ssl broken on Debian (and derivatives), as of python 2.7.8-12 #513

Closed
csillag opened this Issue Nov 20, 2014 · 21 comments

csillag commented Nov 20, 2014

In v2.7.8-12 of the Debian python suite, which was released 3 days ago, they added a patch, which, according to the changelog, "Allow building and testing without SSLv3 support".

In fact it removes many of the SSLv3-related constants, including PROTOCOL_SSLv3, which makes gevent fail with a message similar to this:

  File "<whatever>/h/local/lib/python2.7/site-packages/gevent/ssl.py", line 386, in <module>
    def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv3, ca_certs=None):
NameError: name 'PROTOCOL_SSLv3' is not defined

One could argue that it's not nice for a distribution to haphazardly remove constants that are still there in the upstream version, but these things happen, so... maybe gevent could do something about this?
(Like, maybe, move to 'PROTOCOL_SSLv23' instead?)
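
Added example, not part of the original report and not gevent's code: the NameError above arises because PROTOCOL_SSLv3 is named in a default argument, which Python evaluates when the module is imported. The code below looks the constant up at call time and prefers the version-negotiating constants; the function names and the two namespaces standing in for ssl builds are constructed for illustration.

```python
import ssl
import types

# Constants that let the handshake negotiate the best shared version,
# newest name first. PROTOCOL_SSLv3 is deliberately absent from this list.
NEGOTIATING = ("PROTOCOL_TLS_CLIENT", "PROTOCOL_TLS", "PROTOCOL_SSLv23")


def default_protocol(ssl_module=ssl):
    """Return the name of the first negotiating constant this build defines."""
    for name in NEGOTIATING:
        if hasattr(ssl_module, name):
            return name
    raise RuntimeError("ssl build defines no version-negotiating protocol")


def resolve_protocol(requested=None, ssl_module=ssl):
    """Look the constant up at call time, not in a def-time default argument.

    A name the build lacks (PROTOCOL_SSLv3 on the patched package) raises
    ValueError for that one call instead of a NameError at import.
    """
    name = requested or default_protocol(ssl_module)
    try:
        return name, getattr(ssl_module, name)
    except AttributeError:
        raise ValueError("%s is not available in this ssl build" % name)


def legacy_off_mask(ssl_module=ssl):
    """OR together the OP_NO_SSLv2/OP_NO_SSLv3 bits the build exposes."""
    mask = 0
    for name in ("OP_NO_SSLv2", "OP_NO_SSLv3"):
        mask |= int(getattr(ssl_module, name, 0))
    return mask


# Constructed stand-ins for two ssl builds (sample values, hypothetical).
UPSTREAM = types.SimpleNamespace(
    PROTOCOL_SSLv3=1, PROTOCOL_SSLv23=2,
    OP_NO_SSLv2=0x01000000, OP_NO_SSLv3=0x02000000)
# Assumed for illustration: every SSLv3-specific name has been removed.
PATCHED = types.SimpleNamespace(PROTOCOL_SSLv23=2, OP_NO_SSLv2=0x01000000)
```
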

csillag referenced this issue Nov 20, 2014: SSLv3 problem #1704 (Closed)

csillag commented Nov 21, 2014

(Like, maybe, move to 'PROTOCOL_SSLv23' instead?)

I mean here and here.

tilgovi commented Nov 21, 2014

Python itself recently changed the default for this keyword arg: http://bugs.python.org/issue20896
Meanwhile, let the record show that I think Debian is doing a dumb thing by removing a public, documented constant from the standard library in a patch release.

@FedericoCeratto

csillag commented Nov 21, 2014

Yeah. And the fix they proposed is the same one I am suggesting.
(btw, I think the title of the bug misses the root cause: it's not the upgrade of openssl package, but the upgrade of python package that caused this.)

@denik denik closed this in #517 Dec 9, 2014

theY4Kman added a commit to hivelocity/gevent that referenced this issue Jan 19, 2015

Starefossen commented Mar 4, 2015

Ok, thanks a lot for fixing this issue, but we need a new version with this fix in. Any ETA on v1.0.2 @denik or @Ivoz?

csillag commented Mar 25, 2015

Any ETA on v1.0.2 @denik or @Ivoz?

+1

bastianl commented Mar 26, 2015

Any ETA on v1.0.2 @denik or @Ivoz?

+1

pcdinh commented Apr 3, 2015

@denik It is time for a new release. Lots of people are waiting for it

AxelVoitier commented Apr 24, 2015

Yes, please!

This bug is biting anyone using gevent in a docker container using the official image for python, as it uses a debian image as a base...

aleksandr-vin commented Apr 27, 2015

I'm on the waiting list too, guys!

dbrgn commented Apr 28, 2015

+1 here

pedrudehuere commented Apr 28, 2015

+1 here

lmanolov commented May 5, 2015

+1

telbizov commented May 5, 2015

+1 here as well.

Jessie is now the Debian stable release as of a week ago. Just upgraded to it and my gevent based server experiences this problem.

Is there an ETA on releasing this in pip?

baljanak commented May 6, 2015

+1

jonblack commented May 6, 2015

It drives me nuts all these "me too" posts. I want to know when this is fixed, hence I'm subscribed, but I really don't need to be notified every time someone waves their hands frantically in the air because they want it fixed.

dbrgn commented May 6, 2015

The "+1" comments show to the maintainer that this is really an issue that affects a lot of people.

If people would use something like Zenhub they could +1 without commenting, thus solving that issue.

tilgovi commented May 6, 2015

It's maybe worth asking if anyone knows @denik and whether they are okay. It's been five months since the last commit on master and since December that they last had any public activity on GitHub.

Is @denik okay?
Does the project need help from additional maintainers?

ghost commented May 6, 2015

Hey,

Agreed, we really need a release to fix these SSL issues, and really need
to know if the project is still maintained and/or need maintainers...

Please revert.

Thanks.

2015-05-06 16:49 GMT+02:00 Randall Leeds notifications@github.com:

It's maybe worth asking if anyone knows @denik https://github.com/denik
and whether they are okay. It's been five months since the last commit on
master and since December that they last had any public activity on GitHub.

Is @denik https://github.com/denik okay?
Does the project need help from additional maintainers?



jamadden commented May 6, 2015

@tilgovi I exchanged emails with @denik on the subject of additional maintainers yesterday. I don't want to put words in anybody's mouth or quote out of context, though.

tilgovi commented May 6, 2015

@jamadden that's great to hear. Thank you. I was beginning to be less worried about the project as I was about @denik :).

slamora added a commit to glic3rinu/confine-controller that referenced this issue Jun 11, 2015

Upgrade to gevent==1.0.2 that drops unsecure SSLv3.
Python 2.7.9 in Debian is built without support for SSLv3. As this
constant is unavailable, previous versions of gevent fail on these
systems.
gevent/gevent#513

slamora added a commit to glic3rinu/confine-controller that referenced this issue Jun 17, 2015

Upgrade to gevent==1.0.2 that drops unsecure SSLv3.
Python 2.7.9 in Debian is built without support for SSLv3. As this
constant is unavailable, previous versions of gevent fail on these
systems.
gevent/gevent#513

sylvain-garancher added a commit to syleam/odoo that referenced this issue Jul 22, 2015

[FIX] Upgrade gevent to 1.0.2, that drops unsecure SSLv3
gevent 1.0.1 cannot be built on last Debian versions
gevent/gevent#513