[Python-apps-team] Bug#813313: [planet-venus] fails on SNI enabled websites

[anarcat]

Control: forwarded -1 https://github.com/jcgregorio/httplib2/issues/233 

On Wed, Feb 10, 2016 at 01:05:59AM +0100, Jakub Wilk wrote:
> * anarcat <anarcat at debian.org>, 2016-02-09, 09:33:
> >This is typical of Python apps that depend only on urllib and so on.
> 
> Not really. Python's stdlib supports SNI since 2.7.9, which was the first
> version that enabled certificate verification by default, and what's in
> jessie.
> 
> Here the culrprit is httplib2: [...]

You're right of course. Here's the upstream bug:

https://github.com/jcgregorio/httplib2/issues/233

httplib2 folks say that the problem doesn't appear in Python3, so maybe
Venus could run in Py3k? I actually doubt it, considering that software
hasn't been updated since well, 2010 or so...

The number of failed hosts keeps on growing in the meantime:

$ grep -c 'Server presented certificate that does not match host' planet.log.0
22

Note that those are not all let's encrypt certs, but they are probably
mostly SNI.

Those wishing to reproduce the issue can follow the instructions on the
wiki page here:

https://wiki.debian.org/PlanetDebian#test

Or simply run the bootstrap script:

http://anonscm.debian.org/viewvc/planet-debian/trunk/planet-bootstrap.sh?view=co&content-type=text%2Fplain

The faulty code in planet venus itself is in planet/spider.py, around
line 300, in the httpThread function. It *looks* like it could be fairly
easy to convert it to requests, as the API usage is fairly superficial.

A.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/python-apps-team/attachments/20160513/105148b7/attachment.sig>