Bug 937123

Summary: Python-requests fails because the default certificate location points to a cert dir instead of a single bundle.
Product: [openSUSE] openSUSE Tumbleweed Reporter: Forgotten User q83V6V__kH <forgotten_q83V6V__kH>
Component: OtherAssignee: Vincent Untz <vuntz>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: adam, forgotten_5R2Qj0pgfM, jmatejek, lnussel, meissner, rjschwei
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://github.com/untitaker/vdirsyncer/issues/224
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on:    
Bug Blocks: 967128    
Attachments: Test case.

Description Forgotten User q83V6V__kH 2015-07-06 12:24:19 UTC 
Created attachment 640177 [details]
Test case.

Python-requests fails because the default certificate location points to a cert dir instead of a single bundle.

This started happening after the GCC5 update to Tumbleweed.

The issue exhibited itself in the 'vdirsyncer' app. You can read my discussion with the vdirsyncer developers here:
https://github.com/untitaker/vdirsyncer/issues/224

I have attached the test-case from the above thread in this report.
Comment 1 Marcus Meissner 2015-07-06 13:12:16 UTC 
We use a cert directory in openSUSE, and this should work... Software needs to be fixed.
Comment 2 Forgotten User 5R2Qj0pgfM 2015-07-06 13:39:00 UTC 
(In reply to Marcus Meissner from comment #1)
> We use a cert directory in openSUSE, and this should work... Software needs
> to be fixed.

Where does requests' documentation say that it is able to handle certificate directories?
Comment 3 Forgotten User 5R2Qj0pgfM 2015-07-06 13:42:46 UTC 
Regarding the testcase, a much simpler one such as

    import requests
    requests.get('https://facebook.com')

probably fails too. In other words, all Python software that sends HTTP requests is potentially broken on openSUSE.
Comment 4 Marcus Meissner 2015-07-06 13:58:54 UTC 
well, no.

The python ssl module can handle it just nicely.

python requests basically needs to call the correct wrapper function for it.

And I mean that requests should get updated to handle this too, if it does not.

e.g. with

https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_verify_locations

or just SSLContext.set_default_verify_path to use the system ones.



I think there is probably a requests version that has this adjusted for openSUSE already.
Comment 5 Marcus Meissner 2015-07-06 14:03:58 UTC 
(so even if python-requests upstream might not directly support it, the SUSE one should be adjusted)
Comment 6 Forgotten User 5R2Qj0pgfM 2015-07-06 14:07:33 UTC 
Right, I don't think requests itself is at fault here. It seems that this feature is tracked at https://github.com/kennethreitz/requests/issues/2659 though.

I'm not sure whether patching the SUSE package to also accept directories is a good idea, this would change behavior of the library.
Comment 7 Ludwig Nussel 2015-07-06 14:30:03 UTC 
https://build.opensuse.org/request/show/315237
Comment 8 Forgotten User 5R2Qj0pgfM 2015-07-06 14:34:06 UTC 
Nice, thanks for the quick fix!
Comment 9 Bruno Friedmann 2015-09-24 15:00:36 UTC 
*** Bug 929773 has been marked as a duplicate of this bug. ***
Comment 10 Robert Schweikert 2016-02-26 18:17:05 UTC 
python-requests-2.9.1 addresses the issue.