TL;DR: Python setuptools is going to lose the ability to talk to pypi in the near future.

As documented at [1] and [2], Fastly, the CDN that serves files.pythonhosted.org and pypi.python.org, is going to disable support for clients that don't support the SNI TLS protocol extension. It seems that Fastly recently made (and then reverted) this change, which is convenient for us as it gave a bit of a preview into what's going to happen once they make the change permanent.

One user reported connectivity issues to files.pythonhosted.org [3], which prompted me to investigate why. As noted in their post, python in stretch does support SNI, but it appears that it wasn't being used. As shown in the wireshark decoding of the TLS client hello message when connecting to pypi.python.org, the SNI extension was not in use. Comparable packet captures from buster include a line matching "Extension: server_name", which indicates the presence of the SNI protocol extension.

I believe we will need an update to python's setuptools packages to address this issue; it seems as though python itself has full support for SNI.
Frame 4: 304 bytes on wire (2432 bits), 304 bytes captured (2432 bits)
Ethernet II, Src: 02:4a:6e:2e:54:45 (02:4a:6e:2e:54:45), Dst: 02:8f:53:6f:64:ef (02:8f:53:6f:64:ef)
Internet Protocol Version 4, Src: 10.0.0.75, Dst: 151.101.52.223
Transmission Control Protocol, Src Port: 58854, Dst Port: 443, Seq: 1, Ack: 1, Len: 238
Transport Layer Security
    TLSv1.2 Record Layer: Handshake Protocol: Client Hello
        Content Type: Handshake (22)
        Version: TLS 1.0 (0x0301)
        Length: 233
        Handshake Protocol: Client Hello
            Handshake Type: Client Hello (1)
            Length: 229
            Version: TLS 1.2 (0x0303)
            Random: 9da5bf0013f2a241c06b223ccb4e27a662ac537fdcecd60d7aba8ec617caf96a
            Session ID Length: 0
            Cipher Suites Length: 124
            Cipher Suites (62 suites)
            Compression Methods Length: 1
            Compression Methods (1 method)
            Extensions Length: 64
            Extension: ec_point_formats (len=4)
            Extension: supported_groups (len=4)
            Extension: session_ticket (len=0)
            Extension: encrypt_then_mac (len=0)
            Extension: extended_master_secret (len=0)
            Extension: signature_algorithms (len=32)

1. https://status.python.org/incidents/hzmjhqsdjqgb
2. https://github.com/pypa/pypi-support/issues/978
3. https://github.com/pypa/pypi-support/issues/978#issuecomment-806100294
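The check made by eye in the Wireshark decode above can be scripted. This is an added example, not part of the original message and not setuptools code: it has Python's own ssl module write a ClientHello into memory (no network), once with and once without server_hostname, and parses the extension list for server_name (type 0). The function names are hypothetical; the same parser can be pointed at the first TLS record of a captured connection.

```python
import ssl
import struct

SERVER_NAME = 0  # extension type of server_name (SNI), RFC 6066


def capture_client_hello(server_hostname):
    """Return the first flight Python's ssl module would send (nothing leaves the host)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # only so the no-SNI case (hostname=None) can be produced
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello is written, the client now waits for a reply
    return outgoing.read()


def client_hello_extensions(record):
    """Parse one TLS record holding a ClientHello; return {ext_type: ext_data}."""
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 22 or body[0] != 1:
        raise ValueError("not a handshake record carrying a ClientHello")
    pos = 4 + 2 + 32                                   # handshake header, version, random
    pos += 1 + body[pos]                               # session id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher suites
    pos += 1 + body[pos]                               # compression methods
    exts = {}
    if pos == len(body):
        return exts                                    # hello with no extensions block
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        exts[etype] = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts


def sni_hostname(record):
    """Return the host_name carried in server_name, or None if the extension is absent."""
    data = client_hello_extensions(record).get(SERVER_NAME)
    if data is None:
        return None
    name_len = struct.unpack_from("!H", data, 3)[0]    # skip list length and name type
    return data[5:5 + name_len].decode("ascii")


if __name__ == "__main__":
    for host in ("pypi.python.org", None):
        print(host, "->", sni_hostname(capture_client_hello(host)))
```

Python's ssl module only emits the extension when the caller passes server_hostname, so a hello without it points at the calling code rather than at the TLS library.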