SSL handshake fails on xenial, yakkety, zesty

Bug #1644153 reported by Chris Glass
This bug affects 4 people
Affects                       Status         Importance   Assigned to   Milestone
python-jujuclient             New            Undecided    Unassigned
python-jujuclient (Ubuntu)    Fix Released   High         Unassigned
  Xenial                      Fix Released   High         Unassigned
  Yakkety                     Fix Released   High         Unassigned
  Zesty                       Fix Released   High         Unassigned

Bug Description

[Impact]

 * The python Juju client cannot make SSL connections to the server anymore, because TLS v1.0 was deprecated on the server.
 * Switching to TLS v1.2 fixes the problem entirely.
 * Example failure: http://pastebin.ubuntu.com/23521446/

[Test case]

Steps to reproduce (works in a container, needs a valid juju environment):

 * Install juju 1.25: sudo apt-get install juju-1-default juju-1.25
 * Install the package: sudo apt-get install python-jujuclient
 * Set up an environment (ec2 works for instance)
 * Bootstrap environment: "juju bootstrap # Note your environment's name"
 * Run: python -c 'from jujuclient import Environment; Environment.connect("<your environment's name>")'

[Regression Potential]

 * None - the package is completely unusable in its current state because of server changes. It can't get any worse :)

[Other Info]

 * The attached patch is the minimal fix - forcing Python to connect over TLS 1.2 instead of forcing TLS 1.0.
 * TLS 1.2 connectivity is available in all targeted releases.
 * lp:python-jujuclient (upstream) is not affected by the problem, but the code is much diverged from the version in the archives, with way too many changes for a SRU.

Chris Glass (tribaal)
description: updated
description: updated
description: updated
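
The failure in the description comes from a client hardcoded to one protocol version. As an added example (not python-jujuclient code and not the attached patch), this scanner reports every single-version protocol constant in Python source. It assumes the pin is written with the standard ssl module's PROTOCOL_* constants; find_pinned_protocols, SINGLE_VERSION and the sample source are constructed for illustration.

```python
import ast

# ssl module constants that pin a connection to exactly one protocol version.
SINGLE_VERSION = {
    "PROTOCOL_SSLv2": "legacy", "PROTOCOL_SSLv3": "legacy",
    "PROTOCOL_TLSv1": "legacy",    # the version the server in this bug dropped
    "PROTOCOL_TLSv1_1": "legacy",
    "PROTOCOL_TLSv1_2": "pinned",  # connects today, still a single-version pin
}

# Constructed sample source (only parsed, never executed; not the package's code).
SAMPLE = '''\
import ssl
import ssl as tls
from ssl import PROTOCOL_TLSv1_2 as PROTO

old = {"ssl_version": ssl.PROTOCOL_TLSv1}
patched = {"ssl_version": PROTO}
other = tls.PROTOCOL_TLSv1_1
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
'''

def find_pinned_protocols(source, filename="<src>"):
    """Return sorted (line, constant, kind) for each single-version ssl constant."""
    tree = ast.parse(source, filename)
    module_aliases = set()  # local names bound to the ssl module
    direct_names = {}       # local name -> constant imported from ssl
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            module_aliases.update(a.asname or "ssl" for a in node.names if a.name == "ssl")
        elif isinstance(node, ast.ImportFrom) and node.module == "ssl":
            for a in node.names:
                if a.name in SINGLE_VERSION:
                    direct_names[a.asname or a.name] = a.name
    hits = set()
    for node in ast.walk(tree):
        if (isinstance(node, ast.Attribute) and node.attr in SINGLE_VERSION
                and isinstance(node.value, ast.Name)
                and node.value.id in module_aliases):
            hits.add((node.lineno, node.attr, SINGLE_VERSION[node.attr]))
        elif isinstance(node, ast.Name) and node.id in direct_names:
            const = direct_names[node.id]
            hits.add((node.lineno, const, SINGLE_VERSION[const]))
    return sorted(hits)

if __name__ == "__main__":
    for hit in find_pinned_protocols(SAMPLE):
        print(hit)
```

A "pinned" hit such as PROTOCOL_TLSv1_2 connects today but fails the same way if the server later drops that version; ssl.PROTOCOL_TLS_CLIENT with minimum_version set negotiates the highest version both sides support.
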
Chris Glass (tribaal) wrote :

To fix the version in the archive on Xenial, the following patch can be applied to the package: https://paste.ubuntu.com/23521491/

Chris Glass (tribaal) wrote :

(for what it's worth, the systems we use have ppa:juju/stable installed, so adding the fix to that PPA would unblock many users already)

Chris Glass (tribaal) wrote :

Patch against the Xenial package.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "switch-to-tls12" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Chris Glass (tribaal) wrote :

Debdiff against the current Ubuntu release (zesty)'s version.

Chris Glass (tribaal)
summary: - SSL handshake fails on xenial
+ SSL handshake fails on xenial, yakkety, zesty
Chris Glass (tribaal) wrote :

Once this gets into zesty I shall open another bug for the SRU into yakkety and xenial.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in python-jujuclient (Ubuntu):
status: New → Confirmed
Chris Glass (tribaal)
description: updated
description: updated
Chris Glass (tribaal)
description: updated
Daniel Holbach (dholbach) wrote :

Let's re-use this bug report for xenial and yakkety too.

Chris Glass (tribaal)
description: updated
Chris Glass (tribaal) wrote :

I re-ran the outlined test-sequence without adding the juju-stable PPA (like I originally did) to make sure this bug is not a side-effect of the PPA.

It is not. It is reproducible on vanilla distro as outlined in the description.

description: updated
Chris Glass (tribaal) wrote :

Yakkety debdiff

Chris Glass (tribaal) wrote :

Xenial debdiff

Daniel Holbach (dholbach) wrote :

All patches uploaded.

Changed in python-jujuclient (Ubuntu Xenial):
status: New → Fix Committed
Changed in python-jujuclient (Ubuntu Yakkety):
status: New → Fix Committed
Changed in python-jujuclient (Ubuntu Zesty):
status: Confirmed → Fix Committed
Mathew Hodson (mhodson)
Changed in python-jujuclient (Ubuntu Xenial):
importance: Undecided → High
Changed in python-jujuclient (Ubuntu Zesty):
importance: Undecided → High
Changed in python-jujuclient (Ubuntu Yakkety):
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-jujuclient - 0.50.5-0ubuntu2

---------------
python-jujuclient (0.50.5-0ubuntu2) zesty; urgency=medium

  * Add patch to use TLSv1.2 since Juju dropped TLSv1 (LP: #1644153)

 -- Christopher Glass (Ubuntu) <email address hidden> Wed, 23 Nov 2016 12:43:10 +0000

Changed in python-jujuclient (Ubuntu Zesty):
status: Fix Committed → Fix Released
Steve Langasek (vorlon) wrote : Please test proposed package

Hello Chris, or anyone else affected,

Accepted python-jujuclient into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python-jujuclient/0.50.5-0ubuntu2~16.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
Steve Langasek (vorlon) wrote :

Hello Chris, or anyone else affected,

Accepted python-jujuclient into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python-jujuclient/0.50.5-0ubuntu2~16.10 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-done-xenial verification-needed-yakkety
removed: verification-needed
tags: added: verification-done-yakkety
removed: verification-needed-yakkety
Brian Murray (brian-murray) wrote :

Bryan - can you add some information about the test you ran and the package versions you used? The SRU team frowns upon just tagging the bug verification-done.

tags: added: verification-needed-xenial verification-needed-yakkety
removed: verification-done-xenial verification-done-yakkety
Bryan Quigley (bryanquigley) wrote :

@brian-murray.. Oh I thought that was recommended.. Adding a comment makes it not green in the SRU tracker.

For both releases I confirmed that juju-deployer was not working (with SSL/TLS error). Then I installed the --proposed package and re-ran juju-deployer (specifically to deploy mysql IIRC) and it worked fine.

tags: added: verification-done-xenial verification-done-yakkety
removed: verification-needed-xenial verification-needed-yakkety
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-jujuclient - 0.50.5-0ubuntu2~16.04

---------------
python-jujuclient (0.50.5-0ubuntu2~16.04) xenial-proposed; urgency=medium

  * Add patch to use TLSv1.2 since Juju dropped TLSv1 (LP: #1644153)

 -- Christopher Glass (Ubuntu) <email address hidden> Mon, 28 Nov 2016 10:56:30 +0000

Changed in python-jujuclient (Ubuntu Xenial):
status: Fix Committed → Fix Released
Chris Halse Rogers (raof) wrote : Update Released

The verification of the Stable Release Update for python-jujuclient has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python-jujuclient - 0.50.5-0ubuntu2~16.10

---------------
python-jujuclient (0.50.5-0ubuntu2~16.10) yakkety-proposed; urgency=medium

  * Add patch to use TLSv1.2 since Juju dropped TLSv1 (LP: #1644153)

 -- Christopher Glass (Ubuntu) <email address hidden> Mon, 28 Nov 2016 10:56:30 +0000

Changed in python-jujuclient (Ubuntu Yakkety):
status: Fix Committed → Fix Released