ssl broken for python > 2.7.9 #477
Comments
|
Here's a working polyfill which works with gevent 1.0 + cpython 2.7.9 # Re-add sslwrap to Python 2.7.9
import inspect
__ssl__ = __import__('ssl')
try:
_ssl = __ssl__._ssl
except AttributeError:
_ssl = __ssl__._ssl2
def new_sslwrap(sock, server_side=False, keyfile=None, certfile=None, cert_reqs=__ssl__.CERT_NONE, ssl_version=__ssl__.PROTOCOL_SSLv23, ca_certs=None, ciphers=None):
context = __ssl__.SSLContext(ssl_version)
context.verify_mode = cert_reqs or __ssl__.CERT_NONE
if ca_certs:
context.load_verify_locations(ca_certs)
if certfile:
context.load_cert_chain(certfile, keyfile)
if ciphers:
context.set_ciphers(ciphers)
caller_self = inspect.currentframe().f_back.f_locals['self']
return context._wrap_socket(sock, server_side=server_side, ssl_sock=caller_self)
if not hasattr(_ssl, 'sslwrap'):
_ssl.sslwrap = new_sslwrap |
|
Guys, a serious 👍 on this. Amazon issued a mandatory update on their Python 2.7 RPMs that seems to be backporting some of these things from 2.7.9. I can't tell what they updated, but it fails as above. Took me a long time to trace the issue to this, and to figure out they issued this auto-update directive. I assume there should be more people coming this way because of this. I'd be very grateful if you can prioritize this. |
|
LIkewise. I just got hit too. It appears Amazon has backported these to their 2.7 Python RPMs, even though everything claims it is still 2.7.8. SOOO annoying. |
|
There's some discussion going on python bug tracker whether to restore _sslwrap or not. |
|
@ellimilial I am not really a Python person, and I could not compile @Eugeny 's changes using cpython as they were. Did you make some adjustments on it to make it work? |
|
@alexcpsec I forked from yesterday's master and applied the changes, then installed with pip: https://gist.github.com/ellimilial/5ef1d1917e00970d4457 Compiled on fresh Ubuntu 14.04 (python 2.7.8-1), but problems with compiling after installing some oldish python packages (breaking after gevent.corecext.c). |
|
@ellimilial Thanks! I'll give it a try |
|
This just bit us as well. |
|
the problem already appeared on debian |
|
+1 |
|
So the problem is not only with 2.7.9 (and then backported to 2.7.8) added arguments to ssl.SSLSocket. Old definition was (gevent has still it): New one is: // if someone needs a hack for this, then just add those to constructor and ignore, code will work (but host verification would not) And as other already mentioned, that "briliant" idea is backported to 2.7.8 on debian/ubuntu, while is't not (yet?) on fedora 21 |
|
Eugeny, your snippet fixed things for me. Thanks! |
|
This has hit us, too. Do we think there will be a fix soon that doesn't require an application patch that will likely need removing when ssl or gevent or both get updated? I need to set the higher ups' expectations. |
|
Is this an expected side effect of the issue? I'm on Yosemite 10.10.1 with Python 2.7.9 and I get this error after a gevent monkey patch. |
|
@mtsgrd that's exactly what I was talking about. So, yes it's "known". |
|
And could someone share their thoughts on side-effects by solving the above this way? mtsgrd@ae03921 edit: I see @pigmej suggests host verification is turned off when modifying the |
|
I had this same issue, but was able to correct it by adding @Eugeny's fix as a custom |
|
@josegonzalez this hasn't affected our Heroku apps in my domain yet. Can you confirm you see it on Heroku? As of yesterday, I now see this issue on Travis. |
|
I definitely saw this on heroku when I commented here last, so I downgraded my python to 2.7.8 to have it work. |
SSL changes with Python 2.7.9 break SSL under gevent. gevent/gevent#477
|
@iElectric you sure that patch works? i applied it to gevent 1.0.1 and that results in does anybody have a fix for this? |
|
Could you paste the whole traceback? Thanks!
