TLS issues are always ignored #219

@eliasp

When the API endpoint uses a self-signed/invalid/untrusted certificate, Pepper ignores this and connects anyway.

Thanks to badssl.com this can be easily reproduced by adding this section to ~/.pepperrc:

[tls-self-signed]
SALTAPI_URL=https://self-signed.badssl.com/
SALTAPI_USER=johndoe
SALTAPI_PASS=hunter2

Then execute pepper -p tls-self-signed '*' test.ping.

The result:

Error with request: HTTP Error 404: Not Found
HTTP Error 404: Not Found
Uncaught Pepper error (increase verbosity for the full traceback).

I wouldn't expect it to be able to get a 404 response; it should fail way before that when trying to establish the TLS connection.

Increasing the verbosity using -vvv shows:

Error with request
Traceback (most recent call last):
  File "/home/eprobst/.virtualenvs/pepper/lib/python3.8/site-packages/pepper/libpepper.py", line 231, in req
    f = urlopen(req)
  File "/usr/lib/python3.8/urllib/request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python3.8/urllib/request.py", line 531, in open
    response = meth(req, response)
  File "/usr/lib/python3.8/urllib/request.py", line 640, in http_response
    response = self.parent.error(
  File "/usr/lib/python3.8/urllib/request.py", line 569, in error
    return self._call_chain(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 502, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 649, in http_error_default
    raise HTTPError(req.full_url, code, msg, hdrs, fp)
urllib.error.HTTPError: HTTP Error 404: Not Found
Error with request: HTTP Error 404: Not Found
HTTP Error 404: Not Found
Uncaught Pepper error (increase verbosity for the full traceback).
Uncaught traceback:
Traceback (most recent call last):
  File "/home/eprobst/.virtualenvs/pepper/lib/python3.8/site-packages/pepper/script.py", line 52, in __call__
    for exit_code, result in self.cli.run():
  File "/home/eprobst/.virtualenvs/pepper/lib/python3.8/site-packages/pepper/cli.py", line 670, in run
    self.login(api)
  File "/home/eprobst/.virtualenvs/pepper/lib/python3.8/site-packages/pepper/cli.py", line 634, in login
    auth = login(**self.parse_login())
  File "/home/eprobst/.virtualenvs/pepper/lib/python3.8/site-packages/pepper/libpepper.py", line 467, in login
    self.auth = self._send_auth('/login', **kwargs).get('return', [{}])[0]
  File "/home/eprobst/.virtualenvs/pepper/lib/python3.8/site-packages/pepper/libpepper.py", line 449, in _send_auth
    return self.req(path, kwargs)
  File "/home/eprobst/.virtualenvs/pepper/lib/python3.8/site-packages/pepper/libpepper.py", line 231, in req
    f = urlopen(req)
  File "/usr/lib/python3.8/urllib/request.py", line 222, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python3.8/urllib/request.py", line 531, in open
    response = meth(req, response)
  File "/usr/lib/python3.8/urllib/request.py", line 640, in http_response
    response = self.parent.error(
  File "/usr/lib/python3.8/urllib/request.py", line 569, in error
    return self._call_chain(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 502, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.8/urllib/request.py", line 649, in http_error_default
    raise HTTPError(req.full_url, code, msg, hdrs, fp)
urllib.error.HTTPError: HTTP Error 404: Not Found

I suspected the following code to cause the issue (wrongly negating _ssl_verify):

pepper/pepper/libpepper.py

Lines 226 to 231 in 8096e08

try:
    if not (self._ssl_verify):
        con = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
        f = urlopen(req, context=con)
    else:
        f = urlopen(req)

but removing not didn't change the outcome, so I suspect there's something else going on.

Using:

  • Python 3.8.10
  • pepper 0.7.6
  • salt 3003.1
  • urllib 1.26.6
  • certifi 2021.5.30
  • requests 2.26.0
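
An added diagnostic, not part of the original report and not Pepper's own code: it inspects, offline, what each branch of the quoted snippet asks the `ssl` module to enforce, next to a context built explicitly for either setting. The function names are hypothetical, and `ssl._create_default_https_context` is the private hook described in PEP 476; the check shows what a context enforces, not which code path this report actually hit.

```python
import ssl
import warnings


def audit(ctx):
    """Report whether a context authenticates the server it connects to."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        # Both are needed: chain validation alone accepts any trusted
        # certificate, whatever host name it was issued for.
        "verifies": bool(ctx.verify_mode == ssl.CERT_REQUIRED
                         and ctx.check_hostname),
    }


def snippet_context():
    """The context built on the `not self._ssl_verify` branch of the snippet."""
    with warnings.catch_warnings():
        # Newer Pythons warn that this protocol constant is deprecated.
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext(ssl.PROTOCOL_SSLv23)


def process_default_context():
    """The context urlopen(req) falls back to when no context is passed.

    http.client obtains it through this private hook (see PEP 476), so code
    anywhere in the process that rebinds the hook changes what urlopen checks.
    """
    return ssl._create_default_https_context()


def make_context(ssl_verify):
    """Hypothetical helper: an explicit context for either setting."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + host name check
    if not ssl_verify:
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for label, ctx in [("snippet branch", snippet_context()),
                       ("urlopen default", process_default_context()),
                       ("make_context(True)", make_context(True)),
                       ("make_context(False)", make_context(False))]:
        print(f"{label:20} {audit(ctx)}")
```

Run inside the same virtualenv as the client under test so that the "urlopen default" row reflects that environment's `ssl` module.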
