#1253 InsecureRequestWarning with python-urllib3-1.10
Closed: Fixed None Opened 7 years ago by edewata.

pkispawn seems to be work fine but it generates some warnings with python-urllib3-1.10 which is the default on Fedora 22.

$ pkispawn ...
/usr/lib/python2.7/site-packages/requests/packages/urllib3/connectionpool.py:747: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.org/en/latest/security.html

See https://urllib3.readthedocs.org/en/latest/security.html#insecurerequestwarning

Per 10.2.3 Triage meeting of 02/26/2015: leave here until we know which release is on F22

This issue was encountered on a development build of Dogtag 10.2.2 on an x86_64-based Fedora 21 as well.

Per CS/DS meeting of 03/02/2015: 10.3

As with most security related issue, 'it works' doesn't imply that an operation is secure. The warning means that requests is unable to perform proper X.509 cert validation. The TLS/SSL connection is vulnerable to MitM attacks.

We have three options to fix the issue:

- Require Python 2.7.10 and newer.
- Require PyOpenSSL for Python < 2.7.10 and configure urllib3 to use PyOpenSSL
- Use NSS instead of OpenSSL, #1360 and https://github.com/tiran/requests_nss

Another option is to perform the proper cert validation by installing the cert chain for pkispawn. The admin could obtain the cert chain manually prior to installation, or the client could download it on the fly and ask the admin to trust it. If the pkispawn is connecting to a local Tomcat instance it just created, it might be able to obtain the cert chain directly from the file system.

The warning is not just about missing trust store. IIRC requests and urllib3 can't perform SNI and host name matching because the features are not available in Python 2.7.8 and older. Starting with Python 2.7.9 (not 2.7.10) the features are available.

With my code ‚Äčhttps://github.com/tiran/requests_nss we could use the NSS db for both client certs and trust anchors. It's probably easier than to force an admin to download and install even more certs.

Per Dogtag 10.2.6 TRIAGE meeting of 06/30/2015: 10.2.6 (critical)

Downgrading to 'major' per discussions.

Per impromptu 10.2.6 meeting of 7/17/2025: 10.2.7

Per CS/DS Meeting of 08/03/2015, it was determined that the bug identified a duplicate issue -- this issue must be:

  • resolved for the next re-spin of 10.2.6/10.2.7,
  • moved to 10.3 and release noted (in which case the associated bug must be moved to 9.1 target milestone)

Fixed temporarily in master: a6423245a01217a295091407dfcb8fe79e019342

The proper cert validation will be implemented in a separate ticket.

Metadata Update from @edewata:
- Issue assigned to cheimes
- Issue set to the milestone: 10.2.6

5 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Login to comment on this ticket.