use correct ssl version with urllib3 and pyopenssl

[stefanfoulis]

There are situations where get_max_tls_protocol() will get a max openssl version from python ssl that is higher than what urllib3 supports.

The error will be:

KeyError: 5

in requests/packages/urllib3/contrib/pyopenssl.py:271 on the line with ctx = OpenSSL.SSL.Context(_openssl_versions[ssl_version])

Using the following replacement for docker.ssladapter.ssladapter.get_max_tls_protocol() worked for me, but there might be other cases I am missing:

from requests.packages.urllib3.contrib import pyopenssl
def get_max_tls_protocol():
    protocols = ('PROTOCOL_TLSv1_2',
                 'PROTOCOL_TLSv1_1',
                 'PROTOCOL_TLSv1',
    for proto in protocols:
        if hasattr(ssl, proto):
            proto_id = getattr(ssl, proto)
            if proto_id in pyopenssl._openssl_versions:
                return proto_id

[posita]

FYI, this may result in docker-py raising a very confusing error:

...
  File "/.../lib/python2.7/site-packages/docker/client.py", line 325, in __init__
    super(AutoVersionClient, self).__init__(*args, **kwargs)
  File "/.../lib/python2.7/site-packages/docker/client.py", line 77, in __init__
    self._version = self._retrieve_server_version()
  File "/.../lib/python2.7/site-packages/docker/client.py", line 92, in _retrieve_server_version
    'Invalid response from docker daemon: key "ApiVersion"'
docker.errors.DockerException: Invalid response from docker daemon: key "ApiVersion" is missing.

This is because _retrieve_server_version is confusing the source of the KeyError:

    ...
    def _retrieve_server_version(self):
        try:
            # self.version raises a KeyError from pyopenssl here ...
            return self.version(api_version=False)["ApiVersion"]
        except KeyError:
            # ... which is then misinterpreted as having come from
            # the attempt to access the "ApiVersion" key here
            raise errors.DockerException(
                'Invalid response from docker daemon: key "ApiVersion"'
                ' is missing.'
            )
        ...

It should probably be rewritten. Here's one suggestion:

    def _retrieve_server_version(self):
        try:
            res = self.version(api_version=False)
        except Exception as e:
            raise errors.DockerException(
                'Error while fetching server API version: {0}'.format(e)
            )
        try:
            return res["ApiVersion"]
        except KeyError:
            raise errors.DockerException(
                'Invalid response from docker daemon: key "ApiVersion"'
                ' is missing.'
            )

[shin-]

I've investigated this issue,

the problem with the solution proposed is that importing pyopenssl raises the following exception if no additional packages are installed:

ImportError: No module named ndg.httpsclient.ssl_peer_verification

Installing this package requires additional system packages (libffi notably, which in turn requires python-dev and libssl on Ubuntu) - which is a no-go as far as I'm concerned, given we want to keep the installation and usage of docker-py simple and universal.

I'm confused as to why pyopenssl would raise a KeyError for any of those protocols. Can you provide more information about the platform you're running on, and the version of pyopenssl you have currently installed? Does upgrading pyopenssl to the latest version fix the issue?

[zbyte64]

I believe I am having the same issue (same error anyways). I uninstalled pyopenssl and reinstalled it:

python -c 'import ssl; print ssl.OPENSSL_VERSION'
OpenSSL 1.0.1f 6 Jan 2014
python -V
Python 2.7.11

Last line of the stack trace:

File "/home/jason/Repos/rethinkdb-factory/local/lib/python2.7/site-packages/requests/packages/urllib3/contrib/pyopenssl.py", line 255, in ssl_wrap_socket
    ctx = OpenSSL.SSL.Context(_openssl_versions[ssl_version])
KeyError: 5

[shin-]

@zbyte64 Thanks. Can you share the output of pip freeze and what OS/version you're running on as well?

[zbyte64]

Ubuntu 14.04 LTS (with deadsnakes PPA so I get python 2.7.11 instead of 2.7.5)

pip freeze
Fabric==1.10.2
PyYAML==3.11
argparse==1.2.1
backports.ssl-match-hostname==3.5.0.1
boto3==1.2.3
botocore==1.3.17
cffi==1.5.0
cryptography==1.2.2
docker-compose==1.5.2
docker-py==1.6.0
dockerpty==0.3.4
docopt==0.6.2
docutils==0.12
ecdsa==0.13
enum34==1.1.2
falcon==0.3.0
functools32==3.2.3-2
futures==3.0.3
gunicorn==19.4.5
idna==2.0
ipaddress==1.0.16
jmespath==0.9.0
jsonschema==2.5.1
ndg-httpsclient==0.4.0
paramiko==1.16.0
pyOpenSSL==0.15.1
pyasn1==0.1.9
pycparser==2.14
pycrypto==2.6.1
python-dateutil==2.4.2
python-mimeparse==0.1.4
requests==2.7.0
rethinkdb==2.2.0-3
six==1.10.0
texttable==0.8.4
urllib3==1.14
websocket-client==0.35.0
wsgiref==0.1.2