python-glanceclient ftbfs in focal

Bug #1870074 reported by Matthias Klose
Affects | Status | Importance | Assigned to | Milestone
openssl (Ubuntu) | Invalid | Undecided | Unassigned |
python-glanceclient (Ubuntu) | Fix Released | High | James Page |

Bug Description

seen in the second focal test rebuild
https://launchpad.net/ubuntu/+archive/test-rebuild-20200327-focal/+build/18963677/+files/buildlog_ubuntu-focal-amd64.python-glanceclient_1%3A2.17.0-0ubuntu2_BUILDING.txt.gz

During handling of the above exception, another exception occurred:

    Traceback (most recent call last):

      File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 665, in urlopen
    httplib_response = self._make_request(

      File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 376, in _make_request
    self._validate_conn(conn)

      File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 996, in _validate_conn
    conn.connect()

      File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 352, in connect
    self.sock = ssl_wrap_socket(

      File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 383, in ssl_wrap_socket
    return context.wrap_socket(sock)

      File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 491, in wrap_socket
    raise ssl.SSLError("bad handshake: %r" % e)

    ssl.SSLError: ("bad handshake: SysCallError(-1, 'Unexpected EOF')",)

During handling of the above exception, another exception occurred:

    Traceback (most recent call last):

      File "/usr/lib/python3/dist-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(

      File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 719, in urlopen
    retries = retries.increment(

      File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 436, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))

    urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='0.0.0.0', port=45175): Max retries exceeded with url: /v2/images/image123 (Caused by SSLError(SSLError("bad handshake: SysCallError(-1, 'Unexpected EOF')")))

During handling of the above exception, another exception occurred:

    Traceback (most recent call last):

      File "/<<PKGBUILDDIR>>/glanceclient/common/http.py", line 269, in _request
    resp = self.session.request(method,

      File "/usr/lib/python3/dist-packages/requests/sessions.py", line 533, in request
    resp = self.send(prep, **send_kwargs)

      File "/usr/lib/python3/dist-packages/requests/sessions.py", line 646, in send
    r = adapter.send(request, **kwargs)

      File "/usr/lib/python3/dist-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)

    requests.exceptions.SSLError: HTTPSConnectionPool(host='0.0.0.0', port=45175): Max retries exceeded with url: /v2/images/image123 (Caused by SSLError(SSLError("bad handshake: SysCallError(-1, 'Unexpected EOF')")))

During handling of the above exception, another exception occurred:

    Traceback (most recent call last):

      File "/<<PKGBUILDDIR>>/glanceclient/tests/unit/test_ssl.py", line 124, in test_v2_requests_cert_verification
    gc.images.get('image123')

      File "/<<PKGBUILDDIR>>/glanceclient/v2/images.py", line 198, in get
    return self._get(image_id)

      File "/<<PKGBUILDDIR>>/glanceclient/common/utils.py", line 598, in inner
    return RequestIdProxy(wrapped(*args, **kwargs))

      File "/<<PKGBUILDDIR>>/glanceclient/v2/images.py", line 191, in _get
    resp, body = self.http_client.get(url, headers=header)

      File "/<<PKGBUILDDIR>>/glanceclient/common/http.py", line 315, in get
    return self._request('GET', url, **kwargs)

      File "/<<PKGBUILDDIR>>/glanceclient/common/http.py", line 282, in _request
    raise exc.CommunicationError(message=message)

    glanceclient.exc.CommunicationError: Error finding address for https://0.0.0.0:45175/v2/images/image123: HTTPSConnectionPool(host='0.0.0.0', port=45175): Max retries exceeded with url: /v2/images/image123 (Caused by SSLError(SSLError("bad handshake: SysCallError(-1, 'Unexpected EOF')")))

During handling of the above exception, another exception occurred:

    Traceback (most recent call last):

      File "/usr/lib/python3/dist-packages/mock/mock.py", line 1330, in patched
    return func(*args, **keywargs)

      File "/<<PKGBUILDDIR>>/glanceclient/tests/unit/test_ssl.py", line 128, in test_v2_requests_cert_verification
    self.fail('No certificate failure message is received')

      File "/usr/lib/python3/dist-packages/unittest2/case.py", line 690, in fail
    raise self.failureException(msg)

    AssertionError: No certificate failure message is received

======
Totals
======
Ran: 635 tests in 1.7474 sec.
 - Passed: 623
 - Skipped: 7
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 5
Sum of execute time for each test: 5.8393 sec.

