New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unknown OpenSSL error #2468
Comments
What Python are you using (Python.org?), what OpenSSL, and how did you install cryptography? |
Astounding response time! Here's the info. Python 2.7.10 |
I'm baffled how you would actually get it to compile against 0.9.8 in El Capitan. What do you see in /usr/include/openssl ? |
Oh wait I think I gave you unclear instructions. What happens if you do python -c "from cryptography.hazmat.backends.openssl.backend import backend;print(backend.openssl_version_text())" |
|
But yeah, I was a little shocked too, especially since Apple pulled the OpenSSL headers with this distribution. |
Well at least it's consistent. Could you wrap that in a catch block and then tell me what's in the exception? There should be an attribute on it called "errors" which will contain more information.
|
Sure thing, one sec. |
Yeah you're probably using our wheel, which is compiled statically against 1.0.2d. openssl on the command line continues to be apple's legacy version. why it's not working though... |
I just caught and printed the exception dictionary. Here it is.
|
Perfect, thanks. I can take a look at this once I get back to a computer. |
I'll look into the OpenSSL error in the mean time. Thanks! |
Okay, the error you're getting is ENGINE_R_CONFLICTING_ENGINE_ID, which is expected and handled in some places, but not at the call site we're seeing here. I'm kind of baffled how you're managing to cause this with just the |
Weird. This is pretty vague, but have you ever installed anything else that's OpenSSL related? Other libraries that use it, custom engines, anything like that? |
Nope. |
hello guys:
Mac Os: 10.11 OS X EI Capitan openssl version python version: |
Any hints ? :> |
We're getting a reasonable number of these reports, but we don't have a good solution as of yet (partially because we haven't been able to replicate it ourselves). :( |
The problem is solved by uninstall the 1.1 cryptography and install 1.0.2 version |
@chris-wood do you have this problem if you |
@chris-wood This is a bit of a hail-mary, but if you look at your shell environment, you wouldn't happen to have |
Ah, never mind, I was looking at the wrong diff; |
@chris-wood more relevant though - @reaperhulk originally asked you:
and you replied:
However (although useful information) this is not really what he was asking. The question is: where did you get your Python from? Your traceback, which includes a file in |
I believe this command line will tell you if you've got a
|
@reaperhulk That worked! 👍 @glyph Ah, I thought he was asking for the version. I am using the system-provided version. It's not relevant anymore though. Paul's fix did the trick. |
My "fix" is a downgrade to an older version though so we still need to solve the problem. I may have a PR for you to try today or tomorrow, although I still don't understand how this bug is occurring... |
Had the same problem with scrapy as @grhaonan. Couldn't do anything with pip (show, uninstall). Removed manually and did pip install cryptography==1.0.2 and it worked! OSX El Capitan |
@ernests @chris-wood @grhaonan - how did all of you install cryptography? |
Yeah—sudo pip install cryptography. On November 16, 2015 at 4:31:29 PM, Glyph (notifications@github.com) wrote:
|
We're pretty close to understanding this now. When cryptography is imported it attempts to initialize the OpenSSL library with a number of calls, including
Disabling SIP is a terrible solution (DO NOT DO THAT!), but fortunately the dlopen in question is occurring because we haven't compiled our OpenSSL with We'd still like to fully understand what SIP is doing here, so this fix won't make it into a new release immediately, but you can expect a 1.1.1 in the near future. |
I'm having the same issue and downgrading to 1.0.2 solved it for me. El Capitan 10.11.1 |
This is now resolved in 1.1.1. @chris-wood would you mind confirming? I've verified the fix (which actually has nothing to do with the code changes and everything to do with the way we compiled the wheel) in a VM, but more verification is never bad. I am going to close this as fixed for now though! |
@reaperhulk - so, I get that building with |
it's built with Why SIP denies dlopen when using a binary like /usr/bin/python is still an open question. I'd very much like to know the answer, but I don't know how to continue to investigate this. Apple has no documentation on what's going on here that I can find and I don't know of a forum where this sort of question wouldn't be met with "what are you talking about?". |
@reaperhulk All set! Thanks for the fix. |
I'm encountering the same issue even on 1.1.1 cryptography on Amazon EC2:
Other output from commands in this thread:
Downgrading to 1.0.2 did not resolve the issue for me. However, as I write this, I began testing my API calls multiple times (I'm running a Flask API behind WSGI under httpd) and I'm getting random success and failure. I might get ten success in a row followed by 2 failures or I might get a few failures and a few success. I realize this is likely the hardest type of issue to solve - it's like bringing your car in for service and it won't act up for the mechanic. |
@eric-tucker if you're running this using mod_wsgi please try setting |
Hi @reaperhulk . This setting did not help. Still seeing random success/failures. |
Huh, odd... This is almost certainly some type of threading/subinterpreter race condition, but without a way to reproduce it we're going to have a lot of difficulty tracking it down. What happens if you edit |
HI @reaperhulk. Unfortunately I don't have time to start debugging to this level. Our project is due too soon. I've reverted to running my API in AWS Lambda behind API Gateway. I may come back to this some day, but not anytime soon I imagine. Thanks though. |
reaperhulk, I use python2-cryptography version 1.3.1 with Apache httpd (mod_wsgi) on RHEL 7.* and I get this error whenever I restart httpd . I followed your suggestion (#2471) to replace /usr/lib64/python2.7/site-packages/cryptography/hazmat/bindings/openssl/bindings.py (below line) after which I cannot reproduce the error. If I revert the change, the problem can be reproduced. _openssl_assert(cls.lib, cls.lib.ERR_peek_error() == 0) with cls.lib.ERR_clear_error()? I see multiple bugs opened along this line. but I am not able to figure out if a fix for this problem is available in any of the latest versions. Please let me know. |
I am getting the same error. Here's my trace. "Traceback (most recent call last):" , "referer" : }, Using Python 3.6.2 |
I also get the same exception. |
But I have no right to paste trace log here. |
I am having the following problem on El Capitan (OS X). Is anyone else able to reproduce this?
The text was updated successfully, but these errors were encountered: