LibreSSL is lacking host and IP verify parameters #381
Comments
Thanks for the heads up - LibreSSL was forked from OpenSSL 1.0.1 and we do not guarantee that we will fully implement later OpenSSL APIs. That said, the OpenSSL 1.0.2 functions that you mention have come up before and we'll take another look at those. Re OpenSSL 1.1.x and Python 3.8/3.9, are you suggesting that Python is planning on dropping support for OpenSSL 1.0.x even though there is still no LTS release of OpenSSL 1.1 (the current release is only supported until 2018-08-31)? Presumably this is also likely to be heading towards December 2019 (3.8) or June 2021 (3.9)?
CPython development has very few resources to work on ssl. Our current approach to verify hostnames and IP addresses has multiple issues. OpenSSL 1.0.2 reaches EOL about the same time 3.9.0 is scheduled to release. We haven't decided a release date yet; the final will probably be released between December 2019 and February 2020. OpenSSL 1.0.2 support ends 2019-12-31. Unless there are very compelling reasons, it doesn't make sense to hold back features and increase our maintenance burden. I'm willing to keep the basic features of Python's ssl module compatible with LibreSSL -- if and only if LibreSSL is kept fully compatible with required OpenSSL APIs. Hostname verification is such a feature. Some advanced features like env var are already documented as not supported when Python is compiled with LibreSSL. Could you please clarify your backwards compatibility statement on https://www.libressl.org/ ? It says
but that's no longer true. LibreSSL's libssl is no longer compatible with any supported OpenSSL version.
After some discussion on the Python core developer list, I have decided to require OpenSSL 1.0.2 APIs. Every core developer in the discussion was in favor of using the new APIs. Python 3.7.0 beta1 will not be compatible with OpenSSL <= 1.0.1 or LibreSSL <= 2.6.4. Incompatibility with LibreSSL is only temporary. I have implemented additional autoconf rules to test for required features and I'll keep all LibreSSL quirks. Python 3.7 will regain compatibility with LibreSSL as soon as you release a version which implements all required features.

OpenSSL recommends the API

The

X509_VERIFY_PARAM_set1_host resolves several Python issues

Python had multiple security issues just caused by incorrect or
Looks like server name verification in LibreSSL is handled by libtls and servername is set via
@yan12125 libtls is a completely different beast - it has hostname verification enabled and required by default. You have to go out of your way to disable it, if you really want to do that. In comparison, as far as I know even with OpenSSL 1.1 you still have to explicitly request and enable hostname verification. @tiran for a long time we've provided the X509_check_* functionality - it is just the X509_VERIFY_PARAM_* functions that were not currently available. While OpenSSL "strongly advise" to use this interface, there is no reason that code cannot implement the same functionality via the existing API (and I fully understand Python wanting to remove its own verification code) (and there appears to be about twice as many pieces of software using the X509_check_* interface as the X509_VERIFY_PARAM_* one). I have just exposed the requested X509_VERIFY_PARAM_* functions, along with some others that are in the OpenSSL 1.0.2 API. If there is further functionality that you need, please let us know.
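What the X509_VERIFY_PARAM_set1_host / set1_ip requirement discussed above looks like from the Python side. This is an added example, not code from the LibreSSL or CPython projects: it uses only the public `ssl` module API of Python 3.7+, where name matching is no longer done in Python but handed to the TLS library via those two functions. The helper names (`hardened_client_context`, `audit_context`, and so on) are this example's own. Everything runs offline, because the checks it demonstrates happen before any handshake starts, so no server and no certificates are needed.

```python
"""Added example (not CPython or LibreSSL code): how Python 3.7+ hands
hostname / IP verification to libssl, and how to audit an SSLContext for
the settings that switch that verification off."""
import socket
import ssl


def hardened_client_context():
    """Client context with name verification configured the 3.7+ way.

    create_default_context() already sets check_hostname=True and
    verify_mode=CERT_REQUIRED; the assignments make the intent explicit.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ssl.HAS_NEVER_CHECK_COMMON_NAME:
        # X509_CHECK_FLAG_NEVER_CHECK_SUBJECT: match subjectAltName entries
        # only, never fall back to the subject CN. Builds against a libssl
        # without that flag report HAS_NEVER_CHECK_COMMON_NAME == False and
        # do not expose the attribute at all.
        ctx.hostname_checks_common_name = False
    return ctx


def weakened_client_context():
    """What 'just make the TLS error go away' usually looks like."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must come first because of the interlock
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return the settings on ctx that disable or weaken peer verification."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: a valid certificate for any name "
                        "is accepted, so a MITM only needs some trusted cert")
    if ssl.HAS_NEVER_CHECK_COMMON_NAME and ctx.hostname_checks_common_name:
        findings.append("hostname_checks_common_name=True: subject CN fallback "
                        "is still enabled")
    return findings


def disabling_verify_mode_is_rejected(ctx):
    """With check_hostname=True, verify_mode=CERT_NONE raises ValueError.

    The interlock exists because a name match against an unverified
    certificate proves nothing; ctx is left unchanged.
    """
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


def missing_server_hostname_is_rejected(ctx):
    """wrap_socket() without server_hostname raises ValueError when
    check_hostname is set: there is no name to hand to
    X509_VERIFY_PARAM_set1_host, so no handshake is started."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            ctx.wrap_socket(sock, server_hostname=None)
        except ValueError:
            return True
    return False


def ip_literal_is_accepted(ctx, ip="127.0.0.1"):
    """An IP literal is a valid server_hostname since 3.7; it is routed to
    X509_VERIFY_PARAM_set1_ip and matched against iPAddress SAN entries
    (no SNI is sent for it). wrap_bio() builds the SSLObject on in-memory
    BIOs, so nothing is connected."""
    obj = ctx.wrap_bio(ssl.MemoryBIO(), ssl.MemoryBIO(), server_hostname=ip)
    return obj.server_hostname == ip


if __name__ == "__main__":
    ctx = hardened_client_context()
    print("findings on hardened context:", audit_context(ctx))
    print("CERT_NONE rejected:", disabling_verify_mode_is_rejected(ctx))
    print("missing server_hostname rejected:",
          missing_server_hostname_is_rejected(ctx))
    print("IP literal accepted:", ip_literal_is_accepted(ctx))
    print("findings on weakened context:", audit_context(weakened_client_context()))
```

The audit is the part worth keeping: a context with `check_hostname=False` still "verifies" the chain, so connections succeed and nothing in the logs looks wrong, yet any certificate a public CA would issue to anyone passes. That is exactly the class of bug the move from Python-side matching to `X509_VERIFY_PARAM_set1_host` was meant to make harder to write.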
For now, we are stuck with Python 3.6.8 because of an incompatibility with SSL:

```
Could not build the ssl module!
Python requires an OpenSSL 1.0.2 or 1.1 compatible libssl with X509_VERIFY_PARAM_set1_host().
LibreSSL 2.6.4 and earlier do not provide the necessary APIs, libressl/portable#381
```

* Compile Python with --enabled-shared on GNU/Linux too;
* Display the SKIP envar only if set.
Cross-compiled Python can't find SSL symbols, so the _ssl module gets disabled. This makes it impossible to use pip in build-wheels.sh. When building Python, make prints at the end:

```
/usr/bin/arm-linux-gnueabihf-gcc -pthread -shared -L/usr/arm-linux-gnueabihf/lib -L/usr/arm-linux-gnueabihf/lib -L/usr/arm-linux-gnueabihf/lib -I/usr/arm-linux-gnueabihf/include -I/usr/arm-linux-gnueabihf/include build/temp.linux-armv7l-3.7/tmp/tmp.SLba1rC4Nx/cpython-3.7.6/Modules/_ctypes/_ctypes.o build/temp.linux-armv7l-3.7/tmp/tmp.SLba1rC4Nx/cpython-3.7.6/Modules/_ctypes/callbacks.o build/temp.linux-armv7l-3.7/tmp/tmp.SLba1rC4Nx/cpython-3.7.6/Modules/_ctypes/callproc.o build/temp.linux-armv7l-3.7/tmp/tmp.SLba1rC4Nx/cpython-3.7.6/Modules/_ctypes/stgdict.o build/temp.linux-armv7l-3.7/tmp/tmp.SLba1rC4Nx/cpython-3.7.6/Modules/_ctypes/cfield.o -L/usr/arm-linux-gnueabihf/lib -L/usr/lib/arm-linux-gnueabihf -L/usr/local/lib -lffi -ldl -o build/lib.linux-armv7l-3.7/_ctypes.cpython-37m-arm-linux-gnueabihf.so
*** WARNING: renaming "_ssl" since importing it failed: build/lib.linux-armv7l-3.7/_ssl.cpython-37m-arm-linux-gnueabihf.so: undefined symbol: sk_pop_free
*** WARNING: renaming "_hashlib" since importing it failed: build/lib.linux-armv7l-3.7/_hashlib.cpython-37m-arm-linux-gnueabihf.so: undefined symbol: HMAC_CTX_init

Python build finished successfully!
The necessary bits to build these optional modules were not found:
_bz2 _curses _curses_panel _dbm _gdbm _lzma _sqlite3 _tkinter _uuid readline
To find the necessary bits, look in setup.py in detect_modules() for the module's name.

The following modules found by detect_modules() in setup.py, have been built by the Makefile instead, as configured by the Setup files:
_abc atexit pwd time

Following modules built successfully but were removed because they could not be imported:
_hashlib _ssl

Could not build the ssl module!
Python requires an OpenSSL 1.0.2 or 1.1 compatible libssl with X509_VERIFY_PARAM_set1_host().
LibreSSL 2.6.4 and earlier do not provide the necessary APIs, libressl/portable#381
```

Comparing armv6 with armv7, I found the following differences:

```
docker run --rm -it -v C:/github/vosk-api:/io dtreskunov/vosk-api-build:linux-armv6.s1 bash -c "nm -g /opt/python/cp37-cp37m/lib/python3.7/lib-dynload/_ssl*.so $CROSS_ROOT/lib/*ssl.so| grep sk_pop_free"
U sk_pop_free
U OPENSSL_sk_pop_free@@OPENSSL_1_1_0

docker run --rm -it -v C:/github/vosk-api:/io dtreskunov/vosk-api-build:linux-armv7.s1 bash -c "nm -g /opt/python/cp37-cp37m/lib/python3.7/lib-dynload/_ssl*.so $CROSS_ROOT/lib/*ssl.so| grep sk_pop_free"
U OPENSSL_sk_pop_free@@OPENSSL_1_1_0
U OPENSSL_sk_pop_free@@OPENSSL_1_1_0

docker run --rm -it -v C:/github/vosk-api:/io dtreskunov/vosk-api-build:linux-armv6.s1 bash -c "echo $LD"
/usr/bin/arm-linux-gnueabihf-ld

docker run --rm -it -v C:/github/vosk-api:/io dtreskunov/vosk-api-build:linux-armv7.s1 bash -c "echo $LD"
/usr/xcc/armv7-unknown-linux-gnueabi/bin/armv7-unknown-linux-gnueabi-ld
```
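The nm comparison in the report above is the right diagnostic, and it can be automated. The following is an added example, not code from the issue, from CPython or from the vosk-api build scripts: it parses `nm -g` output for the extension and for the library, reports undefined symbols the library does not export, and recognises the fingerprint of a header/library mismatch: OpenSSL 1.1.0 renamed the `sk_*` functions to `OPENSSL_sk_*`, replaced `HMAC_CTX_init`/`HMAC_CTX_cleanup` with `HMAC_CTX_new`/`HMAC_CTX_free`, and versions its exports with the `OPENSSL_1_1_0` node. An `_ssl.so` that still imports the old names was compiled against 1.0.x headers and can never resolve against a 1.1.x library, whatever the linker path says. The sample listings are constructed for this example (simplified from the issue's two-file output: the library side shows libcrypto's exports rather than libssl's own imports), and the rename table covers only a handful of well-known symbols.

```python
"""Added example (not code from the issue or from CPython): cross-check an
extension module's undefined symbols against a libcrypto's exports and flag
a 1.0.x-headers / 1.1.x-library mismatch."""
import re

# nm -g line: optional address, one-letter symbol type, name[@[@]version]
NM_LINE = re.compile(r"^\s*(?:[0-9a-fA-F]+\s+)?([A-Za-z?])\s+(\S+)\s*$")

# A few 1.0.x-only names and their 1.1.x replacements (partial table; the
# full list is in the OpenSSL 1.1.0 changelog).
RENAMED_IN_1_1 = {
    "HMAC_CTX_init": "HMAC_CTX_new",
    "HMAC_CTX_cleanup": "HMAC_CTX_free",
    "EVP_MD_CTX_create": "EVP_MD_CTX_new",
    "EVP_MD_CTX_destroy": "EVP_MD_CTX_free",
    "SSL_library_init": "OPENSSL_init_ssl",
}
DEFINED_TYPES = set("TWDBRVi")   # nm types that count as an export

# Constructed sample: what the armv6 _ssl.so from the issue imports (the two
# names from its "undefined symbol" warnings plus one that resolves fine).
ARMV6_EXT_NM = """\
         U sk_pop_free
         U HMAC_CTX_init
         U X509_VERIFY_PARAM_set1_host
00001234 T PyInit__ssl
"""
# Constructed sample: the 1.1.x libcrypto in the sysroot.
LIBCRYPTO_11_NM = """\
00056780 T OPENSSL_sk_pop_free@@OPENSSL_1_1_0
00056790 T HMAC_CTX_new@@OPENSSL_1_1_0
000567a0 T X509_VERIFY_PARAM_set1_host@@OPENSSL_1_1_0
"""
# Constructed sample: the armv7 _ssl.so, built against matching 1.1.x headers.
ARMV7_EXT_NM = """\
         U OPENSSL_sk_pop_free@@OPENSSL_1_1_0
         U HMAC_CTX_new@@OPENSSL_1_1_0
         U X509_VERIFY_PARAM_set1_host@@OPENSSL_1_1_0
00001234 T PyInit__ssl
"""


def parse_nm(text):
    """Yield (type, name, version) for every symbol line of nm -g output."""
    for line in text.splitlines():
        m = NM_LINE.match(line)
        if not m:
            continue                      # file headers, blank lines
        sym_type, full = m.groups()
        name, _, version = full.partition("@")
        yield sym_type, name, version.lstrip("@")


def diagnose(extension_nm, library_nm):
    """Cross-check the extension's U symbols against the library's exports."""
    undefined = {n for t, n, _ in parse_nm(extension_nm) if t == "U"}
    exports = {n for t, n, _ in parse_nm(library_nm) if t in DEFINED_TYPES}
    versions = {v for _, _, v in parse_nm(library_nm) if v}

    unresolved = sorted(undefined - exports)
    hints = {}
    for name in unresolved:
        if name.startswith("sk_"):
            hints[name] = "renamed to OPENSSL_%s in OpenSSL 1.1.0" % name
        elif name in RENAMED_IN_1_1:
            hints[name] = "replaced by %s in OpenSSL 1.1.0" % RENAMED_IN_1_1[name]
        else:
            hints[name] = "not exported by the library"

    old_abi_refs = [n for n in unresolved
                    if n.startswith("sk_") or n in RENAMED_IN_1_1]
    # Old names imported + a 1.1 version node exported = the object was
    # compiled against 1.0.x headers but is being linked to a 1.1.x library.
    mismatch = bool(old_abi_refs) and any(v.startswith("OPENSSL_1_1")
                                          for v in versions)
    return {
        "unresolved": unresolved,
        "hints": hints,
        "library_versions": sorted(versions),
        "header_library_mismatch": mismatch,
    }


if __name__ == "__main__":
    for label, ext in (("armv6", ARMV6_EXT_NM), ("armv7", ARMV7_EXT_NM)):
        print(label, diagnose(ext, LIBCRYPTO_11_NM))
```

Running it on the constructed armv6 listing reports `sk_pop_free` and `HMAC_CTX_init` as unresolved with rename hints and sets `header_library_mismatch`, which points at the fix (rebuild against the headers that belong to the sysroot's libcrypto) rather than at the linker flags the two toolchains differ in.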
During RHEL7 build on pp64 I got the following error:

> Could not build the ssl module!
> Python requires an OpenSSL 1.0.2 or 1.1 compatible libssl with X509_VERIFY_PARAM_set1_host().
> LibreSSL 2.6.4 and earlier do not provide the necessary APIs, libressl/portable#381

Explicitly add /opt/at14/lib64 or /opt/at14/lib otherwise python can't find the correct openssl on RHEL7.

Signed-off-by: Lucas A. M. Magalhaes <lamm@linux.ibm.com>
I just ran into this problem after installing python3.9.1 on my Coral Dev Board. I created a virtual environment but now pip doesn't work; I can't even upgrade it and I can't install any packages. Then after installing and creating the venv, I get this when trying to add packages:

and:

`(.venv) mendel@xenial-tang:~$ pip install opencv-contrib-python`

Is there a fix for this?
LibreSSL is not OpenSSL 1.0.2 compatible. It's lacking X509 verify parameters to verify hostname or IP address during TLS handshake. Python 3.7 will require a fully OpenSSL 1.0.2 compatible API and the X509 verify parameter functions to work.
https://www.openssl.org/docs/man1.0.2/crypto/X509_VERIFY_PARAM_set1_host.html
PS: You may want to start introducing OpenSSL 1.1.0 compatibility, too. Either Python 3.8 or 3.9 will require a fully OpenSSL 1.1 compatible API.