pywbem library on Ubuntu doesn't support CA certificate verification

Xing Yang,

A packaging of the complete 7.0.25 pywbem package is not possible as such. What I can propose is to retrofit the functionality that you are after, which is the verification of the CA Certificates. I believe that this is introduced by the following upstream commit :

http://sourceforge.net/p/pywbem/code/627/

 fixed TOCTOU error when validating peer's certificate
 By TOCTOU it's meant time-of-check-time-of-use. Up to now, pywbem made two
 connections for one request (applies just to ssl). The first one made the
 verification (without the hostname check) and the second one was used for
 request. No verification was done for the latter, which could be abused.
 Peer's certificate is now validated when connecting over ssl. To prevent
 man-in-the-middle attack, verification of hostname is also added. Peer's
 hostname must match the commonName of its certificate. Or it must be contained
 in subjectAltName (list of aliases). M2Crypto package is used for that purpose.
 Thanks to it both security enhancements could be implemented quiete easily.
 Downside is a new dependency added to pywbem. Verification can be skipped if
 no_verification is set to False.
 Certificate trust store can now be specified by user. Some default paths, valid
 for several distributions, were added.

This modification is part of 7.0.25

This would allow you to gain access to ca_certs= and no_verification= parameter.

Would that be acceptable to you ?

Kind regards,

...Louis

Further details, it turns out that this functionality is added to the 7.0.25 RPM in one single patch :

 pywbem-20131121-ssl_verify_host.patch

So bringing this into Ubuntu should not be complicated.

Hi Louis,

Sounds good. I only need the CA certificate fix to be added. So you mean the dependency on M2Crypto package was introduced as part of the CA certificate support?

Thanks,
Xing

Marking development version as Fix released since the verification is in 0.8-dev

Xing Yang,

I would like to know if you have the possibility to test the added functionality ? If so, I can have a test package made available through a PPA so you can test the functionality. A snippet of code would also be useful if you have such a thing.

Kind regards,

...Loui

Hi Louis,

Yes, we can test this. Can you provide PPA please? Thanks!

Xing

Here is a code snippet:

def _get_connection(self):

        try:
            conn = None
            conn = pywbem.WBEMConnection(self.url, (self.user, self.passwd),
                                         default_namespace='root/emc',
                                         x509=None,
                                         verify_callback=None,
                                         ca_certs=self.cert,
                                         no_verification=False)
        except TypeError:
            LOG.info(_LI("CA certificates not supported by the pywbem "
                         "library."))
            conn = pywbem.WBEMConnection(self.url, (self.user, self.passwd),
                                         default_namespace='root/emc')

        if conn is None:
            exception_message = (_("Cannot connect to ECOM server"))
            raise exception.VolumeBackendAPIException(data=exception_message)

        return conn

Hello Xing,

You can get test packages for Trusty and Utopic here :

 ppa:louis-bouchard/python-pywbem (https://launchpad.net/~louis-bouchard/+archive/ubuntu/python-pywbem)

Please let me know as soon as you can get one of them tested, so I can proceed with the SRU.

Kind regards,

...Louis

Thanks Louis! We'll give a try.

Hello Xing,

Did you get a chance to test the package in the PPA ?

Kind regards,

...Louis

Hi Louis,

We are currently testing it and ran into some issues. Need to do more investigation before reporting back to you on what the problem is.

Thanks,
Xing

Hi Louis,

We tested it and the package works. Thanks!

There's an issue we ran into with the wbem_request function in pywbem. We had to modify it to work around the problem. This is a different problem.

The CA cert fix you packaged in PPA works as expected.

Thanks!
Xing

debdiff for SRU to utopic

debdiff for SRU to trusty

Thanks Louis, I sponsored to trusty and utopic!

Hello Xing, or anyone else affected,

Accepted pywbem into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/pywbem/0.7.0-4ubuntu1~14.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Hello Xing, or anyone else affected,

Accepted pywbem into utopic-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/pywbem/0.7.0-4ubuntu1~14.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Xing,

Is it possible to test the package available in the - proposed pocket to confirm that it fixes the issue ?

Kind regards

...Louis

Louis,

Sure, we'll test it. Looks like I missed your earlier update.

Thanks,
Xing

Hello Xing,

Any update on your test results ? I can use the test code in the SRU template, but a verification from your side would be better to confirm that the package can be released publicly.

Kind regards,

...Louis

Hi Louis,

Sorry for the very late response! We did finally get a chance to test this and it works.

Thanks!
Xing

Hi Xing,

Thanks for the verification. I have now marked the bug as "verification-done". The SRU should homefully complete shortly

It would have been helpful to know which release was verified. Given that its rather simple, I'll test it myself.

This bug was fixed in the package pywbem - 0.7.0-4ubuntu1~14.04.1

---------------
pywbem (0.7.0-4ubuntu1~14.04.1) trusty; urgency=medium

  * Add CA Certificate verification from upstream
    Import commits r624, r625, r627 and r628 from upstream
    to implement CA Certificate verification (LP: #1385469)
 -- Louis Bouchard <email address hidden> Tue, 25 Nov 2014 12:04:31 +0100

The verification of the Stable Release Update for pywbem has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package pywbem - 0.7.0-4ubuntu1~14.10.1

---------------
pywbem (0.7.0-4ubuntu1~14.10.1) utopic; urgency=medium

  * Add CA Certificate verification from upstream
    Import commits r624, r625, r627 and r628 from upstream
    to implement CA Certificate verification (LP: #1385469)
 -- Louis Bouchard <email address hidden> Tue, 25 Nov 2014 12:40:30 +0100