python3.8/site-packages/urllib3/connection.py:455: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
warnings.warn(
127.0.0.1 - - [25/Feb/2021 16:43:48] "GET /health HTTP/1.1" 200 -
.
----------------------------------------------------------------------
Ran 1 test in 0.107s
OK
---------
The unit test I've made is an echo of the test_client.py code we've just updated.
#
Testing out the new unit test from the source code changes.
I have added a new unit test that tests the setting of TLS params.
You can run the unit test with:
python3 -m unittest
again make sure there's no etcd server already running.
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-03-04 15:45:17 |
Heather Lemon |
description |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
# spin up etcd server
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
#test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
#if successful, the etcd server is configured with https
{"health": "true"}
Modify ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
def test_client_tls(self):
    client = Etcd3Client(host="127.0.0.1", protocol="https", ca_cert="/root/etcdserver.crt", cert_key="/root/etcdserver.key",
                         cert_cert="/root/etcdserver.crt", timeout=10)
    client.create("foo", value="bar")
    client.get("foo")
# Run the newly added unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
If you are testing with the added unit test, then make sure there is no etcd server running already.
Unit test console output:
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
/home/heather/.local/lib/python3.8/site-packages/urllib3/connection.py:455: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
warnings.warn(
127.0.0.1 - - [25/Feb/2021 16:43:48] "GET /health HTTP/1.1" 200 -
.
----------------------------------------------------------------------
Ran 1 test in 0.107s
OK
---------
The unit test I've made is an echo of the test_client.py code we've just updated.
#
Testing out the new unit test from the source code changes.
I have added a new unit test that tests the setting of TLS params.
You can run the unit test with:
python3 -m unittest
again make sure there's no etcd server already running.
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
# spin up etcd server
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
#test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
#if successful, the etcd server is configured with https
{"health": "true"}
Modify ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
def test_client_tls(self):
    client = Etcd3Client(host="127.0.0.1", protocol="https", ca_cert="/home/heather/etcdserver.crt",
                         cert_key="/home/heather/etcdserver.key",
                         cert_cert="/home/heather/etcdserver.crt",
                         timeout=10)
    client.create("foo", value="bar")
    client.put("foo")
    resp = client.get("foo")
    print(resp)
# Run the newly added unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
If you are testing with the added unit test, then make sure there is no etcd server running already.
Unit test console output:
root@ubuntu-bionic:~/githubsource-pythonetcd3gw/etcd3-gateway/etcd3gw/tests# python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
/usr/lib/python3/dist-packages/urllib3/connection.py:358: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
SubjectAltNameWarning
[b'bar']
/usr/lib/python3/dist-packages/testtools/testcase.py:719: ResourceWarning: unclosed <ssl.SSLSocket fd=3, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('127.0.0.1', 38392), raddr=('127.0.0.1', 2379)>
return self._get_test_method()()
.
----------------------------------------------------------------------
Ran 1 test in 0.048s
OK
The unit test I've made is an echo of the test_client.py code we've just updated.
#
Testing out the new unit test from the source code changes.
I have added a new unit test that tests the setting of TLS params.
You can run the unit test with:
python3 -m unittest
again make sure there's no etcd server already running.
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-03-04 15:53:37 |
Heather Lemon |
description |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
# spin up etcd server
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
#test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
#if successful, the etcd server is configured with https
{"health": "true"}
Modify ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
def test_client_tls(self):
    client = Etcd3Client(host="127.0.0.1", protocol="https", ca_cert="/home/heather/etcdserver.crt",
                         cert_key="/home/heather/etcdserver.key",
                         cert_cert="/home/heather/etcdserver.crt",
                         timeout=10)
    client.create("foo", value="bar")
    client.put("foo")
    resp = client.get("foo")
    print(resp)
# Run the newly added unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
If you are testing with the added unit test, then make sure there is no etcd server running already.
Unit test console output:
root@ubuntu-bionic:~/githubsource-pythonetcd3gw/etcd3-gateway/etcd3gw/tests# python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
/usr/lib/python3/dist-packages/urllib3/connection.py:358: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
SubjectAltNameWarning
[b'bar']
/usr/lib/python3/dist-packages/testtools/testcase.py:719: ResourceWarning: unclosed <ssl.SSLSocket fd=3, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('127.0.0.1', 38392), raddr=('127.0.0.1', 2379)>
return self._get_test_method()()
.
----------------------------------------------------------------------
Ran 1 test in 0.048s
OK
The unit test I've made is an echo of the test_client.py code we've just updated.
#
Testing out the new unit test from the source code changes.
I have added a new unit test that tests the setting of TLS params.
You can run the unit test with:
python3 -m unittest
again make sure there's no etcd server already running.
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
# spin up etcd server
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
#test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
#if successful, the etcd server is configured with https
{"health": "true"}
Modify ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
def test_client_tls(self):
    client = Etcd3Client(host="127.0.0.1", protocol="https", ca_cert="/home/heather/etcdserver.crt",
                         cert_key="/home/heather/etcdserver.key",
                         cert_cert="/home/heather/etcdserver.crt",
                         timeout=10)
    client.create("foo", value="bar")
    client.put("foo")
    resp = client.get("foo")
    print(resp)
# Run the newly added unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server unit test error we are looking for:
# error in etcd
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
error in unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
E
======================================================================
ERROR: test_client_tls (test_client.TestEtcd3Gateway)
test_client.TestEtcd3Gateway.test_client_tls
----------------------------------------------------------------------
testtools.testresult.real._StringException: Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen
chunked=chunked)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 852, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 340, in connect
ssl_context=context)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 332, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
_context=self, _session=session)
File "/usr/lib/python3.6/ssl.py", line 817, in __init__
self.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 639, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 398, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='127.0.0.1', port=2379): Max retries exceeded with url: /v3alpha/kv/txn (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 89, in post
resp = self.session.post(*args, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 567, in post
return self.request('POST', url, data=data, json=json, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 520, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 630, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 506, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='127.0.0.1', port=2379): Max retries exceeded with url: /v3alpha/kv/txn (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/root/githubsource-pythonetcd3gw/etcd3-gateway/etcd3gw/tests/test_client.py", line 186, in test_client_tls
client.create("foo2", value="bar2")
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 175, in create
result = self.transaction(txn)
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 350, in transaction
data=json.dumps(txn))
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 100, in post
raise exceptions.ConnectionFailedError(six.text_type(ex))
etcd3gw.exceptions.ConnectionFailedError
----------------------------------------------------------------------
Ran 1 test in 0.023s
FAILED (errors=1)
# ran unit test again with patch fix
Unit test console output:
root@ubuntu-bionic:~/githubsource-pythonetcd3gw/etcd3-gateway/etcd3gw/tests# python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
/usr/lib/python3/dist-packages/urllib3/connection.py:358: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
SubjectAltNameWarning
[b'bar']
/usr/lib/python3/dist-packages/testtools/testcase.py:719: ResourceWarning: unclosed <ssl.SSLSocket fd=3, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('127.0.0.1', 38392), raddr=('127.0.0.1', 2379)>
return self._get_test_method()()
.
----------------------------------------------------------------------
Ran 1 test in 0.048s
OK
The unit test I've made is an echo of the test_client.py code we've just updated.
#
Testing out the new unit test from the source code changes.
I have added a new unit test that tests the setting of TLS params.
You can run the unit test with:
python3 -m unittest
again make sure there's no etcd server already running.
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
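The failure mode described in [Impact], reduced to its mechanism: a `requests.Session` left at its defaults verifies servers against the default CA bundle and presents no client certificate, which matches the `CERTIFICATE_VERIFY_FAILED` traceback against a self-signed etcd. This is an added example, not code from etcd3gw or from the upstream fix; `UnpatchedClient`, `PatchedClient`, `dropped_tls_params` and the certificate paths are hypothetical names constructed for illustration.

```python
import requests


class UnpatchedClient:
    """Hypothetical stand-in for the behaviour in [Impact]: the TLS
    arguments are accepted and stored, but never reach the session."""

    def __init__(self, host="127.0.0.1", port=2379, protocol="http",
                 ca_cert=None, cert_key=None, cert_cert=None, timeout=None):
        self.base_url = "%s://%s:%d" % (protocol, host, port)
        self.ca_cert = ca_cert
        self.cert_key = cert_key
        self.cert_cert = cert_cert
        self.timeout = timeout
        # Defaults: session.verify is True (default CA bundle only) and
        # session.cert is None (no client certificate is presented).
        self.session = requests.Session()

    def request_kwargs(self):
        """Extra keyword arguments sent with every request."""
        return {}


class PatchedClient(UnpatchedClient):
    """Same constructor, but the TLS parameters are applied when provided."""

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        if self.ca_cert is not None:
            # Trust this CA file instead of the default bundle.
            self.session.verify = self.ca_cert
        if self.cert_cert is not None and self.cert_key is not None:
            # Client certificate and key, presented during the handshake.
            self.session.cert = (self.cert_cert, self.cert_key)

    def request_kwargs(self):
        # requests has no session-wide timeout, so it goes on each call.
        return {} if self.timeout is None else {"timeout": self.timeout}


def dropped_tls_params(client):
    """Return the caller-supplied parameters that the session will ignore."""
    dropped = []
    if client.ca_cert is not None and client.session.verify != client.ca_cert:
        dropped.append("ca_cert")
    if client.cert_cert is not None and client.cert_key is not None:
        if client.session.cert != (client.cert_cert, client.cert_key):
            dropped.append("cert_cert/cert_key")
    if client.timeout is not None:
        if client.request_kwargs().get("timeout") != client.timeout:
            dropped.append("timeout")
    return dropped


if __name__ == "__main__":
    # Constructed paths; nothing is opened until a request is actually sent.
    params = dict(protocol="https",
                  ca_cert="/tmp/example-ca.crt",
                  cert_cert="/tmp/example-client.crt",
                  cert_key="/tmp/example-client.key",
                  timeout=10)
    for cls in (UnpatchedClient, PatchedClient):
        print(cls.__name__, "drops:", dropped_tls_params(cls(**params)))
```

A check like `dropped_tls_params` runs without an etcd server, so it can guard against the regression even where the live TLS test in the test plan cannot be run.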
2021-03-04 16:55:41 |
Heather Lemon |
description |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
# spin up etcd server
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
#test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
#if successful, the etcd server is configured with https
{"health": "true"}
Modify ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
def test_client_tls(self):
    client = Etcd3Client(host="127.0.0.1", protocol="https", ca_cert="/home/heather/etcdserver.crt",
                         cert_key="/home/heather/etcdserver.key",
                         cert_cert="/home/heather/etcdserver.crt",
                         timeout=10)
    client.create("foo", value="bar")
    client.put("foo")
    resp = client.get("foo")
    print(resp)
# Run the newly added unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server unit test error we are looking for:
# error in etcd
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
error in unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
E
======================================================================
ERROR: test_client_tls (test_client.TestEtcd3Gateway)
test_client.TestEtcd3Gateway.test_client_tls
----------------------------------------------------------------------
testtools.testresult.real._StringException: Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen
chunked=chunked)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 852, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 340, in connect
ssl_context=context)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 332, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
_context=self, _session=session)
File "/usr/lib/python3.6/ssl.py", line 817, in __init__
self.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 639, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 398, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='127.0.0.1', port=2379): Max retries exceeded with url: /v3alpha/kv/txn (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 89, in post
resp = self.session.post(*args, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 567, in post
return self.request('POST', url, data=data, json=json, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 520, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 630, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 506, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='127.0.0.1', port=2379): Max retries exceeded with url: /v3alpha/kv/txn (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/root/githubsource-pythonetcd3gw/etcd3-gateway/etcd3gw/tests/test_client.py", line 186, in test_client_tls
client.create("foo2", value="bar2")
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 175, in create
result = self.transaction(txn)
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 350, in transaction
data=json.dumps(txn))
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 100, in post
raise exceptions.ConnectionFailedError(six.text_type(ex))
etcd3gw.exceptions.ConnectionFailedError
----------------------------------------------------------------------
Ran 1 test in 0.023s
FAILED (errors=1)
# ran unit test again with patch fix
Unit test console output:
root@ubuntu-bionic:~/githubsource-pythonetcd3gw/etcd3-gateway/etcd3gw/tests# python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
/usr/lib/python3/dist-packages/urllib3/connection.py:358: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
SubjectAltNameWarning
[b'bar']
/usr/lib/python3/dist-packages/testtools/testcase.py:719: ResourceWarning: unclosed <ssl.SSLSocket fd=3, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('127.0.0.1', 38392), raddr=('127.0.0.1', 2379)>
return self._get_test_method()()
.
----------------------------------------------------------------------
Ran 1 test in 0.048s
OK
The unit test I've made is an echo of the test_client.py code we've just updated.
#
Testing out the new unit test from the source code changes.
I have added a new unit test that tests the setting of TLS params.
You can run the unit test with:
python3 -m unittest
again make sure there's no etcd server already running.
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
# spin up etcd server
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
#test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
#if successful, the etcd server is configured with https
{"health": "true"}
Modify ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
def test_client_tls(self):
client = Etcd3Client(host="127.0.0.1", protocol="https", ca_cert="/root/etcdserver.crt",
cert_key="/root/etcdserver.key",
cert_cert="/root/etcdserver.crt",
timeout=10)
client.create("foo", value="bar")
client.put("foo")
resp = client.get("foo")
print(resp)
# Run the newly added unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server. Unit test error we are looking for:
# error in etcd
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
error in unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
E
======================================================================
ERROR: test_client_tls (test_client.TestEtcd3Gateway)
test_client.TestEtcd3Gateway.test_client_tls
----------------------------------------------------------------------
testtools.testresult.real._StringException: Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen
chunked=chunked)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 852, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 340, in connect
ssl_context=context)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 332, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
_context=self, _session=session)
File "/usr/lib/python3.6/ssl.py", line 817, in __init__
self.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 639, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 398, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='127.0.0.1', port=2379): Max retries exceeded with url: /v3alpha/kv/txn (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 89, in post
resp = self.session.post(*args, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 567, in post
return self.request('POST', url, data=data, json=json, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 520, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 630, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 506, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='127.0.0.1', port=2379): Max retries exceeded with url: /v3alpha/kv/txn (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/root/githubsource-pythonetcd3gw/etcd3-gateway/etcd3gw/tests/test_client.py", line 186, in test_client_tls
client.create("foo2", value="bar2")
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 175, in create
result = self.transaction(txn)
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 350, in transaction
data=json.dumps(txn))
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 100, in post
raise exceptions.ConnectionFailedError(six.text_type(ex))
etcd3gw.exceptions.ConnectionFailedError
----------------------------------------------------------------------
Ran 1 test in 0.023s
FAILED (errors=1)
# ran unit test again with patch fix
Unit test console output:
root@ubuntu-bionic:~/githubsource-pythonetcd3gw/etcd3-gateway/etcd3gw/tests# python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
/usr/lib/python3/dist-packages/urllib3/connection.py:358: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
SubjectAltNameWarning
[b'bar']
/usr/lib/python3/dist-packages/testtools/testcase.py:719: ResourceWarning: unclosed <ssl.SSLSocket fd=3, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('127.0.0.1', 38392), raddr=('127.0.0.1', 2379)>
return self._get_test_method()()
.
----------------------------------------------------------------------
Ran 1 test in 0.048s
OK
The unit test I've made is an echo of the test_client.py code we've just updated.
#
Testing out the new unit test from the source code changes.
I have added a new unit test that tests the setting of TLS params.
You can run the unit test with:
python3 -m unittest
again make sure there's no etcd server already running.
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-03-04 16:56:19 |
Heather Lemon |
description |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
# spin up etcd server
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
#test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
#if successful, the etcd server is configured with https
{"health": "true"}
Modify ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
def test_client_tls(self):
client = Etcd3Client(host="127.0.0.1", protocol="https", ca_cert="/root/etcdserver.crt",
cert_key="/root/etcdserver.key",
cert_cert="/root/etcdserver.crt",
timeout=10)
client.create("foo", value="bar")
client.put("foo")
resp = client.get("foo")
print(resp)
# Run the newly added unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server. Unit test error we are looking for:
# error in etcd
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
error in unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
E
======================================================================
ERROR: test_client_tls (test_client.TestEtcd3Gateway)
test_client.TestEtcd3Gateway.test_client_tls
----------------------------------------------------------------------
testtools.testresult.real._StringException: Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen
chunked=chunked)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 852, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 340, in connect
ssl_context=context)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 332, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
_context=self, _session=session)
File "/usr/lib/python3.6/ssl.py", line 817, in __init__
self.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 639, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 398, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='127.0.0.1', port=2379): Max retries exceeded with url: /v3alpha/kv/txn (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 89, in post
resp = self.session.post(*args, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 567, in post
return self.request('POST', url, data=data, json=json, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 520, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 630, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 506, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='127.0.0.1', port=2379): Max retries exceeded with url: /v3alpha/kv/txn (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/root/githubsource-pythonetcd3gw/etcd3-gateway/etcd3gw/tests/test_client.py", line 186, in test_client_tls
client.create("foo2", value="bar2")
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 175, in create
result = self.transaction(txn)
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 350, in transaction
data=json.dumps(txn))
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 100, in post
raise exceptions.ConnectionFailedError(six.text_type(ex))
etcd3gw.exceptions.ConnectionFailedError
----------------------------------------------------------------------
Ran 1 test in 0.023s
FAILED (errors=1)
# ran unit test again with patch fix
Unit test console output:
root@ubuntu-bionic:~/githubsource-pythonetcd3gw/etcd3-gateway/etcd3gw/tests# python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
/usr/lib/python3/dist-packages/urllib3/connection.py:358: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
SubjectAltNameWarning
[b'bar']
/usr/lib/python3/dist-packages/testtools/testcase.py:719: ResourceWarning: unclosed <ssl.SSLSocket fd=3, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('127.0.0.1', 38392), raddr=('127.0.0.1', 2379)>
return self._get_test_method()()
.
----------------------------------------------------------------------
Ran 1 test in 0.048s
OK
The unit test I've made is an echo of the test_client.py code we've just updated.
#
Testing out the new unit test from the source code changes.
I have added a new unit test that tests the setting of TLS params.
You can run the unit test with:
python3 -m unittest
again make sure there's no etcd server already running.
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
# spin up etcd server
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
#test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
#if successful, the etcd server is configured with https
{"health": "true"}
Modify ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
to add this unit test.
def test_client_tls(self):
client = Etcd3Client(host="127.0.0.1", protocol="https", ca_cert="/root/etcdserver.crt",
cert_key="/root/etcdserver.key",
cert_cert="/root/etcdserver.crt",
timeout=10)
client.create("foo", value="bar")
client.put("foo")
resp = client.get("foo")
print(resp)
# Run the newly added unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server. Unit test error we are looking for:
# error in etcd
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
error in unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
E
======================================================================
ERROR: test_client_tls (test_client.TestEtcd3Gateway)
test_client.TestEtcd3Gateway.test_client_tls
----------------------------------------------------------------------
testtools.testresult.real._StringException: Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen
chunked=chunked)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 852, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 340, in connect
ssl_context=context)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 332, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
_context=self, _session=session)
File "/usr/lib/python3.6/ssl.py", line 817, in __init__
self.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 639, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 398, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='127.0.0.1', port=2379): Max retries exceeded with url: /v3alpha/kv/txn (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 89, in post
resp = self.session.post(*args, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 567, in post
return self.request('POST', url, data=data, json=json, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 520, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 630, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 506, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='127.0.0.1', port=2379): Max retries exceeded with url: /v3alpha/kv/txn (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/root/githubsource-pythonetcd3gw/etcd3-gateway/etcd3gw/tests/test_client.py", line 186, in test_client_tls
client.create("foo2", value="bar2")
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 175, in create
result = self.transaction(txn)
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 350, in transaction
data=json.dumps(txn))
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 100, in post
raise exceptions.ConnectionFailedError(six.text_type(ex))
etcd3gw.exceptions.ConnectionFailedError
----------------------------------------------------------------------
Ran 1 test in 0.023s
FAILED (errors=1)
# ran unit test again with patch fix
Unit test console output:
root@ubuntu-bionic:~/githubsource-pythonetcd3gw/etcd3-gateway/etcd3gw/tests# python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
/usr/lib/python3/dist-packages/urllib3/connection.py:358: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
SubjectAltNameWarning
[b'bar']
/usr/lib/python3/dist-packages/testtools/testcase.py:719: ResourceWarning: unclosed <ssl.SSLSocket fd=3, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('127.0.0.1', 38392), raddr=('127.0.0.1', 2379)>
return self._get_test_method()()
.
----------------------------------------------------------------------
Ran 1 test in 0.048s
OK
The unit test I've made is an echo of the test_client.py code we've just updated.
#
Testing out the new unit test from the source code changes.
I have added a new unit test that tests the setting of TLS params.
You can run the unit test with:
python3 -m unittest
again make sure there's no etcd server already running.
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-03-04 20:34:36 |
Heather Lemon |
description |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
# spin up etcd server
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
#test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
#if successful, the etcd server is configured with https
{"health": "true"}
Modify ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
to add this unit test.
def test_client_tls(self):
client = Etcd3Client(host="127.0.0.1", protocol="https", ca_cert="/root/etcdserver.crt",
cert_key="/root/etcdserver.key",
cert_cert="/root/etcdserver.crt",
timeout=10)
client.create("foo", value="bar")
client.put("foo")
resp = client.get("foo")
print(resp)
# Run the newly added unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server. Unit test error we are looking for:
# error in etcd
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
error in unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
E
======================================================================
ERROR: test_client_tls (test_client.TestEtcd3Gateway)
test_client.TestEtcd3Gateway.test_client_tls
----------------------------------------------------------------------
testtools.testresult.real._StringException: Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen
chunked=chunked)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 852, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 340, in connect
ssl_context=context)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 332, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
_context=self, _session=session)
File "/usr/lib/python3.6/ssl.py", line 817, in __init__
self.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 639, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 398, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='127.0.0.1', port=2379): Max retries exceeded with url: /v3alpha/kv/txn (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 89, in post
resp = self.session.post(*args, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 567, in post
return self.request('POST', url, data=data, json=json, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 520, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 630, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 506, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='127.0.0.1', port=2379): Max retries exceeded with url: /v3alpha/kv/txn (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/root/githubsource-pythonetcd3gw/etcd3-gateway/etcd3gw/tests/test_client.py", line 186, in test_client_tls
client.create("foo2", value="bar2")
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 175, in create
result = self.transaction(txn)
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 350, in transaction
data=json.dumps(txn))
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 100, in post
raise exceptions.ConnectionFailedError(six.text_type(ex))
etcd3gw.exceptions.ConnectionFailedError
----------------------------------------------------------------------
Ran 1 test in 0.023s
FAILED (errors=1)
# ran unit test again with patch fix
Unit test console output:
root@ubuntu-bionic:~/githubsource-pythonetcd3gw/etcd3-gateway/etcd3gw/tests# python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
/usr/lib/python3/dist-packages/urllib3/connection.py:358: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
SubjectAltNameWarning
[b'bar']
/usr/lib/python3/dist-packages/testtools/testcase.py:719: ResourceWarning: unclosed <ssl.SSLSocket fd=3, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('127.0.0.1', 38392), raddr=('127.0.0.1', 2379)>
return self._get_test_method()()
.
----------------------------------------------------------------------
Ran 1 test in 0.048s
OK
The unit test I've made is an echo of the test_client.py code we've just updated.
#
Testing out the new unit test from the source code changes.
I have added a new unit test that tests the setting of TLS params.
You can run the unit test with:
python3 -m unittest
again make sure there's no etcd server already running.
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
# spin up etcd server
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
#test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
#if successful, the etcd server is configured with https
{"health": "true"}
Modify ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
to add this unit test.
def test_client_tls(self):
    client = Etcd3Client(host="127.0.0.1", protocol="https", ca_cert="/root/etcdserver.crt",
                         cert_key="/root/etcdserver.key",
                         cert_cert="/root/etcdserver.crt",
                         timeout=10)
    client.create("foo", value="bar")
    client.put("foo", "bar")
    resp = client.get("foo")
    print(resp)
# Run the newly added unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server unit test error we are looking for:
# error in etcd
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
error in unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
E
======================================================================
ERROR: test_client_tls (test_client.TestEtcd3Gateway)
test_client.TestEtcd3Gateway.test_client_tls
----------------------------------------------------------------------
testtools.testresult.real._StringException: Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen
chunked=chunked)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 852, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 340, in connect
ssl_context=context)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 332, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
_context=self, _session=session)
File "/usr/lib/python3.6/ssl.py", line 817, in __init__
self.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 639, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 398, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='127.0.0.1', port=2379): Max retries exceeded with url: /v3alpha/kv/txn (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 89, in post
resp = self.session.post(*args, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 567, in post
return self.request('POST', url, data=data, json=json, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 520, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 630, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 506, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='127.0.0.1', port=2379): Max retries exceeded with url: /v3alpha/kv/txn (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/root/githubsource-pythonetcd3gw/etcd3-gateway/etcd3gw/tests/test_client.py", line 186, in test_client_tls
client.create("foo2", value="bar2")
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 175, in create
result = self.transaction(txn)
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 350, in transaction
data=json.dumps(txn))
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 100, in post
raise exceptions.ConnectionFailedError(six.text_type(ex))
etcd3gw.exceptions.ConnectionFailedError
----------------------------------------------------------------------
Ran 1 test in 0.023s
FAILED (errors=1)
# ran unit test again with patch fix
# adds new server to trusted ca list
sudo cp server.crt /usr/share/ca-certificates/
sudo dpkg-reconfigure ca-certificates
press spacebar to select the cert and tab, enter to save
or running `sudo update-ca-certificates` does the same thing.
Unit test console output:
root@ubuntu-bionic:~/githubsource-pythonetcd3gw/etcd3-gateway/etcd3gw/tests# python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
/usr/lib/python3/dist-packages/urllib3/connection.py:358: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
SubjectAltNameWarning
[b'bar']
/usr/lib/python3/dist-packages/testtools/testcase.py:719: ResourceWarning: unclosed <ssl.SSLSocket fd=3, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('127.0.0.1', 38392), raddr=('127.0.0.1', 2379)>
return self._get_test_method()()
.
----------------------------------------------------------------------
Ran 1 test in 0.048s
OK
The unit test I've made is an echo of the test_client.py code we've just updated.
#
Testing out the new unit test from the source code changes.
I have added a new unit test that tests the setting of TLS params.
You can run the unit test with:
python3 -m unittest
again make sure there's no etcd server already running.
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-03-04 21:20:12 |
Heather Lemon |
tags |
patch sts sts-sponsor-slashd |
patch sts sts-sponser sts-sponsor-slashd |
|
2021-03-09 14:16:24 |
Dan Streetman |
description |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package.
[Test Plan]
# Create self signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.csr
*make sure the key has an empty password
#download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.14-linux-amd64.tar.gz
cd etcd-v3.3.14-linux-amd64/
sudo cp etcd etcdctl /usr/bin/
# spin up etcd server
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0
#test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
#if successful, the etcd server is configured with https
{"health": "true"}
Modify ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py
to add this unit test.
def test_client_tls(self):
    client = Etcd3Client(host="127.0.0.1", protocol="https", ca_cert="/root/etcdserver.crt",
                         cert_key="/root/etcdserver.key",
                         cert_cert="/root/etcdserver.crt",
                         timeout=10)
    client.create("foo", value="bar")
    client.put("foo", "bar")
    resp = client.get("foo")
    print(resp)
# Run the newly added unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
We get an error in both the unit test and an error from the etcd server unit test error we are looking for:
# error in etcd
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')] related etcd error: I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")
error in unit test
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
E
======================================================================
ERROR: test_client_tls (test_client.TestEtcd3Gateway)
test_client.TestEtcd3Gateway.test_client_tls
----------------------------------------------------------------------
testtools.testresult.real._StringException: Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen
chunked=chunked)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 852, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 340, in connect
ssl_context=context)
File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 332, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)
File "/usr/lib/python3.6/ssl.py", line 407, in wrap_socket
_context=self, _session=session)
File "/usr/lib/python3.6/ssl.py", line 817, in __init__
self.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 639, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 398, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='127.0.0.1', port=2379): Max retries exceeded with url: /v3alpha/kv/txn (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 89, in post
resp = self.session.post(*args, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 567, in post
return self.request('POST', url, data=data, json=json, **kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 520, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python3/dist-packages/requests/sessions.py", line 630, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 506, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='127.0.0.1', port=2379): Max retries exceeded with url: /v3alpha/kv/txn (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)'),))
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/root/githubsource-pythonetcd3gw/etcd3-gateway/etcd3gw/tests/test_client.py", line 186, in test_client_tls
client.create("foo2", value="bar2")
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 175, in create
result = self.transaction(txn)
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 350, in transaction
data=json.dumps(txn))
File "/usr/local/lib/python3.6/dist-packages/etcd3gw/client.py", line 100, in post
raise exceptions.ConnectionFailedError(six.text_type(ex))
etcd3gw.exceptions.ConnectionFailedError
----------------------------------------------------------------------
Ran 1 test in 0.023s
FAILED (errors=1)
# ran unit test again with patch fix
# adds new server to trusted ca list
sudo cp server.crt /usr/share/ca-certificates/
sudo dpkg-reconfigure ca-certificates
press spacebar to select the cert and tab, enter to save
or running `sudo update-ca-certificates` does the same thing.
Unit test console output:
root@ubuntu-bionic:~/githubsource-pythonetcd3gw/etcd3-gateway/etcd3gw/tests# python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
/usr/lib/python3/dist-packages/urllib3/connection.py:358: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
SubjectAltNameWarning
[b'bar']
/usr/lib/python3/dist-packages/testtools/testcase.py:719: ResourceWarning: unclosed <ssl.SSLSocket fd=3, family=AddressFamily.AF_INET, type=SocketKind.SOCK_STREAM, proto=6, laddr=('127.0.0.1', 38392), raddr=('127.0.0.1', 2379)>
return self._get_test_method()()
.
----------------------------------------------------------------------
Ran 1 test in 0.048s
OK
The unit test I've made is an echo of the test_client.py code we've just updated.
#
Testing out the new unit test from the source code changes.
I have added a new unit test that tests the setting of TLS params.
You can run the unit test with:
python3 -m unittest
again make sure there's no etcd server already running.
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package.
[Test Plan]
# Create self signed certs, using the default for all prompts
$ openssl req -addext "subjectAltName = DNS:localhost" -x509 -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.crt
# install 'etcd' package, stop the default server, and spin up etcd server
$ sudo apt install etcd
$ sudo systemctl stop etcd
$ etcd --name test --data-dir test --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://localhost:2379 --listen-client-urls=https://localhost:2379
# run test script
$ cat test.py
#!/usr/bin/python3
from etcd3gw import Etcd3Client
c = Etcd3Client(host="localhost", protocol="https", cert_key="localhost.key", cert_cert="localhost.crt", ca_cert="localhost.crt", timeout=10)
c.put('test', 'success!')
resp = c.get('test')
print(b''.join(resp).decode())
$ ./test.py
success!
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
|
2021-03-09 14:19:00 |
Dan Streetman |
description |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package.
[Test Plan]
# Create self signed certs, using the default for all prompts
$ openssl req -addext "subjectAltName = DNS:localhost" -x509 -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.crt
# install 'etcd' package, stop the default server, and spin up etcd server
$ sudo apt install etcd
$ sudo systemctl stop etcd
$ etcd --name test --data-dir test --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://localhost:2379 --listen-client-urls=https://localhost:2379
# run test script
$ cat test.py
#!/usr/bin/python3
from etcd3gw import Etcd3Client
c = Etcd3Client(host="localhost", protocol="https", cert_key="localhost.key", cert_cert="localhost.crt", ca_cert="localhost.crt", timeout=10)
c.put('test', 'success!')
resp = c.get('test')
print(b''.join(resp).decode())
$ ./test.py
success!
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2, which is not yet pulled into Debian, so this patch is needed in Debian, as well as Bionic and Focal. This package was not included in Xenial. |
[Impact]
A connection session is opened, but the TLS parameters (timeout, ca, cert and key) are not actually set for the session. This prevents use of TLS for the etcd3gw package.
[Test Plan]
# Create self signed certs, using the default for all prompts
$ openssl req -addext "subjectAltName = DNS:localhost" -x509 -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.crt
# install 'etcd' package, stop the default server, and spin up etcd server
$ sudo apt install etcd
$ sudo systemctl stop etcd
$ etcd --name test --data-dir test --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://localhost:2379 --listen-client-urls=https://localhost:2379
# run test script
$ cat test.py
#!/usr/bin/python3
from etcd3gw import Etcd3Client
c = Etcd3Client(host="localhost", protocol="https", cert_key="localhost.key", cert_cert="localhost.crt", ca_cert="localhost.crt", timeout=10)
c.put('test', 'success!')
resp = c.get('test')
print(b''.join(resp).decode())
$ ./test.py
success!
[Where Problems Could Occur]
This adds TLS parameters (if provided) to the session, so regressions would involve failed connections, possibly those without TLS that had TLS params incorrectly provided before.
[Other]
the upstream bug is https://github.com/dims/etcd3-gateway/issues/20
fixed upstream with pull request https://github.com/dims/etcd3-gateway/pull/21
via commit 90b7a19cdc4daa1230d7f15c10b113abdefdc8c0
that commit is contained in version 0.2.2 which is already in h, so this is needed in b/f/g. This package was not included in Xenial. |
|
2021-06-01 17:22:31 |
Eric Desrochers |
removed subscriber STS Sponsors |
|
|
|
2021-07-28 23:13:14 |
Brian Murray |
python-etcd3gw (Ubuntu Groovy): status |
In Progress |
Won't Fix |
|
2021-10-14 23:55:38 |
Dan Streetman |
tags |
patch sts sts-sponser sts-sponsor-slashd |
patch sts sts-sponsor sts-sponsor-slashd |
|
2021-10-14 23:55:48 |
Dan Streetman |
bug |
|
|
added subscriber STS Sponsors |
2021-10-15 01:43:22 |
Dan Streetman |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2021-10-15 15:38:26 |
Eric Desrochers |
python-etcd3gw (Ubuntu Groovy): assignee |
Heather Lemon (hypothetical-lemon) |
|
|
2021-10-27 14:40:10 |
Heather Lemon |
attachment removed |
lp1820083-tls-params-focal.debdiff https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5471981/+files/lp1820083-tls-params-focal.debdiff |
|
|
2021-10-27 14:40:24 |
Heather Lemon |
attachment removed |
lp1820083-tls-params-groovy.debdiff https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5471978/+files/lp1820083-tls-params-groovy.debdiff |
|
|
2021-10-27 14:42:32 |
Heather Lemon |
attachment added |
|
lp1820083-tls-params-focal.debdiff https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5536483/+files/lp1820083-tls-params-focal.debdiff |
|
2021-10-27 16:05:19 |
Heather Lemon |
attachment removed |
lp1820083-tls-params-bionic.debdiff https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5471977/+files/lp1820083-tls-params-bionic.debdiff |
|
|
2021-10-27 16:06:41 |
Heather Lemon |
attachment added |
|
lp1820083-tls-params.debdiff https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5536490/+files/lp1820083-tls-params.debdiff |
|
2021-10-27 16:16:21 |
Heather Lemon |
attachment added |
|
lp1820083-Set-transport-options-on-requests-session.patch https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5536494/+files/lp1820083-Set-transport-options-on-requests-session.patch |
|
2021-10-27 22:49:05 |
Heather Lemon |
attachment added |
|
lp1820083-tls-params-bionic.debdiff https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5536537/+files/lp1820083-tls-params-bionic.debdiff |
|
2021-10-27 22:58:24 |
Heather Lemon |
attachment added |
|
lp1820083-tls-params-focal.debdiff https://bugs.launchpad.net/ubuntu/+source/python-etcd3gw/+bug/1820083/+attachment/5536538/+files/lp1820083-tls-params-focal.debdiff |
|
2021-10-28 13:20:44 |
Eric Desrochers |
removed subscriber STS Sponsors |
|
|
|
2021-10-28 13:20:52 |
Eric Desrochers |
bug |
|
|
added subscriber Eric Desrochers |
2021-11-02 23:38:52 |
Brian Murray |
python-etcd3gw (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
2021-11-02 23:38:55 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2021-11-02 23:38:57 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2021-11-02 23:39:01 |
Brian Murray |
tags |
patch sts sts-sponsor sts-sponsor-slashd |
patch sts sts-sponsor sts-sponsor-slashd verification-needed verification-needed-focal |
|
2021-11-02 23:43:46 |
Brian Murray |
python-etcd3gw (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
2021-11-02 23:43:54 |
Brian Murray |
tags |
patch sts sts-sponsor sts-sponsor-slashd verification-needed verification-needed-focal |
patch sts sts-sponsor sts-sponsor-slashd verification-needed verification-needed-bionic verification-needed-focal |
|
2021-11-09 17:58:50 |
Heather Lemon |
tags |
patch sts sts-sponsor sts-sponsor-slashd verification-needed verification-needed-bionic verification-needed-focal |
patch sts sts-sponsor sts-sponsor-slashd verification-done-focal verification-needed verification-needed-bionic |
|
2021-11-09 18:56:37 |
Heather Lemon |
tags |
patch sts sts-sponsor sts-sponsor-slashd verification-done-focal verification-needed verification-needed-bionic |
patch sts sts-sponsor sts-sponsor-slashd verification-done-bionic verification-done-focal verification-needed |
|
2021-11-25 11:36:08 |
Launchpad Janitor |
python-etcd3gw (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
2021-11-25 11:36:17 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2021-11-25 11:37:49 |
Launchpad Janitor |
python-etcd3gw (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|