FS#40179 - [python-httplib2] Use system certificate file instead of httplib2's bundled one

Attached to Project: Community Packages
Opened by Anton Eliasson (eliasson) - Thursday, 01 May 2014, 21:44 GMT
Last edited by Alexander F. Rødseth (xyproto) - Saturday, 03 May 2014, 10:19 GMT
Task Type Feature Request
Category Packages
Status Closed
Assigned To Alexander F. Rødseth (xyproto)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No


By default, httplib2 uses a bundled truststore of CA certificates instead of the system store located in /etc/ssl/certs/ca-certificates.crt. The bundled one contains a very limited set of certificates which makes it pretty useless in practice. A simple example:

$ python
Python 3.4.0 (default, Mar 17 2014, 23:20:09)
[GCC 4.8.2 20140206 (prerelease)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import httplib2
>>> h = httplib2.Http()
>>> headers, response = h.request('https://www.archlinux.org')
Traceback (most recent call last):
During handling of the above exception, another exception occurred:
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)

httplib2 could be trivially patched to instead use the system-wide store. This has been done in e.g. Debian[1], Ubuntu[2], OpenSUSE[3] and Mageia[4]. Preparing a patch now.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652105
[2]: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/882027
[3]: https://bugzilla.novell.com/show_bug.cgi?id=761162
[4]: https://bugs.mageia.org/show_bug.cgi?id=6568

Closed by Alexander F. Rødseth (xyproto)
Saturday, 03 May 2014, 10:19 GMT
Reason for closing: Fixed
Comment by Anton Eliasson (eliasson) - Thursday, 01 May 2014, 22:02 GMT
use_system_cacerts.patch patches both the Python 2 and 3 implementations of httplib2 to use the system cert store. This is based on a patch with the same name by Marc Deslauriers [1], updated for httplib2 0.8. I left the "ca_certs_locater" thingy in python2/httplib2/__init__.py. That feature seems like a terrible solution to me because this is a packaging issue, not something the user of httplib2 should have to worry about. However, it probably won't hurt to leave it there and we can't know if there is anyone out there depending on this feature of specifying an alternate trust store.

PKGBUILD.patch adds this patch to prepare(). It also adds the ca-certificates package as a dependency.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652105#10
Comment by Alexander F. Rødseth (xyproto) - Friday, 02 May 2014, 12:28 GMT
Thanks for reporting! Will look into this.
Comment by Alexander F. Rødseth (xyproto) - Saturday, 03 May 2014, 10:14 GMT
Applied the patch and added your name as contributor. Thank you! The updated package will appear in [community] shortly.
Comment by Alexander F. Rødseth (xyproto) - Saturday, 03 May 2014, 10:18 GMT
Please also consider submitting these issues/patches upstream to https://github.com/jcgregorio/httplib2/issues if they are not already there.
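
Added example, not part of the original thread or of the attached patches: a small check of which CA bundle an installed httplib2 verifies against, compared with the system store named in the report, plus the per-application workaround of passing that store through the `ca_certs` argument of `httplib2.Http`. The function names are hypothetical, and reading the bundle path from the module attribute `httplib2.CA_CERTS` is an assumption about the installed version.

```python
import os

# System trust store path as given in the report.
SYSTEM_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"


def count_pem_certs(path):
    """Count PEM certificate blocks in a CA bundle file."""
    with open(path, "r", errors="replace") as fh:
        return sum(1 for line in fh if line.strip() == PEM_BEGIN)


def audit_bundle(active, system=SYSTEM_BUNDLE):
    """Compare the bundle a client verifies against with the system store."""
    report = {"active": active, "system": system, "uses_system_store": False,
              "active_certs": None, "system_certs": None}
    have_active = os.path.exists(active)
    if have_active:
        report["active_certs"] = count_pem_certs(active)
    if os.path.exists(system):
        report["system_certs"] = count_pem_certs(system)
        # samefile() follows symlinks, so a bundle linked to the system
        # store counts as using it.
        report["uses_system_store"] = have_active and os.path.samefile(active, system)
    return report


def http_with_system_store(system=SYSTEM_BUNDLE):
    """Workaround on an unpatched package: pass the system store explicitly."""
    import httplib2
    if not os.path.exists(system):
        raise FileNotFoundError(system)
    # Certificate validation stays enabled; only the trust anchors change.
    return httplib2.Http(ca_certs=system)


if __name__ == "__main__":
    try:
        import httplib2
    except ImportError:
        print("httplib2 is not installed")
    else:
        # Assumption: the default bundle path is exposed as httplib2.CA_CERTS.
        active = getattr(httplib2, "CA_CERTS", None)
        print(audit_bundle(active) if active else "CA_CERTS not exposed")
```

On a package built with the patch, `uses_system_store` should be true; a much smaller `active_certs` than `system_certs` points at the bundled store described in the report.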