|
|
FYI there's a $130 bounty on urllib3 for what I believe was this bug, who would be the appropriate person to claim it? |
|
If one of you would like to submit a claim on Bountysource, I think you can describe the appropriate split and ask them to distribute the bounty accordingly. :) (Might need to send an email once a claim has been submitted.) Let me know if I can help! |
|
Thanks you guys! Really helped me out! |
Using gevent 1.0.1 results in issues when accessing https sources with python 2.7.9:
2015-10-12 20:22:54,826 - combine.reaper - INFO - Fetching inbound URLs
2015-10-12 20:23:00,659 - combine.reaper - ERROR - Request <grequests.AsyncRequest object at 0x3c960746bd0> failed: TypeError("__init__() got an unexpected keyword argument 'server_hostname'",)
2015-10-12 20:23:00,659 - combine.reaper - ERROR - Request <grequests.AsyncRequest object at 0x3c960756490> failed: TypeError("__init__() got an unexpected keyword argument 'server_hostname'",)
2015-10-12 20:23:00,676 - combine.reaper - INFO - Fetching outbound URLs
2015-10-12 20:23:12,284 - combine.reaper - ERROR - Request <grequests.AsyncRequest object at 0x3c960772810> failed: TypeError("__init__() got an unexpected keyword argument 'server_hostname'",)
2015-10-12 20:23:12,284 - combine.reaper - ERROR - Request <grequests.AsyncRequest object at 0x3c95fe63790> failed: TypeError("__init__() got an unexpected keyword argument 'server_hostname'",)
2015-10-12 20:23:12,284 - combine.reaper - ERROR - Request <grequests.AsyncRequest object at 0x3c95fe4add0> failed: TypeError("__init__() got an unexpected keyword argument 'server_hostname'",)
2015-10-12 20:23:12,300 - combine.reaper - INFO - Storing raw feeds in harvest.json
See gevent/gevent#477 for details.
|
I'm using python 2.7.10 and gevent 1.0.1 |
To fix error: NameError: name 'PROTOCOL_SSLv3' is not defined See gevent/gevent#477
To fix error: NameError: name 'PROTOCOL_SSLv3' is not defined See gevent/gevent#477
To fix error: NameError: name 'PROTOCOL_SSLv3' is not defined See gevent/gevent#477
To fix error: NameError: name 'PROTOCOL_SSLv3' is not defined See gevent/gevent#477
To fix error: NameError: name 'PROTOCOL_SSLv3' is not defined See gevent/gevent#477
To fix error: NameError: name 'PROTOCOL_SSLv3' is not defined See gevent/gevent#477
* Add 'ignore_basepython_conflict' option (gevent#477) tox provides a number of default factors - py27, py34, py35 etc. - that are tied to particular interpreter versions. It is possible to override these through individual sections or the global [testenv] section. For example, consider the following 'tox.ini' file: [tox] skipsdist = True minversion = 2.0 distribute = False envlist = py35,py27,pep8,py34-test [testenv] basepython = python3 install_command = pip install {opts} {packages} commands = python --version [testenv:py27] basepython = python2.7 Running any target except for 'py27' will result in the same interpreter being used. On Fedora 28 with the 'python3-tox' package: $ tox -qq -e py27 Python 2.7.15 $ tox -qq -e py35 Python 3.6.5 $ tox -qq -e py34-test Python 3.6.5 This is broken by design. Overriding these makes no sense and is a source of common misconfigurations, as noted in gevent#477. The only sane thing to do here is ignore the request and use the correct interpreter or raise a warning. There is merit to both approaches, so this functionality is exposed by way of a new global configuration option, 'ignore_basepython_conflict'.
and others
eventlet/eventlet#135
2.7.9 removed _sslwrap which means that the gevent ssl.py will fail.
The text was updated successfully, but these errors were encountered: