Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SubjectAltNameWarning #2686

Closed
oliver-sanders opened this issue May 31, 2018 · 3 comments · Fixed by #2688
Closed

SubjectAltNameWarning #2686

oliver-sanders opened this issue May 31, 2018 · 3 comments · Fixed by #2688
Assignees
@matthewrmshin
Milestone
cylc-7.7.1

Comments

@oliver-sanders
Copy link
Member

oliver-sanders commented May 31, 2018
edited
Loading

We appear to be getting deprecation warnings for the common name field.

/usr/lib64/python2.6/site-packages/requests/packages/urllib3/util/ssl_.py:338:
SNIMissingWarning: An HTTPS request has been made, but the SNI
(Subject Name Indication) extension to TLS is not available on this
platform. This may cause the server to present an incorrect TLS
certificate, which can cause validation failures. You can upgrade to a
newer version of Python to solve this. For more information, see
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
SNIMissingWarning
/usr/lib64/python2.6/site-packages/requests/packages/urllib3/util/ssl_.py:132:
InsecurePlatformWarning: A true SSLContext object is not available.
This prevents urllib3 from configuring SSL appropriately and may cause
certain SSL connections to fail. You can upgrade to a newer version of
Python to solve this. For more information, see
https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
InsecurePlatformWarning
/usr/lib64/python2.6/site-packages/requests/packages/urllib3/connection.py:337:
SubjectAltNameWarning: Certificate for
<fqdn> has no `subjectAltName`, falling
back to check for a `commonName` for now. This feature is being
removed by major browsers and deprecated by RFC 2818. (See
https://github.com/shazow/urllib3/issues/497 for details.)
SubjectAltNameWarning

See also:
@oliver-sanders oliver-sanders added the bug? Not sure if this is a bug or not label May 31, 2018
@hjoliver
Copy link
Member

specific to python2.6 and older?

@matthewrmshin
Copy link
Contributor

Already filtering some warnings here:
https://github.com/cylc/cylc/blob/master/lib/cylc/network/httpclient.py#L389

I'll try adding some more filters.

@matthewrmshin matthewrmshin mentioned this issue Jun 5, 2018
Merged
@matthewrmshin matthewrmshin removed the bug? Not sure if this is a bug or not label Jun 5, 2018
@matthewrmshin matthewrmshin self-assigned this Jun 5, 2018
@oliver-sanders
Copy link
Member Author

The traceback shows two warnings, SNIMissingWarning and InsecurePlatformWarning.

Ignoring SNIMissingWarning sounds like it should be fail safe. Ignoring InsecurePlatformWarning sounds to me to be potentially fail deadly.

From https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings:

InsecurePlatformWarning

This happens on Python 2 platforms that have an outdated ssl module. These older ssl modules can cause some insecure requests to succeed where they should fail and secure requests to fail where they should succeed. Follow the pyOpenSSL guide to resolve this warning.

SNIMissingWarning

This happens on Python 2 versions older than 2.7.9. These older versions lack SNI support. This can cause servers to present a certificate that the client thinks is invalid. Follow the pyOpenSSL guide to resolve this warning.

@dpmatthews dpmatthews mentioned this issue Jul 3, 2018
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@matthewrmshin matthewrmshin

Labels
None yet
Projects
None yet
Milestone
cylc-7.7.1
Development

Successfully merging a pull request may close this issue.

Add filter for security warnings from urllib3 matthewrmshin/cylc-flow
3 participants
@matthewrmshin @hjoliver @oliver-sanders