SSL not working properly with Python 3, using both pyopenssl and builtin

[ghost]

Originally reported by: Anonymous

---

I have tested with both Python 3.2 and 3.3. I cannot get SSL to work unless I use Python 2.7.

The example code I used:

#!python

import cherrypy

class RootServer:
    def index(self, **keywords):
        return "it works!"
    index.exposed = True

if __name__ == '__main__':
    server_config={
        'server.socket_host': '0.0.0.0',
        'server.socket_port': 8080,

        'server.ssl_module':'pyopenssl',
        'server.ssl_certificate':'ssl/certificate.crt',
        'server.ssl_private_key':'server.key',
        'server.ssl_certificate_chain':'bundle.crt'
    }

    cherrypy.config.update(server_config)
    cherrypy.quickstart(RootServer())

I made sure pyopenssl is installed for Python 3.

Running the above code gives this output:

#!

[casper@zacko ~]$ python ssl.py
[12/Jan/2013:12:08:41] ENGINE Listening for SIGTERM.
[12/Jan/2013:12:08:41] ENGINE Listening for SIGHUP.
[12/Jan/2013:12:08:41] ENGINE Listening for SIGUSR1.
[12/Jan/2013:12:08:41] ENGINE Bus STARTING
CherryPy Checker:
The Application mounted at '' has an empty config.

[12/Jan/2013:12:08:41] ENGINE Started monitor thread '_TimeoutMonitor'.
[12/Jan/2013:12:08:41] ENGINE Started monitor thread 'Autoreloader'.
[12/Jan/2013:12:08:41] ENGINE Error in 'start' listener <bound method Server.start of <cherrypy._cpserver.Server object at 0x7f28a8833410>>
Traceback (most recent call last):
  File "/usr/lib/python3.3/site-packages/CherryPy-3.2.3-py3.3.egg/cherrypy/process/wspbus.py", line 197, in publish
    output.append(listener(*args, **kwargs))
  File "/usr/lib/python3.3/site-packages/CherryPy-3.2.3-py3.3.egg/cherrypy/_cpserver.py", line 150, in start
    self.httpserver, self.bind_addr = self.httpserver_from_self()
  File "/usr/lib/python3.3/site-packages/CherryPy-3.2.3-py3.3.egg/cherrypy/_cpserver.py", line 141, in httpserver_from_self
    httpserver = _cpwsgi_server.CPWSGIServer(self)
  File "/usr/lib/python3.3/site-packages/CherryPy-3.2.3-py3.3.egg/cherrypy/_cpwsgi_server.py", line 53, in __init__
    adapter_class = wsgiserver.get_ssl_adapter_class(ssl_module)
  File "/usr/lib/python3.3/site-packages/CherryPy-3.2.3-py3.3.egg/cherrypy/wsgiserver/wsgiserver3.py", line 1758, in get_ssl_adapter_class
    adapter = ssl_adapters[name.lower()]
KeyError: 'pyopenssl'

[12/Jan/2013:12:08:41] ENGINE Shutting down due to error in start listener:
Traceback (most recent call last):
  File "/usr/lib/python3.3/site-packages/CherryPy-3.2.3-py3.3.egg/cherrypy/process/wspbus.py", line 235, in start
    self.publish('start')
  File "/usr/lib/python3.3/site-packages/CherryPy-3.2.3-py3.3.egg/cherrypy/process/wspbus.py", line 215, in publish
    raise exc
cherrypy.process.wspbus.ChannelFailures: KeyError('pyopenssl',)

If I change the SSL module to 'builtin' I get no errors. It asks for the password, but after entering it nothing happens. Each time I try to access the site in a browser it will ask for the password again.

Should I enter it incorrectly an exception is thrown, which seems like correct behavior.

---

• Bitbucket: https://bitbucket.org/cherrypy/cherrypy/issue/1202

[ghost]

Original comment by Perlkonig (Bitbucket: Perlkonig, GitHub: Perlkonig):

---

I'm having the same problem (Python 3.3.0, CherryPy 3.2.4).

[ghost]

Original comment by Sylvain Hellegouarch (Bitbucket: Lawouach, GitHub: Lawouach):

---

This should be seen as a blocker for the next release.

[ghost]

Original comment by Derek Litz (Bitbucket: dereklitz, GitHub: Unknown):

---

The bug report is a bit misleading... SSL works with Python3, but you cannot specify to use 'pyopenssl' because it only supports 'builtin'.

See line 1763 of wsgiserver3.py

[ghost]

Original comment by Florijan Hamzic (Bitbucket: florijanh, GitHub: Unknown):

---

Will this be fixed within some of the next 3.2.x versions?

I am trying to understand the problem here, is it such a lot of effort to port the CP_fileobject part to wsgiserver3?

[ghost]

Original comment by Alexander Kharitonov (Bitbucket: alexkhv, GitHub: alexkhv):

---

I've solved the problem by commenting out line in server_config:
'server.ssl_module':'pyopenssl',

[ghost]

Original comment by Florijan Hamzic (Bitbucket: florijanh, GitHub: Unknown):

---

I just run into this issue again:

here is what it makes possible to use CA certs with the builtin SSL provider

add the following parameter to this function in ./wsgiserver/ssl_builtin.py:

#!python

s = ssl.wrap_socket(sock, do_handshake_on_connect=True,
                                server_side=True, certfile=self.certificate,
                                keyfile=self.private_key,
                                ssl_version=ssl.PROTOCOL_SSLv23,
                                ca_certs=self.certificate_chain) <-

[ghost]

Original comment by Austin Steed (Bitbucket: asteed, GitHub: asteed):

---

Thank you Florijan! After looking in the source of ssl_builtin.py I noticed this as well, when cherrypy uses the "builtin" ssl, it simply stores the certificate_chain but doesn't actually use it.

I'm running python 3.4 w/ cherrypy 3.6

[ghost]

Original comment by decontaminatoR (Bitbucket: decontaminatoR, GitHub: Unknown):

---

@florijan, yes that works, but I also add after this:

#!python

    private_key = None
    """The filename of the server's private key file."""

I added this:

#!python
    certificate_chain = None
    """The filename of the certificate chain file."""

Pull request:
HERE

[ghost]

Original comment by Mattias Fliesberg (Bitbucket: inty, GitHub: inty):

---

I ran into this too... This is kind of a major issue, would be nice if someone could merge this!

[ghost]

Original comment by Evgeny Petrov (Bitbucket: master_groosha, GitHub: Unknown):

---

How can I do this with CherryPy 4? Where should I add this? Should I monkeypatch anything?