SSL not working #1298
Original comment by zoomorph (Bitbucket: zoomorph, GitHub: zoomorph): Best I can get...
Using "pyopenssl" module:
When sending HTTP to mysite:443 - "The client sent a plain HTTP request, but this server only speaks HTTPS on this port."
When sending HTTPS - Nothing... browser fails to connect, CherryPy doesn't log anything.
When using "builtin" module, I get this error when sending HTTP to mysite:443:
Again nothing when connecting via HTTPS.
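Added example (not part of the original thread and not CherryPy code): a Python 3 probe that tells apart the symptoms reported above, a listener that answers a TLS handshake, one that replies with plain HTTP bytes, and one that accepts the connection and then says nothing. The names `probe_tls` and `start_listener` are hypothetical, and the two local listeners are constructed stand-ins rather than a CherryPy server.

```python
import socket
import ssl
import threading
import time


def probe_tls(host, port, timeout=2.0):
    """Classify how a listener reacts to a TLS handshake attempt."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"            # nothing accepted the TCP connection
    ctx = ssl.create_default_context()  # certificate verification stays on
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "tls:" + tls.version()
    except socket.timeout:
        return "silent"                 # TCP accepted, handshake never answered
    except ssl.SSLCertVerificationError:
        return "tls_untrusted_cert"     # peer speaks TLS, e.g. self-signed cert
    except ssl.SSLError:
        return "not_tls"                # peer answered with non-TLS bytes
    except OSError:
        return "reset"
    finally:
        raw.close()


def start_listener(reply, hold=1.5):
    """Constructed stand-in server: accept one client, optionally send `reply`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)                 # swallow the ClientHello
        if reply:
            conn.sendall(reply)
        time.sleep(hold)                # keep the connection open, say nothing more
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    plain = start_listener(b"HTTP/1.1 400 Bad Request\r\n\r\n")
    mute = start_listener(b"")
    print(probe_tls("127.0.0.1", plain, timeout=1.0))
    print(probe_tls("127.0.0.1", mute, timeout=0.5))
```

A "silent" result against a port that is supposed to serve HTTPS matches the failure described in this issue, where the server starts without errors but never completes a handshake.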
Original comment by Nathan Kinder (Bitbucket: nkinder, GitHub: nkinder): This was broken in CherryPy 3.2.5 by commit 4f2ef8d. Specifically, the changes in the init method of the HttpConnection class prevent SSL from working at all. To test, I'm just using the HelloWorld() tutorial with SSL configured, and testing with curl. Here's what the failure looks like:
If I revert the changes in this area, I am able to get SSL to work correctly.
Original comment by Nathan Kinder (Bitbucket: nkinder, GitHub: nkinder): I just tried my SSL test with PyPy 1.9.0 and the default branch of CherryPy, and it works fine with this code change:
Original comment by Nathan Kinder (Bitbucket: nkinder, GitHub: nkinder): I only had to revert the portion of the change that I mentioned in the diff above. Reverting the whole change breaks PyPy. It seems that PyPy doesn't have a problem with using the high level socket in this section of code. With this change, both Python and PyPy work for me (with and without SSL). There was also another report of SSL being broken with PyPy in issue #1293. This looks like a duplicate to me. I have asked the reporter to try the above fix to confirm that it works for him as well.
Original comment by Nathan Kinder (Bitbucket: nkinder, GitHub: nkinder): I've submitted a pull request for this issue: https://bitbucket.org/cherrypy/cherrypy/pull-request/63/fix-issue-1298-ssl-not-working The reporter of SSL not working with PyPy in issue #1293 has also confirmed that this fix works for him using PyPy.
Original comment by zoomorph (Bitbucket: zoomorph, GitHub: zoomorph): Hi Nathan, Changing those 2 lines, I received the following error using a nightly build of PyPy, and the latest CherryPy from the repo: File "/root/pypy-c-jit-69737-b03d8d46d83d-linux/site-packages/CherryPy-3.2.6-py2.7.egg/cherrypy/wsgiserver/wsgiserver2.py", line 1966, in start I tried this twice on 2 builds and both failed. Reverting those 2 lines, the error is gone, but SSL silently fails to work. Please try using a nightly build of PyPy.
Original comment by Nathan Kinder (Bitbucket: nkinder, GitHub: nkinder): You are correct. I get the same failures using a local build of PyPy with source that I pulled from their repo today. It looks like ssl.wrap_socket() will only work with a socket.socket object. When SSL/TLS is not being used, PyPy requires the underlying internal socket (the _sock attribute of socket.socket). Fortunately, an SSL wrapped socket (ssl.SSLSocket) implements the _reuse() and _drop() methods that PyPy expects. I'm testing a patch that checks if we are dealing with a ssl.SSLSocket or not, and passes the SSL wrapped socket or the low-level socket (_sock) to CP_fileobject depending on what we have. This seems to work nicely with PyPy for both SSL/TLS and plain HTTPS cases using the "builtin" SSL module. I still want to run some tests with the "pyopenssl" SSL module as well as C Python before submitting a new pull request.
Original comment by Nathan Kinder (Bitbucket: nkinder, GitHub: nkinder): It turns out that the "pyopenssl" module doesn't work the same as "builtin" here. That is, the OpenSSL.SSL.Connection class does not have _reuse() and _drop() methods, yet we must pass this high level object to CP_fileobject() for SSL/TLS to work. I'm beginning to think the easier route to take is to simply run CherryPy with Apache HTTPD since it has better SSL support, including client certificate authentication.
Original comment by Paul Brown (Bitbucket: paul_brown_, GitHub: Unknown): I'm having this issue too: "When sending HTTPS - Nothing... browser fails to connect, CherryPy doesn't log anything." I'm using:
Original comment by Paul Brown (Bitbucket: paul_brown_, GitHub: Unknown): I switched to cherrypy==3.2.3 and it worked again.
Original comment by Sylvain Hellegouarch (Bitbucket: Lawouach, GitHub: Lawouach): Unfortunately, as far as I can tell, SSL support is broken with 3.3 indeed. It just doesn't work anymore. What's more, there are strange behaviors with buffering and the SSL wrapper in previous releases as far as I can tell.
Original comment by helix7 (Bitbucket: helix7, GitHub: helix7): After searching the Internet and finally checking out the code and stepping through the history, I came to the same conclusion as @nkinder and ended up here. For what it's worth, replacing The errors I have seen include:
Original comment by mikeazo (Bitbucket: mikeazo, GitHub: mikeazo): I have had the same SSL error with 3.5.0 and 3.6.0. To fix it, all I have to do is apply the patch @nkinder recommends and it works. Any idea when this fix will be released? Are there other issues that changing those lines might create? When I disable SSL, everything still works.
Original comment by Jesper Reenberg (Bitbucket: jesper_reenberg, GitHub: Unknown): I also have this issue with 3.6.0 from pypi. After fixing sock._sock to sock as suggested above, it works with ssl_module = 'pyopenssl'. Please take this bug report seriously and apply the fix.
Original comment by Sylvain Hellegouarch (Bitbucket: Lawouach, GitHub: Lawouach): Hello there, I apologise for the lack of response here these days. I do recognise this is a very critical bug that has annoyed us for too long. If people are happy with the suggested fix, so am I. However, we always need to ensure that we don't break the 3.x Python support whilst fixing for 2.x. I will definitely look at this over the weekend (sooner if I can). Thanks guys.
Original comment by Sylvain Hellegouarch (Bitbucket: Lawouach, GitHub: Lawouach): Here are my findings:
If I do keep the ._sock attribute as per #1263, on PyPy, the server never answers HTTPS requests but only plain HTTP when using pyOpenSSL. Go figure. All in all, I have decided to reverse #1263 because we have so many users expecting SSL to work on CPython. However, this will break CP/SSL/PyPy/pyOpenSSL again. We will have to look into an appropriate solution that makes sense and doesn't add extra branching in a rather busy code.
Original comment by sandeep balouria (Bitbucket: sbalouria, GitHub: Unknown): curl -sSk https://sm-west.usw1.aws.tidemark.net:8081/login -H'Accept: application/x-yaml' -d username=saltdev -d password=saltdev -d eauth=auto using CherryPy==3.8.0
….14. However, this will break pyOpenSSL on Pypy for now. Until we find the most appropriate solution that is
Originally reported by: Anonymous
Using a recent checkout of CherryPy 3.2.5 and a recent nightly build of PyPy, SSL support doesn't seem to work.
I have tried pyOpenSSL 0.12 (pypy version), pyOpenSSL 0.14, and CherryPy "builtin". In all cases, CherryPy starts up and runs fine, throws no errors, but I can't connect via HTTPS.
In production I'm using an older (circa 9 months) nightly build of PyPy, CherryPy 3.2.4 and pyOpenSSL 0.12 and it works fine.
My connection code: