cryptography and OpenSSL 1.0.2p #4691

Closed
eric-nok opened this issue Jan 15, 2019 · 4 comments

eric-nok commented Jan 15, 2019

I'm trying to get cryptography and paramiko working on a Raspberry Pi. Using cryptography 2.3.1, OpenSSL 1.0.2p, and paramiko 2.4.2 to open an SSH connection gives the error:

cryptography.exceptions.UnsupportedAlgorithm: Backend object does not support secp256r1.

Is this expected with OpenSSL 1.0.2p?

Versions of Python, cryptography, cffi, pip, and setuptools you're using

Python: 3.6.1
cryptography: 2.3.1
cffi: 1.11.5
pip: 18.1
setuptools: 36.0.1
openssl: 1.0.2p

Running on Raspberry Pi 3+ with Raspbian Stretch and the Berryconda 2.0.0 distribution.

How you installed cryptography

Installed the Berryconda distribution.

Clear steps for reproducing your bug

Installed Berryconda; pip installed paramiko; ran:

import paramiko
t = paramiko.Transport(("127.0.0.1", 22))
t.connect(username="pi", password=<password>)

This gives error:

Unknown exception: Backend object does not support secp256r1.
Traceback (most recent call last):
  File "/home/producer/berryconda3/lib/python3.6/site-packages/paramiko/transport.py", line 2010, in run
    self._handler_table[ptype](self, m)
  File "/home/producer/berryconda3/lib/python3.6/site-packages/paramiko/transport.py", line 2126, in _negotiate_keys
    self.kex_engine.start_kex()
  File "/home/producer/berryconda3/lib/python3.6/site-packages/paramiko/kex_ecdh_nist.py", line 32, in start_kex
    self._generate_key_pair()
  File "/home/producer/berryconda3/lib/python3.6/site-packages/paramiko/kex_ecdh_nist.py", line 53, in _generate_key_pair
    self.P = ec.generate_private_key(self.curve, default_backend())
  File "/home/producer/berryconda3/lib/python3.6/site-packages/cryptography/hazmat/primitives/asymmetric/ec.py", line 287, in generate_private_key
    return backend.generate_elliptic_curve_private_key(curve)
  File "/home/producer/berryconda3/lib/python3.6/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1346, in generate_elliptic_curve_private_key
    _Reasons.UNSUPPORTED_ELLIPTIC_CURVE
cryptography.exceptions.UnsupportedAlgorithm: Backend object does not support secp256r1.

eric-nok commented Jan 15, 2019

I also tried running pip install -U cryptography to install version 2.4.2. The error is:

Unknown exception: /home/producer/berryconda3/lib/python3.6/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so: undefined symbol: OPENSSL_sk_num
Traceback (most recent call last):
  File "/home/producer/berryconda3/lib/python3.6/site-packages/paramiko/transport.py", line 2010, in run
    self._handler_table[ptype](self, m)
  File "/home/producer/berryconda3/lib/python3.6/site-packages/paramiko/transport.py", line 2126, in _negotiate_keys
    self.kex_engine.start_kex()
  File "/home/producer/berryconda3/lib/python3.6/site-packages/paramiko/kex_ecdh_nist.py", line 32, in start_kex
    self._generate_key_pair()
  File "/home/producer/berryconda3/lib/python3.6/site-packages/paramiko/kex_ecdh_nist.py", line 53, in _generate_key_pair
    self.P = ec.generate_private_key(self.curve, default_backend())
  File "/home/producer/berryconda3/lib/python3.6/site-packages/cryptography/hazmat/backends/__init__.py", line 15, in default_backend
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/home/producer/berryconda3/lib/python3.6/site-packages/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
    from cryptography.hazmat.backends.openssl.backend import backend
  File "/home/producer/berryconda3/lib/python3.6/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 62, in <module>
    from cryptography.hazmat.bindings.openssl import binding
  File "/home/producer/berryconda3/lib/python3.6/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 14, in <module>
    from cryptography.hazmat.bindings._openssl import ffi, lib
ImportError: /home/producer/berryconda3/lib/python3.6/site-packages/cryptography/hazmat/bindings/_openssl.abi3.so: undefined symbol: OPENSSL_sk_num

@reaperhulk
Member

Conda installs its own OpenSSL and links Python against it. When installing a Python package like cryptography we reuse the compiler flags that were used to build Python so the second error is likely due to a mismatch between the header files it is seeing in your include path and the library it is attempting to link against in your linker path.

We don't package cryptography for anything outside of pip itself so I'm not sure what's going on with the conda package. Looking at berryconda's OpenSSL config (https://github.com/jjhelmus/berryconda/blob/master/recipes/openssl/build.sh#L5) there's nothing special so secp256r1 should be available.

@eric-nok
Author

Thank you for the pointers, @reaperhulk. The issue has been resolved with an updated berryconda OpenSSL build jjhelmus/berryconda#58

schors commented Jun 29, 2020

Sorry. I have a solution to this problem. Actually, it's a py-cryptography library build stage problem. This error occurs when two conditions are satisfied. The first is OpenSSL 1.1.0 or greater in the system, so the build utils prefer that. The second is the header file "openssl/objects.h" from a version older than 1.1.0, so the build utils prefer this file. "OBJ_cleanup" was deprecated in OpenSSL 1.1.0. The py-cryptography build process matches "openssl/objects.h" and objects.py (somewhere inside the source code tree) to collect the binding's symbols. So ooops... It is required to explicitly set the header file path. Like this:
CFLAGS="-I/opt/openssl/include" pip3 install -U cryptography
or this
LDFLAGS="-L/opt/openssl/lib -Wl,-rpath,/opt/openssl/lib" CFLAGS="-I/opt/openssl/include" pip3 install -U cryptography
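
The header/library mismatch described in the two comments above can be checked before building. This is an added example, not code from the thread or from the cryptography project: it reads `OPENSSL_VERSION_NUMBER` from the text of `openssl/opensslv.h` and reports whether headers and library fall on opposite sides of the 1.1.0 API change. The function names and the sample header excerpts are constructed for illustration, and the parser assumes the pre-3.0 header layout.

```python
import re
import ssl

# Added illustration; all names here are hypothetical, not project APIs.
# OPENSSL_VERSION_NUMBER layout before OpenSSL 3.0: 0xMNNFFPPS
# (major, minor, fix, patch letter, status nibble).
_DEFINE = re.compile(
    r"^\s*#\s*define\s+OPENSSL_VERSION_NUMBER\s+0x([0-9a-fA-F]+)L?", re.M
)
V110 = 0x10100000  # lowest version number belonging to the 1.1.0 API


def header_version(opensslv_h: str) -> int:
    """Return OPENSSL_VERSION_NUMBER from the text of openssl/opensslv.h."""
    m = _DEFINE.search(opensslv_h)
    if m is None:
        raise ValueError("OPENSSL_VERSION_NUMBER not found in header text")
    return int(m.group(1), 16)


def describe(number: int) -> str:
    """Render a pre-3.0 version number as text, e.g. '1.0.2p'."""
    major, minor, fix = number >> 28, (number >> 20) & 0xFF, (number >> 12) & 0xFF
    patch = (number >> 4) & 0xFF
    # Patch 1..26 maps to a..z; anything else is left without a letter.
    letter = chr(ord("a") + patch - 1) if 1 <= patch <= 26 else ""
    return f"{major}.{minor}.{fix}{letter}"


def straddles_110(header_number: int, library_number: int) -> bool:
    """True when headers and library sit on opposite sides of 1.1.0."""
    return (header_number >= V110) != (library_number >= V110)


# Constructed header excerpts (not taken from any system in the thread).
HEADER_102P = "# define OPENSSL_VERSION_NUMBER  0x1000210fL\n"
HEADER_110 = "# define OPENSSL_VERSION_NUMBER  0x1010000fL\n"

if __name__ == "__main__":
    lib = ssl.OPENSSL_VERSION_NUMBER  # OpenSSL this Python is linked against
    for text in (HEADER_102P, HEADER_110):
        hdr = header_version(text)
        verdict = "MISMATCH" if straddles_110(hdr, lib) else "ok"
        print(f"headers {describe(hdr)} vs library {ssl.OPENSSL_VERSION}: {verdict}")
```

To check a real build environment, pass the contents of the `opensslv.h` found under the include directory given in `CFLAGS` to `header_version`.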

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 28, 2020