Not using pyOpenSSL on GAE Flexible environment seems to cause an infinite loop

[the-machinist]

Summary:

We use requests on a Google App Engine Flexible environment and saw an SSL-related infinite recursion occur after upgrading to 2.24.0. Reverting to 2.23.0 fixed it for now. Additionally, we were using eventlet and it seemed like we also had to replace eventlet with gevent.

Expected Result

Requests made over https work as normal

Actual Result

Traceback (most recent call last):
  File "/env/lib/python3.6/site-packages/flask/app.py", line 2446, in wsgi_app
    response = self.full_dispatch_request()
  File "/env/lib/python3.6/site-packages/flask/app.py", line 1951, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/env/lib/python3.6/site-packages/flask/app.py", line 1820, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/env/lib/python3.6/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/env/lib/python3.6/site-packages/flask/app.py", line 1949, in full_dispatch_request
    rv = self.dispatch_request()
  File "/env/lib/python3.6/site-packages/flask/app.py", line 1935, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/env/lib/python3.6/site-packages/requests/sessions.py", line 643, in send
    r = adapter.send(request, **kwargs)
  File "/env/lib/python3.6/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/env/lib/python3.6/site-packages/urllib3/connectionpool.py", line 677, in urlopen
    chunked=chunked,
  File "/env/lib/python3.6/site-packages/urllib3/connectionpool.py", line 381, in _make_request
    self._validate_conn(conn)
  File "/env/lib/python3.6/site-packages/urllib3/connectionpool.py", line 976, in _validate_conn
    conn.connect()
  File "/env/lib/python3.6/site-packages/urllib3/connection.py", line 344, in connect
    cert_reqs=resolve_cert_reqs(self.cert_reqs),
  File "/env/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 276, in create_urllib3_context
    context.options |= options
  File "/opt/python3.6/lib/python3.6/ssl.py", line 465, in options
    super(SSLContext, SSLContext).options.__set__(self, value)
  File "/opt/python3.6/lib/python3.6/ssl.py", line 465, in options
    super(SSLContext, SSLContext).options.__set__(self, value)
  File "/opt/python3.6/lib/python3.6/ssl.py", line 465, in options
    super(SSLContext, SSLContext).options.__set__(self, value)

Reproduction Steps

Add requests==2.24.0 to requirements.txt, and deploy a simple Flask app that makes a request using it

System Information

GAE Flexible Environment with Python 3

[nateprewitt]

Hi @the-machinist,

A change to how we import PyOpenSSL was made in 2.24.0 (#5443). We no longer prefer PyOpenSSL unless there isn't an available ssl library with SNI support from the base interpreter. There are a number of concerns about PyOpenSSL that have lead both Requests and urllib3 to deprioritize its usage.

Could you provide the output originally requested in this ticket with your environment and package setup? That'll help verify if we have an unexpected bug here. To get you unblocked in the meantime, you're still able to call urllib3.contrib.pyopenssl.inject_into_urllib3() to force injection of PyOpenSSL into your application.

[nateprewitt]

Resolving since we haven't received any further information.