
Bug#787410: PTS: SOAPpy scripts contacting the BTS fail to verify SSL



Hi,

On Mon, 01 Jun 2015, James McCoy wrote:
> On Mon, Jun 01, 2015 at 05:57:58PM +0800, Paul Wise wrote:
> > Since the upgrade to jessie, the calls to the BTS made by the PTS using
> > SOAPpy are crashing as they cannot verify the SSL cert in /etc/ssl/certs
> > directly and require a CA cert to be present instead. There is no known
> > workaround for this issue with SOAPpy yet, help is welcome.
> 
> I tried adding
> 
> cafile = '/etc/ssl/ca-debian/ca-certificates.crt'
> if os.path.exists(cafile):
>     SOAPpy.Config.SSL.cert_file = cafile
> 
> to some of the SOAPpy-using scripts, but that then complains about
> ca-certificates.crt not being in PEM format (I think, since the error message
> is pretty useless).

I just fixed a similar problem in the package tracker and managed to get
it to work by relying on an environment variable:

@@ -228,6 +229,9 @@ class UpdatePackageBugStats(BaseTask):
         :returns: A dict mapping package names to the count of bugs with the
             given tag.
         """
+        debian_ca_bundle = '/etc/ssl/ca-debian/ca-certificates.crt'
+        if os.path.exists(debian_ca_bundle):
+            os.environ['SSL_CERT_FILE'] = debian_ca_bundle
         url = 'https://bugs.debian.org/cgi-bin/soap.cgi'
         namespace = 'Debbugs/SOAP'
         server = SOAPpy.SOAPProxy(url, namespace)
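Review bot: the assignment to os.environ['SSL_CERT_FILE'] inside the method body changes the environment of the whole process and is never undone, so every later TLS connection in this process that relies on the default verify paths will also use the Debian bundle; consider setting it once at start-up, or saving and restoring the previous value around the SOAP call. When /etc/ssl/ca-debian/ca-certificates.crt is absent the code silently continues with the system defaults, so a log message in that case would make a later verification failure easier to diagnose. The bundle path would also be easier to maintain as a module-level constant or setting than as a literal inside the method.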

I found this out after having seen:
In [3]: ssl.get_default_verify_paths()
Out[3]: DefaultVerifyPaths(cafile=None, capath='/usr/lib/ssl/certs', openssl_cafile_env='SSL_CERT_FILE', openssl_cafile='/usr/lib/ssl/cert.pem', openssl_capath_env='SSL_CERT_DIR', openssl_capath='/usr/lib/ssl/certs')

SOAPpy offers no way to use a pre-built SSL context so I found it cleaner
to rely on variables used by the SSL context factory.

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
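
As an added example (not part of the original message or of the package tracker code): a Python context manager that applies the SSL_CERT_FILE override described above for one block of code and then restores the previous value, reporting what ssl.get_default_verify_paths() resolves while it is active. The name scoped_ca_bundle is hypothetical, and the bundle in the demo is a constructed temporary file.

```python
import contextlib
import os
import ssl
import tempfile

# Name of the variable OpenSSL consults for its default CA file ('SSL_CERT_FILE').
ENV_NAME = ssl.get_default_verify_paths().openssl_cafile_env


@contextlib.contextmanager
def scoped_ca_bundle(bundle_path):
    """Apply bundle_path as the default CA file for the with-block only.

    Yields (applied, paths): whether the override was set, and the verify
    paths a default TLS context would resolve at that moment.
    os.environ is process-wide, so this is not safe across threads.
    """
    previous = os.environ.get(ENV_NAME)
    applied = os.path.isfile(bundle_path)
    if applied:
        os.environ[ENV_NAME] = bundle_path
    try:
        yield applied, ssl.get_default_verify_paths()
    finally:
        if applied:
            # Put the environment back exactly as it was found.
            if previous is None:
                os.environ.pop(ENV_NAME, None)
            else:
                os.environ[ENV_NAME] = previous


if __name__ == "__main__":
    # Constructed stand-in for a CA bundle; a real one holds PEM certificates.
    with tempfile.NamedTemporaryFile(suffix=".crt") as bundle:
        with scoped_ca_bundle(bundle.name) as (applied, paths):
            # Code that builds a default TLS context would go here.
            print("override applied:", applied)
            print("effective cafile:", paths.cafile)
        print("after block:", os.environ.get(ENV_NAME))
```

The TLS connection has to be opened inside the with-block, because the variable is read when the default verify paths are loaded into a context, not when the override is set.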