==============
Worker Balance
==============
 - Worker 0 (159 tests) => 0:00:01.182108
 - Worker 1 (159 tests) => 0:00:01.607279
 - Worker 2 (159 tests) => 0:00:01.570729
 - Worker 3 (158 tests) => 0:00:01.650056
make[1]: *** [debian/rules:24: override_dh_auto_test] Error 1
make[1]: Leaving directory '/<<PKGBUILDDIR>>'
make: *** [debian/rules:6: build] Error 2

Matthias Klose (doko)
Changed in python-glanceclient (Ubuntu):
status: New → Confirmed
importance: Undecided → High
tags: added: ftbfs rls-ff-incoming
James Page (james-page) wrote :

I think this might actually be a bug in openssl 1.1.1d - working to confirm that now

Changed in python-glanceclient (Ubuntu):
assignee: nobody → James Page (james-page)
status: Confirmed → In Progress
milestone: none → ubuntu-20.04
James Page (james-page) wrote :

SSL tests pass on eoan with openssl 1.1.1c-1ubuntu4

James Page (james-page) wrote :

glanceclient.tests.unit.test_ssl.TestHTTPSVerifyCert.test_v2_requests_cert_verification_no_compression

glanceclient.exc.CommunicationError: Error finding address for https://0.0.0.0:58605/v2/images/image123: HTTPSConnectionPool(host='0.0.0.0', port=58605): Max retries exceeded with url: /v2/images/image123 (Caused by SSLError(SSLError("bad handshake: SysCallError(-1, 'Unexpected EOF')")))

glanceclient.tests.unit.test_ssl.TestHTTPSVerifyCert.test_v1_requests_cert_verification

glanceclient.exc.CommunicationError: Error finding address for https://0.0.0.0:45403/v1/images/image123: HTTPSConnectionPool(host='0.0.0.0', port=45403): Max retries exceeded with url: /v1/images/image123 (Caused by SSLError(SSLError("bad handshake: SysCallError(-1, 'Unexpected EOF')")))

glanceclient.tests.unit.test_ssl.TestHTTPSVerifyCert.test_v1_requests_cert_verification_no_compression

glanceclient.exc.CommunicationError: Error finding address for https://0.0.0.0:49591/v1/images/image123: HTTPSConnectionPool(host='0.0.0.0', port=49591): Max retries exceeded with url: /v1/images/image123 (Caused by SSLError(SSLError("bad handshake: SysCallError(-1, 'Unexpected EOF')")))

glanceclient.tests.unit.test_ssl.TestHTTPSVerifyCert.test_v2_requests_cert_verification_no_compression

glanceclient.exc.CommunicationError: Error finding address for https://0.0.0.0:37313/v2/images/image123: HTTPSConnectionPool(host='0.0.0.0', port=37313): Max retries exceeded with url: /v2/images/image123 (Caused by SSLError(SSLError("bad handshake: SysCallError(-1, 'Unexpected EOF')")))

James Page (james-page) wrote :

glanceclient.tests.unit.test_ssl.TestHTTPSVerifyCert.test_v2_requests_valid_cert_no_key

glanceclient.exc.CommunicationError: SSL Error communicating with https://0.0.0.0:58534/v2/images/image123: [('SSL routines', 'SSL_CTX_use_certificate', 'ca md too weak')]

James Page (james-page) wrote :

Boiling those down from the package build log:

glanceclient.tests.unit.test_ssl.TestHTTPSVerifyCert.test_v2_requests_valid_cert_no_key

OpenSSL.SSL.Error: [('SSL routines', 'SSL_CTX_use_certificate', 'ca md too weak')]

glanceclient.tests.unit.test_ssl.TestHTTPSVerifyCert.test_v1_requests_cert_verification

OpenSSL.SSL.SysCallError: (104, 'ECONNRESET')

glanceclient.tests.unit.test_ssl.TestHTTPSVerifyCert.test_v2_requests_cert_verification_no_compression
glanceclient.tests.unit.test_ssl.TestHTTPSVerifyCert.test_v1_requests_cert_verification_no_compression

OpenSSL.SSL.SysCallError: (-1, 'Unexpected EOF')

glanceclient.tests.unit.test_ssl.TestHTTPSVerifyCert.test_v2_requests_cert_verification

OpenSSL.SSL.SysCallError: (-1, 'Unexpected EOF')

James Page (james-page) wrote :

'ca md too weak' would indicate the signing alg is not good enough on the ca.crt any longer:

Signature Algorithm: sha1WithRSAEncryption

James Page (james-page) wrote :

Or this might be related to the default security level we set in Ubuntu

James Page (james-page) wrote :

Actually this resolved to be due to use of older algs in the certs which are no longer considered strong.

Changed in openssl (Ubuntu):
status: New → Invalid
James Page (james-page) wrote :

Uploaded to focal for release team review.

Also submitted upstream - https://review.opendev.org/718093

Changed in python-glanceclient (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-glanceclient - 1:2.17.0-0ubuntu3

---------------
python-glanceclient (1:2.17.0-0ubuntu3) focal; urgency=medium

  * d/p/update-test-certificates.patch: Regenerate test certificates
    to use algorithms that are considered secure by modern OpenSSL
    versions resolving FTBFS (LP: #1870074).

 -- James Page <email address hidden> Tue, 07 Apr 2020 13:48:07 +0100

Changed in python-glanceclient (Ubuntu):
status: Fix Committed → Fix Released