
SSL Errors - CherryPy Server - Version -> CherryPy==18.1.2 #1808

further-i-go-less-i-know opened this issue Sep 29, 2019 · 19 comments
Labels
bug Cheroot OS: GNU/Linux question reproducer: missing This PR or issue leaks code, which reproduce the problem described or clearly understandable STR

Comments

@further-i-go-less-i-know commented Sep 29, 2019

I'm submitting a ...

  • bug report
  • feature request
  • question about the decisions made in the repository

Do you want to request a feature or report a bug?
Report bug

What is the current behavior?
Server throws traceback errors regarding the SSL certificate. Please see a couple of these errors as follows:

[28/Sep/2019:16:45:55] TOOLS.STATIC Content-Type: 'video/mp4'
[28/Sep/2019:16:45:55] TOOLS.STATIC Content-Disposition: None
[28/Sep/2019:16:45:55] TOOLS.STATIC Single part; start: 0, stop: 442686
[28/Sep/2019:16:54:33] ENGINE Error in HTTPServer.tick
Traceback (most recent call last):
  File "/home/user/folder/folder2/lib/python3.7/site-packages/cheroot/server.py", line 1789, in serve
    self.tick()
  File "/home/user/folder/folder2/lib/python3.7/site-packages/cheroot/server.py", line 1997, in tick
    s, ssl_env = self.ssl_adapter.wrap(s)
  File "/home/user/folder/folder2/lib/python3.7/site-packages/cheroot/ssl/builtin.py", line 114, in wrap
    sock, do_handshake_on_connect=True, server_side=True,
  File "/home/user/opt/python-3.7.1/lib/python3.7/ssl.py", line 412, in wrap_socket
    session=session
  File "/home/user/opt/python-3.7.1/lib/python3.7/ssl.py", line 853, in _create
    self.do_handshake()
  File "/home/user/opt/python-3.7.1/lib/python3.7/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1051)

[28/Sep/2019:16:54:33] ENGINE Error in HTTPServer.tick
Traceback (most recent call last):
  File "/home/user/folder/folder2/lib/python3.7/site-packages/cheroot/server.py", line 1789, in serve
    self.tick()
  File "/home/user/folder/folder2/lib/python3.7/site-packages/cheroot/server.py", line 1997, in tick
    s, ssl_env = self.ssl_adapter.wrap(s)
  File "/home/user/folder/folder2/lib/python3.7/site-packages/cheroot/ssl/builtin.py", line 114, in wrap
    sock, do_handshake_on_connect=True, server_side=True,
  File "/home/user/opt/python-3.7.1/lib/python3.7/ssl.py", line 412, in wrap_socket
    session=session
  File "/home/user/opt/python-3.7.1/lib/python3.7/ssl.py", line 853, in _create
    self.do_handshake()
  File "/home/user/opt/python-3.7.1/lib/python3.7/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1051)

If the current behavior is a bug, please provide the steps to reproduce and, if possible, screenshots and logs of the problem. If you can, show us your code.

Please see the code here: https://github.com/further-i-go-less-i-know/cherrypie-ssl-errors/blob/master/ssl_errors.py

I think this is enough to show the SSL configuration and maybe to reproduce the error. The application code is not here, but the SSL configuration for the CherryPy server is.

What is the expected behavior?

To not see errors in the cherrypy_errors.log file and to not have the application server crash then start with a 500 error from a cron job. ^_^

What is the motivation / use case for changing the behavior?
Motivation and use case is to have a more reliable server that does not throw errors.

Please tell us about your environment:

cheroot==6.5.5
CherryPy==18.1.2
Python 3.7.1

OS: Ubuntu 18.04.2 LTS
Browser: Firefox 69.0.1 64-bit
Web Browser: iOS 12 Safari

Other information (e.g. detailed explanation, stacktraces, related issues, suggestions how to fix, links for us to have context, e.g. stackoverflow, gitter, etc.)

Everything seems to work even when the traceback errors appear complaining about the bad SSL certificate. I am using "LetsEncrypt" certificates from my domain. I am supplying the certificate and the private key to the configuration area of CherryPy. This can be seen in a GitHub repo I created to debug this at the following URL: https://github.com/further-i-go-less-i-know/cherrypie-ssl-errors/blob/master/ssl_errors.py

Eventually, the application crashes. I have noticed that the application crashes about 1 time a week. Then I have a script that is called via cron. The server starts up, but anything entered into the form field of the application will result in a 500 error when the submit button is clicked. The error in the logs is regarding a bad SSL cert. Please see the stacktraces for this error as follows. These errors were taken while the server is still running, even while throwing these SSL errors. The green check mark in the browser is still there also. There are not any warnings or anything. Well anyway, please see the stacktraces again as follows:

[28/Sep/2019:16:45:55] TOOLS.STATIC Content-Type: 'video/mp4'
[28/Sep/2019:16:45:55] TOOLS.STATIC Content-Disposition: None
[28/Sep/2019:16:45:55] TOOLS.STATIC Single part; start: 0, stop: 442686
[28/Sep/2019:16:54:33] ENGINE Error in HTTPServer.tick
Traceback (most recent call last):
  File "/home/user/folder/folder2/lib/python3.7/site-packages/cheroot/server.py", line 1789, in serve
    self.tick()
  File "/home/user/folder/folder2/lib/python3.7/site-packages/cheroot/server.py", line 1997, in tick
    s, ssl_env = self.ssl_adapter.wrap(s)
  File "/home/user/folder/folder2/lib/python3.7/site-packages/cheroot/ssl/builtin.py", line 114, in wrap
    sock, do_handshake_on_connect=True, server_side=True,
  File "/home/user/opt/python-3.7.1/lib/python3.7/ssl.py", line 412, in wrap_socket
    session=session
  File "/home/user/opt/python-3.7.1/lib/python3.7/ssl.py", line 853, in _create
    self.do_handshake()
  File "/home/user/opt/python-3.7.1/lib/python3.7/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1051)

[28/Sep/2019:16:54:33] ENGINE Error in HTTPServer.tick
Traceback (most recent call last):
  File "/home/user/folder/folder2/lib/python3.7/site-packages/cheroot/server.py", line 1789, in serve
    self.tick()
  File "/home/user/folder/folder2/lib/python3.7/site-packages/cheroot/server.py", line 1997, in tick
    s, ssl_env = self.ssl_adapter.wrap(s)
  File "/home/user/folder/folder2/lib/python3.7/site-packages/cheroot/ssl/builtin.py", line 114, in wrap
    sock, do_handshake_on_connect=True, server_side=True,
  File "/home/user/opt/python-3.7.1/lib/python3.7/ssl.py", line 412, in wrap_socket
    session=session
  File "/home/user/opt/python-3.7.1/lib/python3.7/ssl.py", line 853, in _create
    self.do_handshake()
  File "/home/user/opt/python-3.7.1/lib/python3.7/ssl.py", line 1117, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1051)

Thank-you for reading all of this. :)

@webknjaz added the reproducer: missing label Sep 29, 2019
@webknjaz (Member)

Is that the same traceback pasted twice?

@further-i-go-less-i-know (Author)

In the logs the error appears like that. The error is thrown twice in other words. I did not paste it 2X. :)

@webknjaz (Member)

I mean, there's one traceback in the other info section and behavior. Also, it looks like there's some duplicate text. Better paste the code here too.

@webknjaz (Member)

Also, I don't see any process crash. It's just a traceback.

@further-i-go-less-i-know (Author)

Oh, I posted the same 2 errors twice. 1 time in the "other information" section another time in the "what is the current behavior" section.

@further-i-go-less-i-know (Author)

Yes, the application/process does not crash until about a week or so. The errors are thrown as shown though frequently.

@webknjaz (Member)

So there are two separate problems:

  1. the app crashing
  2. some HTTP requests return 500 Internal Server Error

@further-i-go-less-i-know (Author)

What about:
3. The SSL traceback errors?

@webknjaz (Member)

  1. == 3.

@further-i-go-less-i-know (Author)

500 errors are normally not seen until I try and restart the crashed app server with cron.

The SSL tracebacks are peppered throughout the error log but do not seem to impact the functionality. What I mean is there are not any 500 errors thrown from the SSL tracebacks or as a result of the SSL traceback errors. ^_^

@webknjaz (Member)

I can assure you that those exceptions cause the web-server to return 500 Internal Server Error.

Also, the restart scenario doesn't seem to be related. If new 500s appear then, look for tracebacks from those requests.
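
Following the advice above to look for the tracebacks behind any new 500s, here is an added triage script (not part of this issue, CherryPy or cheroot) that parses a CherryPy/cheroot error log in the format shown in the report. It separates tracebacks logged from `HTTPServer.tick` (raised while wrapping the accepted socket in TLS, before any HTTP request has been parsed) from tracebacks raised while handling a request, and tallies the TLS alert reasons. The sample log is constructed: the first two tracebacks mirror the ones in the report (with shortened paths), the third is a made-up request-handling failure added for contrast; the `HTTP` channel line is an assumed log shape, not a quote from CherryPy.

```python
"""Triage a CherryPy/cheroot error log: separate TLS handshake failures
(raised in HTTPServer.tick, before any HTTP request exists) from
tracebacks raised while handling a request."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample log (not a real capture); paths shortened with "...".
SAMPLE_LOG = """\
[28/Sep/2019:16:45:55] TOOLS.STATIC Content-Type: 'video/mp4'
[28/Sep/2019:16:54:33] ENGINE Error in HTTPServer.tick
Traceback (most recent call last):
  File ".../cheroot/server.py", line 1789, in serve
    self.tick()
  File ".../cheroot/ssl/builtin.py", line 114, in wrap
    sock, do_handshake_on_connect=True, server_side=True,
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1051)
[28/Sep/2019:16:54:33] ENGINE Error in HTTPServer.tick
Traceback (most recent call last):
  File ".../cheroot/server.py", line 1789, in serve
    self.tick()
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1051)
[29/Sep/2019:03:12:07] HTTP
Traceback (most recent call last):
  File ".../cherrypy/_cprequest.py", line 628, in respond
    self._do_respond(path_info)
KeyError: 'form_field'
"""

# "[timestamp] CHANNEL message" starts a new entry; anything else continues
# the previous entry (traceback lines).
ENTRY_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<channel>\S+) ?(?P<msg>.*)$")
# OpenSSL reason code inside an ssl.SSLError message, e.g. [SSL: UNKNOWN_CA].
ALERT_RE = re.compile(r"\[SSL: (?P<reason>[A-Z0-9_]+)\]")


@dataclass
class Entry:
    timestamp: str
    channel: str
    message: str
    traceback: list = field(default_factory=list)

    @property
    def exception(self):
        """Last traceback line, e.g. 'ssl.SSLError: ...', or None."""
        return self.traceback[-1] if self.traceback else None

    @property
    def phase(self):
        """Where the failure happened, derived from channel and message."""
        if not self.traceback:
            return "none"
        if self.channel == "ENGINE" and "HTTPServer.tick" in self.message:
            # Raised while accepting/wrapping a socket: no HTTP request has
            # been parsed yet, so this client never received an HTTP status.
            return "tls_handshake"
        return "request"


def parse_log(text):
    """Group log lines into entries, attaching traceback lines to their entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m["ts"], m["channel"], m["msg"]))
        elif entries:
            entries[-1].traceback.append(line)
    return entries


def summarize(entries):
    """Count tracebacks by phase and TLS failures by alert reason."""
    by_phase = Counter()
    tls_reasons = Counter()
    for e in entries:
        if not e.traceback:
            continue
        by_phase[e.phase] += 1
        if e.phase == "tls_handshake":
            m = ALERT_RE.search(e.exception or "")
            tls_reasons[m["reason"] if m else "unknown"] += 1
    return by_phase, tls_reasons


if __name__ == "__main__":
    phases, reasons = summarize(parse_log(SAMPLE_LOG))
    print("by phase:", dict(phases))
    print("TLS alert reasons:", dict(reasons))
```

Run it against a real `cherrypy_errors.log` by reading the file into `parse_log`; entries whose `phase` is `request` are the ones to correlate with the 500 responses, while a steady stream of `tls_handshake` entries with one alert reason points at clients that fail the handshake itself.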

@further-i-go-less-i-know (Author)

Interesting. Okay. Thank-you for the help with this. I should probably read more in the documentation. :)

@webknjaz (Member) commented Sep 29, 2019

@webknjaz (Member)

Maybe this could be reproduced by not having a CA that issued the server cert in the client's chain of trust.

@further-i-go-less-i-know (Author)

Not sure what that means. I used the certificate from my domain that "letsencrypt" produced. 0_o

@further-i-go-less-i-know (Author)

Should I produce my own cert and private key for the application instead of using the domain's CA and PK? There is some helpful information on how to generate these in the cherrypy documentation at the following URL: https://docs.cherrypy.org/en/latest/deploy.html?highlight=ssl#ssl-support

@webknjaz (Member) commented Oct 9, 2019

No, that's for self-signed certificates. I believe that some of your clients are sending you client certificates that you can't verify.

@further-i-go-less-i-know (Author)

Interesting. Do the errors have anything to do with the fact that the application server is running on port 4200? Please see the attached screenshot sirs.
[screenshot: Port4200NotSupported]

@webknjaz (Member)

Unlikely. That's a limitation of SSL Labs.
TLS certs don't include ports in their CN: https://tools.ietf.org/html/rfc2818#section-3.1.
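
To make the point about ports concrete, here is an added example (not code from this issue, CherryPy or cheroot) of the identity check an HTTPS client performs per RFC 2818 section 3.1: the name to match is taken from the URL host alone, so the port (4200 here) never participates. The peer certificate dictionary is constructed in the shape `ssl.SSLSocket.getpeercert()` returns and is not a real Let's Encrypt certificate; the host names are assumptions. The wildcard rule is implemented more strictly than RFC 2818's text (only a whole leftmost `*` label, matching exactly one label), and IP-address identities are left out.

```python
"""Match a server certificate's identity against the host of a URL the way
an HTTPS client does (RFC 2818 s3.1). The port is not part of the identity."""
from urllib.parse import urlsplit

# Constructed peer certificate in getpeercert() shape (assumed names).
PEER_CERT = {
    "subject": ((("commonName", "app.example.net"),),),
    "subjectAltName": (("DNS", "app.example.net"), ("DNS", "*.svc.example.net")),
}


def cert_identities(cert):
    """RFC 2818 s3.1: use subjectAltName dNSName entries if present, else the CN."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return dns_names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def dns_name_matches(pattern, host):
    """Case-insensitive match; a wildcard must be the whole leftmost label and
    matches exactly one label (*.a.com matches foo.a.com, not bar.foo.a.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def url_matches_cert(url, cert):
    """Return (host, matched identity or None). Scheme, port, path and
    userinfo are dropped by urlsplit().hostname before matching."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError("no host in %r" % url)
    for ident in cert_identities(cert):
        if dns_name_matches(ident, host):
            return host, ident
    return host, None


if __name__ == "__main__":
    for url in ("https://app.example.net:4200/form",
                "https://api.svc.example.net:8443/",
                "https://other.example.net:4200/"):
        print(url, "->", url_matches_cert(url, PEER_CERT))
```

The same certificate therefore validates on port 443, 4200 or any other port; a scanner that refuses a non-standard port is declining to connect, not reporting a certificate mismatch.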
