Bug 1225912

Summary: python-requests: Setting requests.Session.verify to a directory results in an exception with Python3
Product: [openSUSE] PUBLIC SUSE Linux Enterprise Server 15 SP5 Reporter: Andreas Hasenkopf <ahasenkopf>
Component: PythonAssignee: Daniel Garcia <daniel.garcia>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: daniel.garcia, meissner, msuchanek
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: openSUSE Leap 15.5   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Andreas Hasenkopf 2024-06-04 10:01:31 UTC 
On Leap 15.5 with Python3 (and other products that use the same binary) one cannot set the `verify` attribute of a session instance to a directory. If one does, any request executed will raise this exception:

```
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 350, in ssl_wrap_socket
    context.load_verify_locations(ca_certs, ca_cert_dir, ca_cert_data)
IsADirectoryError: [Errno 21] Is a directory

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 678, in urlopen
    chunked=chunked,
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 382, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 983, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.6/site-packages/urllib3/connection.py", line 371, in connect
    ssl_context=context,
  File "/usr/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 352, in ssl_wrap_socket
    raise SSLError(e)
urllib3.exceptions.SSLError: [Errno 21] Is a directory

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 495, in send
    timeout=timeout
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 728, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/usr/lib/python3.6/site-packages/urllib3/util/retry.py", line 439, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='www.suse.com', port=443): Max retries exceeded with url: / (Caused by SSLError(IsADirectoryError(21, 'Is a directory'),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 579, in head
    return self.request('HEAD', url, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 544, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 657, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 560, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='www.suse.com', port=443): Max retries exceeded with url: / (Caused by SSLError(IsADirectoryError(21, 'Is a directory'),))
```

Steps to reproduce:

```
from ssl import get_default_verify_paths
from requests import Session

session = Session()
session.verify = get_default_verify_paths().capath
session.head("https://www.suse.com/")
```

The same happens with requests.get:

```
from ssl import get_default_verify_paths
import requests

requests.head("https://www.suse.com", verify=get_default_verify_paths().capath)
```

The problematic version of python3-requests is 2.25.1-150300.3.9.1.
Comment 1 Andreas Hasenkopf 2024-06-04 10:02:22 UTC 
I can confirm, that only 15.5 is affected.

I cannot reproduce the error with 15.4, 15.6 or TW.
Comment 2 Daniel Garcia 2024-06-04 11:03:09 UTC 
I'm investigating, it's directly related to the patch added during this bug resolution: https://bugzilla.suse.com/show_bug.cgi?id=1224788

 * upstream: https://github.com/psf/requests/pull/6655
Comment 3 Daniel Garcia 2024-06-04 12:35:40 UTC 
Related upstream commit: https://github.com/psf/requests/commit/9a40d1277807f0a4f26c9a37eea8ec90faa8aadc
Comment 5 Maintenance Automation 2024-06-19 12:30:17 UTC 
SUSE-RU-2024:2085-1: An update that has one fix can now be installed.

Category: recommended (moderate)
Bug References: 1225912
Maintenance Incident: [SUSE:Maintenance:34140](https://smelt.suse.de/incident/34140/)
Sources used:
openSUSE Leap 15.3 (src):
 python-requests-2.25.1-150300.3.12.2, python-requests-test-2.25.1-150300.3.12.2
openSUSE Leap Micro 5.3 (src):
 python-requests-2.25.1-150300.3.12.2
openSUSE Leap Micro 5.4 (src):
 python-requests-2.25.1-150300.3.12.2
openSUSE Leap 15.5 (src):
 python-requests-2.25.1-150300.3.12.2
SUSE Linux Enterprise Micro for Rancher 5.3 (src):
 python-requests-2.25.1-150300.3.12.2
SUSE Linux Enterprise Micro 5.3 (src):
 python-requests-2.25.1-150300.3.12.2
SUSE Linux Enterprise Micro for Rancher 5.4 (src):
 python-requests-2.25.1-150300.3.12.2
SUSE Linux Enterprise Micro 5.4 (src):
 python-requests-2.25.1-150300.3.12.2
SUSE Linux Enterprise Micro 5.5 (src):
 python-requests-2.25.1-150300.3.12.2
Basesystem Module 15-SP5 (src):
 python-requests-2.25.1-150300.3.12.2
Basesystem Module 15-SP6 (src):
 python-requests-2.25.1-150300.3.12.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 python-requests-2.25.1-150300.3.12.2
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (src):
 python-requests-2.25.1-150300.3.12.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (src):
 python-requests-2.25.1-150300.3.12.2
SUSE Linux Enterprise Desktop 15 SP4 LTSS 15-SP4 (src):
 python-requests-2.25.1-150300.3.12.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 python-requests-2.25.1-150300.3.12.2
SUSE Linux Enterprise Server 15 SP4 LTSS 15-SP4 (src):
 python-requests-2.25.1-150300.3.12.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 python-requests-2.25.1-150300.3.12.2
SUSE Linux Enterprise Server for SAP Applications 15 SP4 (src):
 python-requests-2.25.1-150300.3.12.2
SUSE Manager Proxy 4.3 (src):
 python-requests-2.25.1-150300.3.12.2
SUSE Manager Retail Branch Server 4.3 (src):
 python-requests-2.25.1-150300.3.12.2
SUSE Manager Server 4.3 (src):
 python-requests-2.25.1-150300.3.12.2
SUSE Enterprise Storage 7.1 (src):
 python-requests-2.25.1-150300.3.12.2
SUSE Linux Enterprise Micro 5.1 (src):
 python-requests-2.25.1-150300.3.12.2
SUSE Linux Enterprise Micro 5.2 (src):
 python-requests-2.25.1-150300.3.12.2
SUSE Linux Enterprise Micro for Rancher 5.2 (src):
 python-requests-2.25.1-150300.3.12.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Daniel Garcia 2024-06-19 13:11:38 UTC 
The fix should be available now.
Comment 7 Maintenance Automation 2024-07-12 16:30:45 UTC 
SUSE-RU-2024:2085-2: An update that has one fix can now be installed.

Category: recommended (moderate)
Bug References: 1225912
Maintenance Incident: [SUSE:Maintenance:34140](https://smelt.suse.de/incident/34140/)
Sources used:
SUSE Linux Enterprise Micro 5.5 (src):
 python-requests-2.25.1-150300.3.12.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.