FS#40179 : [python-httplib2] Use system certificate file instead of httplib2's bundled one

FS#40179 - [python-httplib2] Use system certificate file instead of httplib2's bundled one

Attached to Project: Community Packages
Opened by Anton Eliasson (eliasson) - Thursday, 01 May 2014, 21:44 GMT
Last edited by Alexander F. Rødseth (xyproto) - Saturday, 03 May 2014, 10:19 GMT

Task Type	Feature Request
Category	Packages
Status	Closed
Assigned To	Alexander F. Rødseth (xyproto)
Architecture	All
Severity	Low
Priority	Normal
Reported Version
Due in Version	Undecided
Due Date	Undecided
Percent Complete
Votes	0
Private	No

Details

By default, httplib2 uses a bundled truststore of CA certificates instead of the system store located in /etc/ssl/certs/ca-certificates.crt. The bundled one contains a very limited set of certificates which makes it pretty useless in practice. A simple example:

$ python
Python 3.4.0 (default, Mar 17 2014, 23:20:09)
[GCC 4.8.2 20140206 (prerelease)] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import httplib2
>>> h = httplib2.Http()
>>> headers, response = h.request('https://www.archlinux.org')
Traceback (most recent call last):
[...]
During handling of the above exception, another exception occurred:
[...]
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:598)

httplib2 could be trivially patched to instead use the system wide store. This has been done in e.g. Debian[1], Ubuntu[2], OpenSUSE[3] and Mageia[4]. Preparing a patch now.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652105
[2]: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/882027
[3]: https://bugzilla.novell.com/show_bug.cgi?id=761162
[4]: https://bugs.mageia.org/show_bug.cgi?id=6568

This task depends upon

Closed by Alexander F. Rødseth (xyproto)
Saturday, 03 May 2014, 10:19 GMT
Reason for closing: Fixed

Comment by Anton Eliasson (eliasson) - Thursday, 01 May 2014, 22:02 GMT

use_system_cacerts.patch patches both the Python 2 and 3 implementations of httplib2 to use the system cert store. This is based on a patch with the same name by Marc Deslauriers [1], updated for httplib2 0.8. I left the "ca_certs_locater" thingy in python2/httplib2/__init__.py. That feature seems like a terrible solution to me because this is a packaging issue, not something the user of httplib2 should have to worry about. However, it probably wont hurt to leave it there and we can't know if there is anyone out there depending on this feature of specifying an alternate trust store.

PKGBUILD.patch adds this patch to prepare(). It also adds the ca-certificates package as a dependency.

[1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652105#10

use_system_cacerts.patch (1.6 KiB)

PKGBUILD.patch (1.2 KiB)

Comment by Alexander F. Rødseth (xyproto) - Friday, 02 May 2014, 12:28 GMT

Thanks for reporting! Will look into this.

Comment by Alexander F. Rødseth (xyproto) - Saturday, 03 May 2014, 10:14 GMT

Applied the patch and added your name as contributor. Thank you! The updated package will appear in [community] shortly.

Comment by Alexander F. Rødseth (xyproto) - Saturday, 03 May 2014, 10:18 GMT

Please also consider submitting these issues/patches upstream to https://github.com/jcgregorio/httplib2/issues if they are not already there.

Hejdå!

	Tasks related to this task (0)

Duplicate tasks of this task (0)

Arch Linux

FS#40179 - [python-httplib2] Use system certificate file instead of httplib2's bundled one

Details

Loading...