Bug#787410: PTS: SOAPpy scripts contacting the BTS fail to verify SSL
Hi,
On Mon, 01 Jun 2015, James McCoy wrote:
> On Mon, Jun 01, 2015 at 05:57:58PM +0800, Paul Wise wrote:
> > Since the upgrade to jessie, the calls to the BTS made by the PTS using
> > SOAPpy are crashing as they cannot verify the SSL cert in /etc/ssl/certs
> > directly and require a CA cert to be present instead. There is no known
> > workaround for this issue with SOAPpy yet, help is welcome.
>
> I tried adding
>
>     cafile = '/etc/ssl/ca-debian/ca-certificates.crt'
>     if os.path.exists(cafile):
>         SOAPpy.Config.SSL.cert_file = cafile
>
> to some of the SOAPpy-using scripts, but that then complains about
> ca-certificates.crt not being in PEM format (I think, since the error message
> is pretty useless).
I just fixed a similar problem in the package tracker and managed to get
it to work by relying on an environment variable:
@@ -228,6 +229,9 @@ class UpdatePackageBugStats(BaseTask):
:returns: A dict mapping package names to the count of bugs with the
given tag.
"""
+ debian_ca_bundle = '/etc/ssl/ca-debian/ca-certificates.crt'
+ if os.path.exists(debian_ca_bundle):
+ os.environ['SSL_CERT_FILE'] = debian_ca_bundle
url = 'https://bugs.debian.org/cgi-bin/soap.cgi'
namespace = 'Debbugs/SOAP'
server = SOAPpy.SOAPProxy(url, namespace)
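Review bot: The os.environ['SSL_CERT_FILE'] assignment added at the top of the method body is a process-wide change that is never undone: it silently overwrites any SSL_CERT_FILE the administrator already set, and it stays in effect for every later TLS client in this process that loads OpenSSL's default verify paths, not only for the SOAPpy.SOAPProxy call below it. Consider setting it once at start-up or in configuration, or saving and restoring the previous value around the SOAP call, and hoisting the hard-coded bundle path into a module-level constant. The os.path.exists() guard only proves the file is there, so an unreadable or non-PEM bundle still fails later inside SOAPpy. A one-line comment saying the environment variable is used because SOAPpy cannot take a pre-built SSL context would save the next reader from trying to remove it.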
I found this out after having seen:
In [3]: ssl.get_default_verify_paths()
Out[3]: DefaultVerifyPaths(cafile=None, capath='/usr/lib/ssl/certs', openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/usr/lib/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/usr/lib/ssl/certs')
SOAPpy offers no way to use a pre-built SSL context so I found it cleaner
to rely on variables used by the SSL context factory.
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
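Added example, not part of the original message or of the package tracker's code: a scoped form of the SSL_CERT_FILE override shown in the patch, with a check that the bundle really parses as PEM before it is used (the failure reported in the quoted reply). It assumes Python 3 and the standard ssl module only; the helper names bundle_is_loadable and scoped_ssl_cert_file are hypothetical.

```python
import contextlib
import os
import ssl

DEBIAN_CA_BUNDLE = '/etc/ssl/ca-debian/ca-certificates.crt'  # path from the thread


def bundle_is_loadable(path):
    """True if OpenSSL parses at least one PEM certificate out of `path`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.load_verify_locations(cafile=path)
    except OSError:  # ssl.SSLError subclasses OSError; also covers a missing file
        return False
    return ctx.cert_store_stats()['x509'] > 0


@contextlib.contextmanager
def scoped_ssl_cert_file(path):
    """Point SSL_CERT_FILE at `path` inside the block, then restore the old value."""
    previous = os.environ.get('SSL_CERT_FILE')
    os.environ['SSL_CERT_FILE'] = path
    try:
        # Yields the cafile the ssl module now reports (None if `path` is not a file).
        yield ssl.get_default_verify_paths().cafile
    finally:
        if previous is None:
            os.environ.pop('SSL_CERT_FILE', None)
        else:
            os.environ['SSL_CERT_FILE'] = previous


if __name__ == '__main__':
    if bundle_is_loadable(DEBIAN_CA_BUNDLE):
        with scoped_ssl_cert_file(DEBIAN_CA_BUNDLE) as cafile:
            # A default context picks up SSL_CERT_FILE at the moment it is created.
            ctx = ssl.create_default_context()
            print(cafile, ctx.cert_store_stats())
    else:
        print('not a loadable PEM bundle:', DEBIAN_CA_BUNDLE)
```

Any client that builds its default context inside the with block sees the Debian bundle; code running after the block sees the environment as it was before.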