Support passing client certificates for mTLS connections

Bug #1915996 reported by Sri Harsha mekala
Affects: python-cinderclient
Status: Fix Released
Importance: Medium
Assigned to: Sri Harsha mekala
Milestone:

Bug Description

The get_server_version() [https://opendev.org/openstack/python-cinderclient/src/branch/master/cinderclient/client.py#L74] method fails to support passing client certificates.
When the server enforces strict mTLS, this request will fail with the SSL error below:
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_read_bytes', 'sslv3 alert handshake failure')]

>> from cinderclient import client as cinder_client
>> min_ver, max_ver = cinder_client.get_server_version(cin_url)
Traceback (most recent call last):
  File "~/python3.8/site-packages/urllib3/contrib/pyopenssl.py", line 485, in wrap_socket
    cnx.do_handshake()
  File "~/python3.8/site-packages/OpenSSL/SSL.py", line 1934, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "~/python3.8/site-packages/OpenSSL/SSL.py", line 1671, in _raise_ssl_error
    _raise_current_error()
  File "~/python3.8/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_read_bytes', 'sslv3 alert handshake failure')]

Also, currently the cinderclient doesn't support passing a client certificate and key while initiating via the httpclient method.

Changed in python-cinderclient:
assignee: nobody → Sri Harsha mekala (harshayahoo)
Changed in python-cinderclient:
importance: Undecided → Medium
tags: added: certificates version
Revision history for this message
Luigi Toscano (ltoscano) wrote :

Proposed change (until the launchpad/review.opendev.org integration is restored): https://review.opendev.org/c/openstack/python-cinderclient/+/776311/

Revision history for this message
Sofia Enriquez (lsofia-enriquez) wrote :

Just for the sake of completeness (copying last meeting's comments from last week): this bug assumes that we support strict mTLS from cinderclient, which I don't know is a reasonable assumption, but it is worth fixing.

Revision history for this message
Sri Harsha mekala (harshayahoo) wrote :

One more related mTLS bug for cinder to glance communication:
https://review.opendev.org/c/openstack/cinder/+/778768

description: updated
summary: - Fetching server version fails to support passing client certificates
+ Support passing client certificates for mTLS connections
Changed in python-cinderclient:
status: New → In Progress
Changed in python-cinderclient:
milestone: none → 7.4.1
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to python-cinderclient (master)

Reviewed: https://review.opendev.org/c/openstack/python-cinderclient/+/776311
Committed: https://opendev.org/openstack/python-cinderclient/commit/9c2e8df94839412b4ccf13cc538c61af7c16ca2f
Submitter: "Zuul (22348)"
Branch: master

commit 9c2e8df94839412b4ccf13cc538c61af7c16ca2f
Author: sri harsha mekala <email address hidden>
Date: Wed Feb 17 21:03:53 2021 -0800

    Support passing client certificates for server version requests

    Using the cinderclient to fetch server versions will fail with error
    `OpenSSL.SSL.Error: [sslv3 alert handshake failure]` when the server
    requires client certificates to be passed with these requests.

    Added the optional parameter `cert` to both the get_server_version
    and get_highest_client_server_version methods so that users can have
    the option to pass client certificates while fetching server versions.

    Also support passing mTLS certificate/key to HTTPClient

    Closes-Bug: #1915996
    Change-Id: I57c665dd9d4b8c32e5f10994d891d1e0f5315548
    Signed-off-by: sri harsha mekala <email address hidden>
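What the description and the merged change boil down to at the TLS layer, as an added standard-library illustration that is not python-cinderclient's own code: the same version fetch with and without a client certificate, with a rejected handshake mapped to its likely cause. The shape of the versions document (a top-level "versions" list whose CURRENT entry carries "min_version" and "version") and the cert=(certfile, keyfile) tuple convention are assumptions here.

```python
import json
import ssl
import urllib.error
import urllib.request
from typing import Optional, Tuple


def parse_version_document(doc: dict) -> Tuple[str, str]:
    """Return (min_version, max_version) from a Cinder-style versions document.

    Assumed layout: doc["versions"] is a list; the entry with status CURRENT
    carries the microversion range as "min_version" and "version".
    """
    current = [v for v in doc.get("versions", [])
               if v.get("status") == "CURRENT"
               and "min_version" in v and "version" in v]
    if not current:
        raise ValueError("no CURRENT microversioned entry in versions document")
    return current[0]["min_version"], current[0]["version"]


def build_ssl_context(cafile: Optional[str] = None,
                      cert: Optional[Tuple[str, str]] = None) -> ssl.SSLContext:
    """Server-verifying context; with cert=(certfile, keyfile) the client also
    presents its own certificate, which a strict-mTLS server requires."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cert is not None:
        certfile, keyfile = cert
        ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def get_server_version(url: str, cafile: Optional[str] = None,
                       cert: Optional[Tuple[str, str]] = None,
                       timeout: float = 10.0) -> Tuple[str, str]:
    """Fetch the version range; explain a TLS handshake rejection instead of
    surfacing a bare 'sslv3 alert handshake failure'."""
    ctx = build_ssl_context(cafile, cert)
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
            return parse_version_document(json.load(resp))
    except urllib.error.URLError as exc:  # urllib wraps socket/SSL errors
        if isinstance(exc.reason, ssl.SSLError):
            hint = ("handshake rejected; if the server enforces mTLS, pass "
                    "cert=(certfile, keyfile)" if cert is None else
                    "handshake rejected despite a client cert; check CA, cert and key")
            raise RuntimeError(f"{hint}: {exc.reason}") from exc
        raise


# Constructed sample of the assumed document shape, for offline testing.
SAMPLE_DOC = {"versions": [
    {"id": "v2.0", "status": "DEPRECATED"},
    {"id": "v3.0", "status": "CURRENT", "min_version": "3.0", "version": "3.64"},
]}
```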

Changed in python-cinderclient:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/python-cinderclient 8.0.0

This issue was fixed in the openstack/python-cinderclient 8.0.0 release.
