SSL not working properly with Python 3, using both pyopenssl and builtin #1202

Closed
bb-migration opened this Issue Jan 12, 2013 · 10 comments

bb-migration commented Jan 12, 2013

Originally reported by: Anonymous


I have tested with both Python 3.2 and 3.3. I cannot get SSL to work unless I use Python 2.7.

The example code I used:

```python
import cherrypy

class RootServer:
    def index(self, **keywords):
        return "it works!"
    index.exposed = True

if __name__ == '__main__':
    server_config = {
        'server.socket_host': '0.0.0.0',
        'server.socket_port': 8080,

        'server.ssl_module': 'pyopenssl',
        'server.ssl_certificate': 'ssl/certificate.crt',
        'server.ssl_private_key': 'server.key',
        'server.ssl_certificate_chain': 'bundle.crt'
    }

    cherrypy.config.update(server_config)
    cherrypy.quickstart(RootServer())
```

I made sure pyopenssl is installed for Python 3.

Running the above code gives this output:

```
[casper@zacko ~]$ python ssl.py
[12/Jan/2013:12:08:41] ENGINE Listening for SIGTERM.
[12/Jan/2013:12:08:41] ENGINE Listening for SIGHUP.
[12/Jan/2013:12:08:41] ENGINE Listening for SIGUSR1.
[12/Jan/2013:12:08:41] ENGINE Bus STARTING
CherryPy Checker:
The Application mounted at '' has an empty config.

[12/Jan/2013:12:08:41] ENGINE Started monitor thread '_TimeoutMonitor'.
[12/Jan/2013:12:08:41] ENGINE Started monitor thread 'Autoreloader'.
[12/Jan/2013:12:08:41] ENGINE Error in 'start' listener <bound method Server.start of <cherrypy._cpserver.Server object at 0x7f28a8833410>>
Traceback (most recent call last):
  File "/usr/lib/python3.3/site-packages/CherryPy-3.2.3-py3.3.egg/cherrypy/process/wspbus.py", line 197, in publish
    output.append(listener(*args, **kwargs))
  File "/usr/lib/python3.3/site-packages/CherryPy-3.2.3-py3.3.egg/cherrypy/_cpserver.py", line 150, in start
    self.httpserver, self.bind_addr = self.httpserver_from_self()
  File "/usr/lib/python3.3/site-packages/CherryPy-3.2.3-py3.3.egg/cherrypy/_cpserver.py", line 141, in httpserver_from_self
    httpserver = _cpwsgi_server.CPWSGIServer(self)
  File "/usr/lib/python3.3/site-packages/CherryPy-3.2.3-py3.3.egg/cherrypy/_cpwsgi_server.py", line 53, in __init__
    adapter_class = wsgiserver.get_ssl_adapter_class(ssl_module)
  File "/usr/lib/python3.3/site-packages/CherryPy-3.2.3-py3.3.egg/cherrypy/wsgiserver/wsgiserver3.py", line 1758, in get_ssl_adapter_class
    adapter = ssl_adapters[name.lower()]
KeyError: 'pyopenssl'

[12/Jan/2013:12:08:41] ENGINE Shutting down due to error in start listener:
Traceback (most recent call last):
  File "/usr/lib/python3.3/site-packages/CherryPy-3.2.3-py3.3.egg/cherrypy/process/wspbus.py", line 235, in start
    self.publish('start')
  File "/usr/lib/python3.3/site-packages/CherryPy-3.2.3-py3.3.egg/cherrypy/process/wspbus.py", line 215, in publish
    raise exc
cherrypy.process.wspbus.ChannelFailures: KeyError('pyopenssl',)
```

If I change the SSL module to 'builtin' I get no errors. It asks for the password, but after entering it nothing happens. Each time I try to access the site in a browser it will ask for the password again.

Should I enter it incorrectly, an exception is thrown, which seems like correct behavior.


bb-migration commented Jul 20, 2013

Original comment by Perlkonig (Bitbucket: Perlkonig, GitHub: Perlkonig):


I'm having the same problem (Python 3.3.0, CherryPy 3.2.4).

bb-migration commented Nov 12, 2013

Original comment by Sylvain Hellegouarch (Bitbucket: Lawouach, GitHub: Lawouach):


This should be seen as a blocker for the next release.

bb-migration commented Dec 9, 2013

Original comment by Derek Litz (Bitbucket: dereklitz, GitHub: Unknown):


The bug report is a bit misleading... SSL works with Python3, but you cannot specify to use 'pyopenssl' because it only supports 'builtin'.

See line 1763 of wsgiserver3.py

bb-migration commented Apr 16, 2014

Original comment by Florijan Hamzic (Bitbucket: florijanh, GitHub: Unknown):


Will this be fixed within some of the next 3.2.x versions?

I am trying to understand the problem here. Is it such a lot of effort to port the CP_fileobject part to wsgiserver3?

bb-migration commented Aug 24, 2014

Original comment by Alexander Kharitonov (Bitbucket: alexkhv, GitHub: alexkhv):


I've solved the problem by commenting out the line in server_config:

```python
'server.ssl_module':'pyopenssl',
```

bb-migration commented Mar 4, 2015

Original comment by Florijan Hamzic (Bitbucket: florijanh, GitHub: Unknown):


I just ran into this issue again:

Here is what makes it possible to use CA certs with the builtin SSL provider.

Add the following parameter to this function in ./wsgiserver/ssl_builtin.py:

```python
s = ssl.wrap_socket(sock, do_handshake_on_connect=True,
                    server_side=True, certfile=self.certificate,
                    keyfile=self.private_key,
                    ssl_version=ssl.PROTOCOL_SSLv23,
                    ca_certs=self.certificate_chain)  # <- added parameter
```

bb-migration commented Mar 27, 2015

Original comment by Austin Steed (Bitbucket: asteed, GitHub: asteed):


Thank you Florijan! After looking in the source of ssl_builtin.py I noticed this as well: when cherrypy uses the "builtin" ssl, it simply stores the certificate_chain but doesn't actually use it.

I'm running python 3.4 w/ cherrypy 3.6
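
An added example, not code from CherryPy or from any commenter: a startup preflight that reports the two failure modes described in this thread, the unregistered `ssl_module` name and the chain file that is stored but never read by `wrap()`. The adapter classes are constructed stand-ins, `preflight` and `wrap_uses` are hypothetical names, and the `'builtin'` default for an unset `server.ssl_module` is an assumption.

```python
import ssl

class UnpatchedAdapter:
    """Constructed stand-in: stores certificate_chain, wrap() never reads it."""
    def __init__(self, certificate, private_key, certificate_chain=None):
        self.certificate = certificate
        self.private_key = private_key
        self.certificate_chain = certificate_chain

    def wrap(self, sock):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(self.certificate, self.private_key)
        return ctx.wrap_socket(sock, server_side=True)

class PatchedAdapter(UnpatchedAdapter):
    """Constructed stand-in with the chain loaded, as the ca_certs= fix does."""
    def wrap(self, sock):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(self.certificate, self.private_key)
        if self.certificate_chain:
            # SSLContext equivalent of wrap_socket(ca_certs=...)
            ctx.load_verify_locations(cafile=self.certificate_chain)
        return ctx.wrap_socket(sock, server_side=True)

def wrap_uses(adapter_cls, attr):
    """Heuristic: does wrap() reference `attr` anywhere in its bytecode?"""
    return attr in adapter_cls.wrap.__code__.co_names

def preflight(config, adapters):
    """Return [(config_key, problem)] for a CherryPy-style server config.

    `adapters` maps module name -> adapter class (hypothetical registry).
    """
    problems = []
    # Assumption: an unset ssl_module means 'builtin' on Python 3.
    name = config.get('server.ssl_module', 'builtin').lower()
    cls = adapters.get(name)
    if cls is None:
        problems.append(('server.ssl_module',
                         'no adapter named %r; startup fails with KeyError' % name))
        return problems
    chain = config.get('server.ssl_certificate_chain')
    if chain and not wrap_uses(cls, 'certificate_chain'):
        problems.append(('server.ssl_certificate_chain',
                         '%r is stored but never used by %s.wrap()'
                         % (chain, cls.__name__)))
    return problems
```

Run it against the reporter's `server_config` with the adapter table of the installed version; an empty list means neither problem was detected.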

bb-migration commented May 14, 2015

Original comment by decontaminatoR (Bitbucket: decontaminatoR, GitHub: Unknown):


@florijan, yes, that works, but I also added something after this:

```python
    private_key = None
    """The filename of the server's private key file."""
```

I added this:

```python
    certificate_chain = None
    """The filename of the certificate chain file."""
```

Pull request:
HERE

bb-migration commented Jan 21, 2016

Original comment by Mattias Fliesberg (Bitbucket: inty, GitHub: inty):


I ran into this too... This is kind of a major issue, would be nice if someone could merge this!

bb-migration commented Jan 24, 2016

Original comment by Evgeny Petrov (Bitbucket: master_groosha, GitHub: Unknown):


How can I do this with CherryPy 4? Where should I add this? Should I monkeypatch anything?
