[Bug 2091732] Re: Unverified SSL connection might be considered verified

Mauricio Faria de Oliveira 2091732 at bugs.launchpad.net
Fri Dec 20 19:02:13 UTC 2024


** Changed in: requests (Ubuntu Noble)
     Assignee: Mauricio Faria de Oliveira (mfo) => Ioanna Alifieraki (joalif)

** Changed in: requests (Ubuntu Jammy)
     Assignee: Mauricio Faria de Oliveira (mfo) => Ioanna Alifieraki (joalif)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to requests in Ubuntu.
https://bugs.launchpad.net/bugs/2091732

Title:
  Unverified SSL connection might be considered verified

Status in requests package in Ubuntu:
  Fix Released
Status in requests source package in Jammy:
  In Progress
Status in requests source package in Noble:
  In Progress

Bug description:
  [Impact]

   * The HTTPS certificate verification in Python Requests 
     may be *incorrectly* ignored if an existing connection
     to the same host previously did *not* use verification.
     
  [Test Plan]

   * Create session to perform _first_ a request _with_
     certificate verification (verify=True) and _after_
     _without_ it (verify=False). This works correctly.
     
   * Create a session to perform _first_ a request _without_
     certificate verification (verify=False) and _after_
     _with_ it (verify=True). This is supposed to work
     correctly, but with the bug, the second request does
     _not_ verify the certificate, actually.
    
   * Test case is provided in comment 1, and executed in
     comments 2 and 3. The last test (2B) is the problem.
     The other tests check for no regressions.
     Success is all tests report 'GOOD' (not any 'BAD').

  [Regression Potential]

   * This patch changes the information used to select a
     connection pool, so that a pool used for unverified
     connections is _not_ used later for a verified one.
     
     This is in the connection path in Python Requests,
     which is critical; however, any issues are likely
     to be caught early in tests.
     
     Also, the patch has been introduced in v2.32.0, and
     is present in Ubuntu Oracular and Plucky already,
     thus it has received testing and is exercised by
     users.
   
  [Other Info]
   
   * Upstream commit:
     https://github.com/psf/requests/commit/c0813a2d910ea6b4f8438b91d315b8d181302356
     
   * Test packages available in ppa:mfo/lp2091732-lp2091733.
     Note comment 4, although this patch is not subject to
     the pending patches for the other bug 2091733.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/requests/+bug/2091732/+subscriptions
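The following is an added illustration and is not code from python-requests, urllib3, or the Ubuntu package. It is a toy model of the one mechanism the bug description talks about: an adapter picks a connection pool by a key, and a pool reuses an idle keep-alive connection whose TLS verification was decided once, at handshake time. With the pre-fix key (scheme, host, port only) the two orderings from the [Test Plan] give the "BAD" result for ordering 2; with TLS settings folded into the key, both orderings report "GOOD". The class and function names and the hostname host.invalid are constructed for this example; nothing is contacted over the network.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class FakeConnection:
    """A keep-alive TLS connection. Whether the peer certificate was
    verified is decided once, at handshake time, and cannot change later."""
    host: str
    verified: bool
    uses: int = 0

    def send(self) -> dict:
        self.uses += 1
        return {"host": self.host, "verified": self.verified, "reused": self.uses > 1}


@dataclass
class FakePool:
    """A per-key pool holding at most one open connection (enough for the bug)."""
    host: str
    cert_reqs: str                      # "CERT_REQUIRED" or "CERT_NONE"
    conn: Optional[FakeConnection] = None

    def urlopen(self) -> dict:
        if self.conn is None:           # no idle connection: handshake now
            self.conn = FakeConnection(self.host, self.cert_reqs == "CERT_REQUIRED")
        return self.conn.send()         # otherwise reuse the idle one as-is


class FakeAdapter:
    """Selects a pool by key; tls_in_key=False models the pre-fix behaviour
    (hypothetical toy, not the requests HTTPAdapter)."""

    def __init__(self, tls_in_key: bool) -> None:
        self.tls_in_key = tls_in_key
        self.pools: Dict[Tuple, FakePool] = {}

    def send(self, url: str, verify: bool) -> dict:
        p = urlsplit(url)
        cert_reqs = "CERT_REQUIRED" if verify else "CERT_NONE"
        key = (p.scheme, p.hostname, p.port or 443)
        if self.tls_in_key:
            key += (cert_reqs,)         # the fix: TLS settings are part of the key
        pool = self.pools.get(key)
        if pool is None:
            pool = self.pools[key] = FakePool(p.hostname, cert_reqs)
        else:
            # Updating a shared pool only affects connections opened later;
            # an idle connection keeps its handshake-time settings.
            pool.cert_reqs = cert_reqs
        return pool.urlopen()


def run_sequence(tls_in_key: bool, order: List[bool],
                 url: str = "https://host.invalid/") -> str:
    """Send requests with the given verify flags in order and return 'GOOD'
    if every verify=True request travelled over a verified connection."""
    adapter = FakeAdapter(tls_in_key)
    for verify in order:
        result = adapter.send(url, verify)
        if verify and not result["verified"]:
            return "BAD"
    return "GOOD"


def run_test_plan(tls_in_key: bool) -> Dict[str, str]:
    """The two orderings from the bug's [Test Plan]."""
    return {
        "1_verified_then_unverified": run_sequence(tls_in_key, [True, False]),
        "2_unverified_then_verified": run_sequence(tls_in_key, [False, True]),
    }


if __name__ == "__main__":
    print("pre-fix key:", run_test_plan(tls_in_key=False))
    print("fixed key:  ", run_test_plan(tls_in_key=True))
```

The model deliberately leaves out everything that does not matter for the defect (proxies, certificate paths, multiple idle connections per pool). The real test plan in comments 1 to 3 exercises a live HTTPS endpoint; this toy only shows why a pool key that ignores verification settings lets an unverified keep-alive connection serve a later verify=True request.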