pycurl gives 'gnutls_handshake() warning: The server name sent was not recognized', curl on command line and wget work with same URL

Bug #1394244 reported by Till Kamppeter on 2014-11-19
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pycurl (Ubuntu)
High
Unassigned
Trusty
High
Unassigned
Utopic
High
Unassigned
system-config-printer (Ubuntu)
High
Unassigned
Trusty
High
Unassigned
Utopic
High
Unassigned

Bug Description

From a Python program (system-config-printer) I need to access an https URL (on OpenPrinting) assuring that the answer really comes from OpenPrinting and not from an attacker. This serves for automatically downloading and installing driver packages for detected and locally unsupported printers.

A typical URL sent by system-config-printer to find driver packages for a detected printer is

https://www.openprinting.org/query.cgi?moreinfo=1&showprinterid=1&onlynewestdriverpackages=0&architectures=amd64&noobsoletes=1&onlyfree=0&onlymanufacturer=0&onlydownload=1&packagesystem=deb&onlysigneddriverpackages=0&format=xml&type=drivers&printer=MFG:EPSON;MDL:EP-805A%20Series;DES:EPSON%20EP-805A%20Series;CLS:PRINTER;

The "https://..." allows for checking whether the answer really comes from OpenPrinting. It is no problem accessing this URL with a browser or by the command line:

curl 'https://www.openprinting.org/query.cgi?moreinfo=1&showprinterid=1&onlynewestdriverpackages=0&architectures=amd64&noobsoletes=1&onlyfree=0&onlymanufacturer=0&onlydownload=1&packagesystem=deb&onlysigneddriverpackages=0&format=xml&type=drivers&printer=MFG:EPSON;MDL:EP-805A%20Series;DES:EPSON%20EP-805A%20Series;CLS:PRINTER;'

wget 'https://www.openprinting.org/query.cgi?moreinfo=1&showprinterid=1&onlynewestdriverpackages=0&architectures=amd64&noobsoletes=1&onlyfree=0&onlymanufacturer=0&onlydownload=1&packagesystem=deb&onlysigneddriverpackages=0&format=xml&type=drivers&printer=MFG:EPSON;MDL:EP-805A%20Series;DES:EPSON%20EP-805A%20Series;CLS:PRINTER;'

In all cases I get an XML data set in a reasonable amount of time (so server performance is OK). The XML data set tells about a driver package from Epson with all info to download it and to establish automatic updates via the facilities of the distro. RPM- and DEB-based distros with 32-bit or 64-bit Intel architectures are supported.

system-config-printer is written completely in Python and uses the pycurl library to call the URL with verification that the communication is done with the actual OpenPrinting server. This does not work any more. If I run the following simple Python code it fails:

----------
import pycurl
def collect_data(result):
   print(result)
   return len(result)

curl = pycurl.Curl()
curl.setopt(pycurl.SSL_VERIFYPEER, 1)
curl.setopt(pycurl.SSL_VERIFYHOST, 2)
curl.setopt(pycurl.WRITEFUNCTION, collect_data)
curl.setopt(pycurl.URL, 'https://www.openprinting.org/query.cgi?moreinfo=1&showprinterid=1&onlynewestdriverpackages=0&architectures=amd64&noobsoletes=1&onlyfree=0&onlymanufacturer=0&onlydownload=1&packagesystem=deb&onlysigneddriverpackages=0&format=xml&type=drivers&printer=MFG:EPSON;MDL:EP-805A%20Series;DES:EPSON%20EP-805A%20Series;CLS:PRINTER;')
status = curl.perform()
repr(status)
quit()
----------

You can paste the lines into a text editor to get a Python program or run "python" or "python3" (Python version seems not to matter) and paste the bunch of lines to the prompt.

The result is always the same, the "status = curl.perform()" line gives:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
pycurl.error: (51, 'gnutls_handshake() warning: The server name sent was not recognized')

For me it looks like that something has changed, as formerly this Python code worked correctly.

If I change "https://..." to "http://..." all works correctly and I get the XML data, but then there is no verification any more that the communication is really done with OpenPrinting.

See also

http://stackoverflow.com/questions/568247/pycurl-fails-but-curl-from-bash-works-in-ubuntu

This all looks like a bug in pycurl.

Changed in system-config-printer (Ubuntu):
status: New → Fix Released
importance: Undecided → High
Till Kamppeter (till-kamppeter) wrote :

The problem occurs on Trusty, Utopic, and Vivid.

Added a task for system-config-printer for using python-requests instead of pycurl as a workaround. Note that this does not fix the problem of pycurl.

Changed in system-config-printer (Ubuntu Trusty):
status: New → Triaged
Changed in system-config-printer (Ubuntu Utopic):
status: New → Triaged
Changed in system-config-printer (Ubuntu Trusty):
importance: Undecided → High
Changed in system-config-printer (Ubuntu Utopic):
importance: Undecided → High
Changed in pycurl (Ubuntu Utopic):
importance: Undecided → High
Changed in pycurl (Ubuntu Trusty):
importance: Undecided → High
Changed in pycurl (Ubuntu):
importance: Undecided → High
Till Kamppeter (till-kamppeter) wrote :

The application of the python-requests workaround to system-config-printer in Trusty and Utopic is handled in SRU bug 1401835.

Changed in system-config-printer (Ubuntu Trusty):
status: Triaged → In Progress
Changed in system-config-printer (Ubuntu Utopic):
status: Triaged → In Progress
Till Kamppeter (till-kamppeter) wrote :

Jeff, can you check whether this is perhaps caused by the server change and whether perhaps the server needs a fix instead of pycurl?

Hello Till, or anyone else affected,

Accepted system-config-printer into utopic-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/system-config-printer/1.5.1+20141010-0ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in system-config-printer (Ubuntu Utopic):
status: In Progress → Fix Committed
tags: added: verification-needed
Till Kamppeter (till-kamppeter) wrote :

Checked with the system-config-printer package from utopic-proposed and automatic driver package installation is working now, so the workaround of using python-requests instead of pycurl to retrieve data from OpenPrinting solves the problem.

tags: added: verification-done
removed: verification-needed
Brian Murray (brian-murray) wrote :

Hello Till, or anyone else affected,

Accepted system-config-printer into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/system-config-printer/1.4.3+20140219-0ubuntu2.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-done-utopic
removed: verification-done
Changed in system-config-printer (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed
Till Kamppeter (till-kamppeter) wrote :

Tested the proposed package for Trusty now and automatic driver package installation is working now, so the workaround of using python-requests instead of pycurl to retrieve data from OpenPrinting solves the problem.

tags: added: verification-done
removed: verification-needed
tags: added: verification-done-trusty
removed: verification-done
Till Kamppeter (till-kamppeter) wrote :

The proposed system-config-printer package for Trusty got a dependency on cups-filters-ippusbxd accidentally (binary package system-config-printer-udev). Therefore please reject the package in trusty-proposed. I will upload a corrected -0ubuntu2.5 immediately then.

tags: added: verification-failed-trusty
removed: verification-done-trusty
Changed in system-config-printer (Ubuntu Trusty):
status: Fix Committed → In Progress
Till Kamppeter (till-kamppeter) wrote :

Uploaded system-config-printer_1.4.3+20140219-0ubuntu2.5 to trusty-proposed with the dependency on cups-filters-ippusbxd removed. See bug 1409263.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package system-config-printer - 1.5.1+20141010-0ubuntu2.2

---------------
system-config-printer (1.5.1+20141010-0ubuntu2.2) utopic-proposed; urgency=medium

  * debian/patches/70_package-download-fixes.patch: Fixed several bugs to
    make automatic printer driver download working again (LP: #1401835):
     o Use pyrequests instead of pycurl for secure (verified certificate)
       downloads. pycurl stopped working after the OpenPrinting web server
       has moved from Ubuntu 10.04 to 12.04 (LP: #1394244).
     o In the install-printerdriver script improved the check for the
       necessity of adding the driver's Debian repository and added a
       workaround for a bug in aptdaemon interpreting PackageKit's package
       IDs wrongly when installing a package (LP: #1397750).
     o In fillDriverList() use ".hasattr()" to check presence of
       attributes.
     o Python3 transition bugs
  * debian/patches/73_support-non-utf-8-encoded-ppds.patch: Do not
    crash on non-UTF-8-encoded PPD files (LP: #1400232)
  * debian/control: Depend on python-requests instead of on python-pycurl.
 -- Till Kamppeter <email address hidden> Sat, 13 Dec 2014 11:01:26 +0100

Changed in system-config-printer (Ubuntu Utopic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for system-config-printer has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Re-subscribing ubuntu-sru for the SRU on Trusty.

Changed in system-config-printer (Ubuntu Trusty):
status: In Progress → Fix Committed

Tested the new proposed package for Trusty (-0ubuntu2.5) now and automatic driver package installation is working now, so the workaround of using python-requests instead of pycurl to retrieve data from OpenPrinting solves the problem.

tags: added: verification-done-trusty
removed: verification-failed-trusty

If you still have problems with package installation by system-config-printer, please have a look at bug 1412722 and bug 1412729 and as soon as the proposed fixed packages get available there, test them and tell in that bug reports whether they solve your problem.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package system-config-printer - 1.4.3+20140219-0ubuntu2.5

---------------
system-config-printer (1.4.3+20140219-0ubuntu2.5) trusty-proposed; urgency=medium

  * debian/patches/35_ipp-over-usb-support.patch: Removed, IPP-over-USB support
    was not yet intended with this SRU.
  * debian/control: Removed dependency on cups-filters-ippusbxd package
    (LP: #1409263).
 -- Till Kamppeter <email address hidden> Sat, 10 Jan 2014 17:19:26 +0100

Changed in system-config-printer (Ubuntu Trusty):
status: Fix Committed → Fix Released
Rolf Leggewie (r0lf) wrote :

utopic has seen the end of its life and is no longer receiving any updates. Marking the utopic task for this ticket as "Won't Fix".

Changed in pycurl (Ubuntu Utopic):
status: New → Won't Fix
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers