Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Certificate loading regression with HTTPAdapters in 2.32.3 #6730

Open
ricellis opened this issue May 31, 2024 · 3 comments
Open

Certificate loading regression with HTTPAdapters in 2.32.3 #6730

ricellis opened this issue May 31, 2024 · 3 comments

Comments

@ricellis
Copy link

It appears that in version 2.32.3 default certificates are no longer loaded for custom HTTPAdapter contexts when they were previously.

I guess this might be a duplicate/related to #6726 (comment).
Also related to #6710 (comment) - adding load_default_certs() resolves the issue, but this wasn't required in previous versions and thus makes upgrading to 2.32.3 breaking.

Expected Result

With the code below using requests version 2.32.2 I get the URL content with no error.

Actual Result

Using 2.32.3 I get:

requests.exceptions.SSLError: HTTPSConnectionPool(host='raw.githubusercontent.com', port=443): Max retries exceeded with url: /psf/requests/main/MANIFEST.in (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)')))

Reproduction Steps

import requests
import ssl
from requests.adapters import HTTPAdapter, DEFAULT_POOLBLOCK
from urllib3.util.ssl_ import create_urllib3_context

# adapted from https://github.com/IBM/python-sdk-core/blob/1c207385de627df5d12fd0a0ebd04717ce5bb29d/ibm_cloud_sdk_core/utils.py#L34
class SSLHTTPAdapter(HTTPAdapter):
    """Wraps the original HTTP adapter and adds additional SSL context."""

    def init_poolmanager(self, connections, maxsize, block=DEFAULT_POOLBLOCK, **pool_kwargs):
        """Create and use custom SSL configuration."""

        ssl_context = create_urllib3_context()
        ssl_context.minimum_version = ssl.TLSVersion.TLSv1_2
        # ssl_context.load_default_certs() # Adding this resolves the certificate issue but it was not required before

        super().init_poolmanager(connections, maxsize, block, ssl_context=ssl_context, **pool_kwargs)

session = requests.Session()
http_adapter = SSLHTTPAdapter()
session.mount('https://', http_adapter)

print(session.get(url='https://raw.githubusercontent.com/psf/requests/main/MANIFEST.in').text)

System Information

$ python -m requests.help

{
  "chardet": {
    "version": null
  },
  "charset_normalizer": {
    "version": "3.2.0"
  },
  "cryptography": {
    "version": ""
  },
  "idna": {
    "version": "3.4"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.11.9"
  },
  "platform": {
    "release": "23.5.0",
    "system": "Darwin"
  },
  "pyOpenSSL": {
    "openssl_version": "",
    "version": null
  },
  "requests": {
    "version": "2.32.3"
  },
  "system_ssl": {
    "version": "30300000"
  },
  "urllib3": {
    "version": "2.2.1"
  },
  "using_charset_normalizer": true,
  "using_pyopenssl": false
}
@ricellis ricellis mentioned this issue May 31, 2024
Closed
@nateprewitt nateprewitt mentioned this issue May 31, 2024
Draft
@mikf mikf mentioned this issue May 31, 2024
Closed
pyrooka added a commit to IBM/python-sdk-core that referenced this issue Jun 3, 2024
@pyrooka
fix: specify the maximum version of requests to avoid regression
e5e87db 
Version `2.23.3` of the `requests` package broke our custom
`SSLHTTPAdapter`. This commit defines the maximum version of that
package, to make sure it will continue working without an issue. Note
that, this is a short term solution only. For more details see this
issue: psf/requests#6730

Signed-off-by: Norbert Biczo <[email protected]>
@pyrooka pyrooka mentioned this issue Jun 3, 2024
Merged
pyrooka added a commit to IBM/python-sdk-core that referenced this issue Jun 3, 2024
@pyrooka
fix: specify the maximum version of requests to avoid regression
f2be943 
Version `2.23.3` of the `requests` package broke our custom
`SSLHTTPAdapter`. This commit defines the maximum version of that
package, to make sure it will continue working without an issue. Note
that, this is a short term solution only. For more details see this
issue: psf/requests#6730

Signed-off-by: Norbert Biczo <[email protected]>
archlinux-github pushed a commit to archlinux/aur that referenced this issue Jun 3, 2024
Patch SSLHTTPAdapter for latest requests
bbfe724 
see psf/requests#6730
pyrooka added a commit to IBM/python-sdk-core that referenced this issue Jun 3, 2024
@pyrooka
fix: specify the maximum version of requests to avoid regression (#194
f4ac0d1 
)

Version `2.23.3` of the `requests` package broke our custom
`SSLHTTPAdapter`. This commit defines the maximum version of that
package, to make sure it will continue working without an issue. Note
that, this is a short term solution only. For more details see this
issue: psf/requests#6730

Signed-off-by: Norbert Biczo <[email protected]>
@ricellis ricellis mentioned this issue Jun 4, 2024
Merged
13 tasks
@nateprewitt nateprewitt mentioned this issue Jun 7, 2024
Closed
@watkins-matt watkins-matt mentioned this issue Jun 10, 2024
Closed
idavidmcdonald added a commit to alphagov/notifications-api that referenced this issue Jun 18, 2024
@idavidmcdonald
Pin requests due to bug with connecting to DVLA
b707247 
We updated requests in #4108
but we saw errors in production connecting to DVLA as per
psf/requests#6730.

It looks like moving back to 2.32.2 should be unaffected, at least
according to the github issue above.

Once a new version is released that fixes it, we can drop this
pin. If it doesn't get fixed we could look at an alternative approach
like #4113
@idavidmcdonald idavidmcdonald mentioned this issue Jun 18, 2024
Merged
Closed
@archer-321 archer-321 mentioned this issue Jun 27, 2024
Closed
2 tasks
This was referenced Jun 28, 2024
Merged
Closed
Merged
@jaraco jaraco mentioned this issue Jul 7, 2024
Closed
2 tasks
@jaraco
Copy link
Contributor

jaraco commented Jul 7, 2024

This issue appears to be leading to widespread breakage. Have you considered yanking the release? It's personally cost me a good deal of time troubleshooting, distilling, and reporting the issue in httpie/cli#1581, to the point that users are suggesting to move away from requests (feels drastic, admittedly). Would the maintainers at least consider acknowledging the issue and giving some insight into the plan?

@nateprewitt
Copy link
Member

Hi @jaraco, we have a PR with the fix up already. We've been evaluating if there are any other breakages because this series of releases has been problematic.

Applying the patch or downgrading is the immediate fix. The reason it's not yanked is because this was part of a change for a CVE fix in 2.32.x.

@Jamim
Copy link

Jamim commented Jul 12, 2024

we have a PR with the fix up already.

For those who are wondering, here it is:

Jamim added a commit to Jamim/gentoo-overlay that referenced this issue Jul 12, 2024
@Jamim
⬆️ net-misc/httpie: bump to 3.2.3
6f42d9e 
Note that there is no <dev-python/requests-3.32.3 for Python 3
in the portage tree at the moment, so requests' version can't
be effectively pinned like it was pinned in the PyPI package.
It leads to errors when processing HTTPS links.
Upcoming release of Requests should fix it.
Issue for tracking:
  - psf/requests#6730

Release:
  - https://github.com/httpie/cli/releases/tag/3.2.3

Changes in comparison to 3.2.2:
  - add Python 3.13 support
  - add the repository url to the HOMEPAGE
@mdmintz mdmintz mentioned this issue Jul 22, 2024
Closed
patdowney added a commit to serverless-ca/terraform-aws-ca that referenced this issue Jul 26, 2024
@patdowney
deps: revert requests to 2.3.1
510befa 
Until psf/requests#6730 is addressed
@patdowney patdowney mentioned this issue Jul 26, 2024
Merged
patdowney added a commit to serverless-ca/terraform-aws-ca that referenced this issue Jul 26, 2024
@patdowney
deps: revert requests to 2.31.0
8097844 
Until psf/requests#6730 is addressed
paulschwarzenberger pushed a commit to serverless-ca/terraform-aws-ca that referenced this issue Jul 26, 2024
@patdowney
deps: revert requests to 2.31.0 (#195)
87e701f 
Until psf/requests#6730 is addressed
rbignon pushed a commit to rbignon/woob that referenced this issue Sep 3, 2024
@llange @eraby-fr
Skip buggy requests versions and resolve "certificate verify failed…
622e740 
…: self-signed certificate in certificate chain" error

`requests` versions 2.32.0 to 2.32.3 (included) are affected by a bug breaking the ability to specify
custom SSLContexts in sub-classes of HTTPAdapter (psf/requests#6715) and another
breaking the ability to load certificates with HTTPAdapters (psf/requests#6730)

We skip those versions (and hope that 2.32.4 will provide a fix for psf/requests#6730)

Cf #706
AdamWill added a commit to AdamWill/httpie-cli that referenced this issue Sep 4, 2024
@AdamWill
Explicitly load default certificates when creating SSL context (httpi…
eb7a56f 
…e#1583)

Requests prior to 2.32.3 always loaded the default (system-wide)
set of trusted certificates into custom SSL contexts. 2.32.3 no
longer does. This has broken a lot of users, but the fix is
moving slowly upstream due to security considerations - see
psf/requests#6730 and
psf/requests#6731 .

As suggested at
psf/requests#6710 (comment)
this can be worked around by explicitly loading the default
certificates into the context. We check the method exists before
calling it just to be safe, but I'm pretty sure it's been there
as long as this interface has existed.

Signed-off-by: Adam Williamson <[email protected]>
AdamWill added a commit to AdamWill/httpie-cli that referenced this issue Sep 4, 2024
@AdamWill
Explicitly load default certificates when creating SSL context (httpi…
6a0e0aa 
…e#1583)

Requests prior to 2.32.3 always loaded the default (system-wide)
set of trusted certificates into custom SSL contexts. 2.32.3 no
longer does. This has broken a lot of users, but the fix is
moving slowly upstream due to security considerations - see
psf/requests#6730 and
psf/requests#6731 .

As suggested at
psf/requests#6710 (comment)
this can be worked around by explicitly loading the default
certificates into the context. We check the method exists before
calling it just to be safe, but I'm pretty sure it's been there
as long as this interface has existed.

Signed-off-by: Adam Williamson <[email protected]>
@AdamWill AdamWill mentioned this issue Sep 4, 2024
Merged
@mdmintz mdmintz mentioned this issue Sep 6, 2024
Closed
AdamWill added a commit to AdamWill/httpie-cli that referenced this issue Sep 6, 2024
@AdamWill
Explicitly load default certificates when creating SSL context (httpi…
2eaac78 
…e#1583)

Requests prior to 2.32.3 always loaded the default (system-wide)
set of trusted certificates into custom SSL contexts. 2.32.3 no
longer does. This has broken a lot of users, but the fix is
moving slowly upstream due to security considerations - see
psf/requests#6730 and
psf/requests#6731 .

As suggested at
psf/requests#6710 (comment)
this can be worked around by explicitly loading the default
certificates into the context. We check the method exists before
calling it just to be safe, it was added in Python 3.4.

Signed-off-by: Adam Williamson <[email protected]>
@mdmintz mdmintz mentioned this issue Sep 16, 2024
Closed
jkbrzt pushed a commit to httpie/cli that referenced this issue Nov 1, 2024
@AdamWill
Explicitly load default certificates when creating SSL context (#1583) (
fd30c4e 
#1596)

* Explicitly load default certificates when creating SSL context (#1583)

Requests prior to 2.32.3 always loaded the default (system-wide)
set of trusted certificates into custom SSL contexts. 2.32.3 no
longer does. This has broken a lot of users, but the fix is
moving slowly upstream due to security considerations - see
psf/requests#6730 and
psf/requests#6731 .

As suggested at
psf/requests#6710 (comment)
this can be worked around by explicitly loading the default
certificates into the context. We check the method exists before
calling it just to be safe, it was added in Python 3.4.

Signed-off-by: Adam Williamson <[email protected]>

* Drop the upper bound on the requests dependency again

As we can now work with requests 2.32.3+, we no longer need this
pin.

Signed-off-by: Adam Williamson <[email protected]>

---------

Signed-off-by: Adam Williamson <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jaraco @nateprewitt @Jamim @ricellis