ssl broken on Debian (and derivatives), as of python 2.7.8-12

[csillag]

In v2.7.8-12 of the Debian python suit, which was released 3 days ago, they added a patch, which, according to the changelog, "Allow building and testing without SSLv3 support"

In fact it removes many of the SSLv3-related constants, including ROTOCOL_SSLv3, which make gevent fail with a message similar to this:

  File "<whatever>/h/local/lib/python2.7/site-packages/gevent/ssl.py", line 386, in <module>
    def get_server_certificate(addr, ssl_version=PROTOCOL_SSLv3, ca_certs=None):
NameError: name 'PROTOCOL_SSLv3' is not defined

One could argue that it's not nice for a distribution to haphazardly remove constants that are still there in the upstream version, but these things happen, so... maybe gevent could do something about this?
(Like, maybe, move to 'PROTOCOL_SSLv23' instead?)

[csillag]

(Like, maybe, move to 'PROTOCOL_SSLv23' instead?)

I mean here and here.

[tilgovi]

Python itself recently changed the default for this keyword arg: http://bugs.python.org/issue20896
Meanwhile, let the record show that I think Debian is doing a dumb thing by removing a public, documented constant from the standard library in a patch release.

[FedericoCeratto]

Related to https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770276 and https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770157

Also see urllib3/urllib3#487 (comment)
ssl.PROTOCOL_SSLv3 is being removed due to the POODLE vulnerability: https://access.redhat.com/articles/1232123

[csillag]

Yeah. And the fix they proposed is the same one I am suggesting.
(btw, I think the title of the bug misses the root cause: it's the the upgrade of openssl package, but the upgrade of python package that caused this.)

[Starefossen]

Ok, thanks a lot for fixing this issue, but we need a new version with this fix in. Any ETA on v1.0.2 @denik or @Ivoz?

[csillag]

Any ETA on v1.0.2 @denik or @Ivoz?

+1

[bastianlb]

Any ETA on v1.0.2 @denik or @Ivoz?

+1

[pcdinh]

@denik It is time for a new release. Lots of people are waiting for it

[AxelVoitier]

Yes, please!

This bug is biting anyone using gevent in a docker container using the official image for python, as it uses a debian image as a base...

[aleksandr-vin]

I'm too on the waiting list, guys!

[dbrgn]

+1 here

[pedrudehuere]

+1 here

[lmanolov]

+1

[telbizov]

+1 here as well.

Jessie is now the Debian stable release as of a week ago. Just upgraded to it and my gevent based server experiences this problem.

Is there an ETA on releasing this in pip ?

[baljanak]

+1

[jonblack]

It drives me nuts all these "me too" posts. I want to know when this is fixed, hence I'm subscribed, but I really don't need to be notified every time someone waves their hands frantically in the air because they want it fixed.

[dbrgn]

The "+1" comments show to the maintainer that this is really an issue that affects a lot of people.

If people would use something like Zenhub they could +1 without commenting, thus solving that issue.

[tilgovi]

It's maybe worth asking if anyone knows @denik and whether they are okay. It's been five months since the last commit on master and since December that they last had any public activity on GitHub.

Is @denik okay?
Does the project need help from additional maintainers?

[ghost]

Hey,

Agreed, we really need a release to fix these SSL issues, and really need
to know if the project is still maintained and/or need maintainers...

Please revert.

Thanks.

2015-05-06 16:49 GMT+02:00 Randall Leeds notifications@github.com:

It's maybe worth asking if anyone knows @denik https://github.com/denik
and whether they are okay. It's been five months since the last commit on
master and since December that they last had any public activity on GitHub.

Is @denik https://github.com/denik okay?
Does the project need help from additional maintainers?

—
Reply to this email directly or view it on GitHub
#513 (comment).

[jamadden]

@tilgovi I exchanged emails with @denik on the subject of additional maintainers yesterday. I don't want to put words in anybody's mouth or quote out of context, though.

[tilgovi]

@jamadden that's great to hear. Thank you. I was beginning to be less worried about the project as I was about @denik :).