Traceback "ENGINE Error in HTTPServer.tick" with unaccepted SSL/TLS connections #820

Closed
sanderjo opened this issue Feb 14, 2017 · 7 comments
@sanderjo
Contributor

sanderjo commented Feb 14, 2017

SABnzbd 1.2.1Beta1 / Python 2.7.12 / Ubuntu 16.10

TL;DR: SABnzbd gives a Traceback in case of a problem with an incoming SSL/TLS connection. I would prefer an informing log line.

Disclaimer: I'm assuming it's OK that SAB refuses these connections, but I'm not sure

As soon as testssl.sh starts testing SABnzbd's HTTPS, SABnzbd spits out a lot (200!) of SSL error Tracebacks. See below.

ENGINE Error in HTTPServer.tick Traceback (most recent call last):
followed by
SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:590)
or
SSLError: [SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:590)

How relevant is this? This does happen too when normal HTTPS clients connect to SABnzbd's HTTPS. See https://forums.sabnzbd.org/viewtopic.php?f=2&t=22369&p=110844 and maybe https://forums.sabnzbd.org/viewtopic.php?f=3&t=22425&p=110821 (different message)

I think the Tracebacks are too alarming. I think it would be better if there was just an informing message in sabnzbd.log (INFO or DEBUG)

2017-02-14 07:39:59,421::ERROR::[_cplogging:219] [14/Feb/2017:07:39:59] ENGINE Error in HTTPServer.tick
Traceback (most recent call last):
  File "/usr/share/sabnzbdplus/cherrypy/wsgiserver/__init__.py", line 2024, in start
    self.tick()
  File "/usr/share/sabnzbdplus/cherrypy/wsgiserver/__init__.py", line 2091, in tick
    s, ssl_env = self.ssl_adapter.wrap(s)
  File "/usr/share/sabnzbdplus/cherrypy/wsgiserver/ssl_builtin.py", line 67, in wrap
    server_side=True)
  File "/usr/lib/python2.7/ssl.py", line 353, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/ssl.py", line 601, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 830, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:590)

and

2017-02-14 07:39:59,475::ERROR::[_cplogging:219] [14/Feb/2017:07:39:59] ENGINE Error in HTTPServer.tick
Traceback (most recent call last):
  File "/usr/share/sabnzbdplus/cherrypy/wsgiserver/__init__.py", line 2024, in start
    self.tick()
  File "/usr/share/sabnzbdplus/cherrypy/wsgiserver/__init__.py", line 2091, in tick
    s, ssl_env = self.ssl_adapter.wrap(s)
  File "/usr/share/sabnzbdplus/cherrypy/wsgiserver/ssl_builtin.py", line 67, in wrap
    server_side=True)
  File "/usr/lib/python2.7/ssl.py", line 353, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/ssl.py", line 601, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 830, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:590)

@sanderjo sanderjo changed the title Traceback "ENGINE Error in HTTPServer.tick" with strange SSL/TLS connections Traceback "ENGINE Error in HTTPServer.tick" with unaccepted SSL/TLS connections Feb 14, 2017
@Safihre
Member

Safihre commented Feb 14, 2017

@sanderjo can you test the new branch:
bugfix/ssl_catch

@Safihre Safihre added this to the 1.2.1 milestone Feb 14, 2017
@sanderjo
Contributor Author

sanderjo commented Feb 14, 2017

The traceback on SAB's side is easy to reproduce:

NB: SABnzbd 1.2.1Beta1. NOT the new branch!!

Client side code:

import socket
import ssl

# SET VARIABLES
packet, reply = "<packet>SOME_DATA</packet>", ""
HOST, PORT = '127.0.0.1', 9090

# CREATE SOCKET
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(10)

# WRAP SOCKET: force TLSv1 and an anonymous DH cipher the server does not offer,
# so the handshake fails with "no shared cipher" on the server side
wrappedSocket = ssl.wrap_socket(sock, ssl_version=ssl.PROTOCOL_TLSv1, ciphers="ADH-AES256-SHA")

# CONNECT AND PRINT REPLY (the handshake runs inside connect())
wrappedSocket.connect((HOST, PORT))
wrappedSocket.send(packet)
print(wrappedSocket.recv(1280))

# CLOSE SOCKET CONNECTION
wrappedSocket.close()

Client reports:

$ python python_specific_cypher.py 
Traceback (most recent call last):
  File "python_specific_cypher.py", line 16, in <module>
    wrappedSocket.connect((HOST, PORT))
  File "/usr/lib/python2.7/ssl.py", line 866, in connect
    self._real_connect(addr, False)
  File "/usr/lib/python2.7/ssl.py", line 857, in _real_connect
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 830, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:590)

SAB's traceback:

2017-02-14 08:02:21,549::ERROR::[_cplogging:219] [14/Feb/2017:08:02:21] ENGINE Error in HTTPServer.tick
Traceback (most recent call last):
  File "/usr/share/sabnzbdplus/cherrypy/wsgiserver/__init__.py", line 2024, in start
    self.tick()
  File "/usr/share/sabnzbdplus/cherrypy/wsgiserver/__init__.py", line 2091, in tick
    s, ssl_env = self.ssl_adapter.wrap(s)
  File "/usr/share/sabnzbdplus/cherrypy/wsgiserver/ssl_builtin.py", line 67, in wrap
    server_side=True)
  File "/usr/lib/python2.7/ssl.py", line 353, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/ssl.py", line 601, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 830, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:590)

Sander

@sanderjo
Contributor Author

FWIW: Tested with SABnzbd 1.1.1 and testssl.sh: server-side (=SABnzbd): 0 errors / messages.

(SABnzbd 1.2.0 gives the same error messages as SABnzbd 1.2.1Beta1)

BRB with the branch test.

FWIW: Statistics from sabnzbd.log after a few testssl.sh runs:

$ cat .sabnzbd/logs/sabnzbd.log | grep SSLError | sort | uniq -c
      4 SSLError: [SSL: CCS_RECEIVED_EARLY] ccs received early (_ssl.c:590)
      1 SSLError: [SSL: INAPPROPRIATE_FALLBACK] inappropriate fallback (_ssl.c:590)
    885 SSLError: [SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:590)
    110 SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:590)

@sanderjo
Contributor Author

sanderjo commented Feb 14, 2017

Tested "remotes/origin/bugfix/ssl_catch" against testssl.sh: no traceback, no other errors in SABnzbd.

Well done @Safihre

So ... close this issue?

@sanderjo
Contributor Author

sanderjo commented Feb 21, 2017

With the current git version of origin/1.2.x, while testing SAB with testssl.sh, SABnzbd's stdout says several times:

2017-02-21 20:52:28,914::ERROR::[_cplogging:219] [21/Feb/2017:20:52:28] ENGINE Error in HTTPServer.tick
Traceback (most recent call last):
  File "/home/sander/git/sab-19feb2017/cherrypy/wsgiserver/__init__.py", line 2024, in start
    self.tick()
  File "/home/sander/git/sab-19feb2017/cherrypy/wsgiserver/__init__.py", line 2091, in tick
    s, ssl_env = self.ssl_adapter.wrap(s)
  File "/home/sander/git/sab-19feb2017/cherrypy/wsgiserver/ssl_builtin.py", line 67, in wrap
    server_side=True)
  File "/usr/lib/python2.7/ssl.py", line 363, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/ssl.py", line 611, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 840, in do_handshake
    self._sslobj.do_handshake()
SSLError: [SSL] unknown error (_ssl.c:661)

"unknown error" ... ? I added that to cherrypy/wsgiserver/ssl_builtin.py:

                # Check if it's one of the known errors
                # Errors that are caught by PyOpenSSL, but thrown by built-in ssl
                _block_errors = ('unknown protocol', 'unknown ca', 'unknown_ca',
                                 'inappropriate fallback', 'wrong version number', 'unknown error',
                                 'no shared cipher', 'certificate unknown', 'ccs received early')

... and the SAB tracebacks are gone.

BUT ... is it OK to ignore 'unknown error'?
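Added example (not code from SABnzbd or CherryPy) showing the server-side pattern this thread converges on: a wrap step that turns the expected negotiation failures listed above into a single INFO log line, returns None so the caller drops the connection, and still re-raises any other SSLError so genuine bugs keep their traceback. `RejectingContext` is a constructed stand-in for `ssl.SSLContext` so the block runs without a certificate or a live client.

```python
import logging
import ssl

log = logging.getLogger('tls-handshake')

# Handshake failures that only mean the client could not negotiate a session.
# The strings are the ones this issue lists for cherrypy's ssl_builtin.
EXPECTED_HANDSHAKE_ERRORS = (
    'unknown protocol', 'unknown ca', 'unknown_ca',
    'inappropriate fallback', 'wrong version number', 'unknown error',
    'no shared cipher', 'certificate unknown', 'ccs received early',
)


def is_expected_handshake_error(exc):
    """True when the ssl.SSLError text matches a known negotiation failure."""
    text = str(exc).lower()
    return any(reason in text for reason in EXPECTED_HANDSHAKE_ERRORS)


def wrap_server_socket(context, sock, peer='?'):
    """Wrap an accepted TCP socket; return the TLS socket, or None when the
    client failed to negotiate. Expected failures become one INFO line,
    anything else propagates so real bugs still surface as tracebacks."""
    try:
        return context.wrap_socket(sock, server_side=True)
    except ssl.SSLError as exc:
        if not is_expected_handshake_error(exc):
            raise
        log.info('rejected TLS handshake from %s: %s', peer,
                 getattr(exc, 'reason', None) or exc)
        return None


class RejectingContext(object):
    """Constructed stand-in for ssl.SSLContext whose handshake always fails
    with the given reason text (lets wrap_server_socket run offline)."""
    def __init__(self, reason_text):
        self.reason_text = reason_text

    def wrap_socket(self, sock, server_side=False):
        raise ssl.SSLError(1, self.reason_text)


if __name__ == '__main__':
    logging.basicConfig(level=logging.INFO)
    ctx = RejectingContext('[SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:590)')
    print(wrap_server_socket(ctx, None, peer='127.0.0.1'))  # None, plus one INFO line
```

In a real server the caller closes the raw socket when None comes back; the substring match is deliberately loose because the built-in ssl module only exposes the OpenSSL reason as text.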

@Safihre
Member

Safihre commented Feb 21, 2017

Seems fine to me. Nothing we can do really if the connection can't be established.

@thezoggy
Contributor

thezoggy commented Feb 21, 2017

@sanderjo @Safihre http://recollection.saaj.me/article/cherrypy-questions-testing-ssl-and-docker.html

ssl_builtin doesn’t handle underlying ssl module exceptions correctly, as the log was flooded by exceptions originating mostly from do_handshake()

http://recollection.saaj.me/article/cherrypy-questions-testing-ssl-and-docker.html#problem

webknjaz added a commit to cherrypy/cheroot that referenced this issue Jun 18, 2017
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Jul 19, 2017
v5.7.0
======

- CI improvements:
  * Don't run tests during deploy stage
  * Use VM based build job env only for pyenv envs
  * Opt-in for beta trusty image @ Travis CI
  * Be verbose when running tests (show test names)
  * Show xfail/skip details during test run

- #34: Fix ``_handle_no_ssl`` error handler calls

- #21: Fix ``test_conn`` tests:
  * Improve setup_server def in HTTP connection tests
  * Fix HTTP streaming tests
  * Fix HTTP/1.1 pipelining test under Python 3
  * Fix ``test_readall_or_close`` test
  * Fix ``test_No_Message_Body``
  * Clarify ``test_598`` fail reason

- #36: Add GitHub templates for PR, issue && contributing

- #27: Default HTTP Server header to Cheroot version str

- Cleanup _compat functions from server module

v5.6.0
======

- Fix all PEP 257 related errors in all non-test modules.

  ``cheroot/test/*`` folder is only one left allowed to fail with this linter.

- #30: Optimize chunked body reader loop by returning empty data if the size is 0.

  Ref: cherrypy/cherrypy#1602

- Reset buffer if the body size is unknown

  Ref: cherrypy/cherrypy#1486

- Add missing size hint to SizeCheckWrapper

  Ref: cherrypy/cherrypy#1131

v5.5.2
======

- #32: Ignore "unknown error" and "https proxy request" SSL errors.

  Ref: sabnzbd/sabnzbd#820

  Ref: sabnzbd/sabnzbd#860

v5.5.1
======

- Make Appveyor list separate tests in corresponding tab.

- #29: Configure Travis CI build stages.

  Prioritize tests by stages.

  Move deploy stage to be run very last after all other stages finish.

- #31: Ignore "Protocol wrong type for socket" (EPROTOTYPE) @ OSX for non-blocking sockets.

  This was originally fixed for regular sockets in cherrypy/cherrypy#1392.

  Ref: https://forums.sabnzbd.org/viewtopic.php?f=2&t=22728&p=112251

v5.5.0
======

- #17 via #25: Instead of a read_headers function, cheroot now
  supplies a HeaderReader class to perform the same function.

  Any HTTPRequest object may override the header_reader attribute
  to customize the handling of incoming headers.

  The server module also presents a provisional implementation of
  a DropUnderscoreHeaderReader that will exclude any headers
  containing an underscore. It remains an exercise for the
  implementer to demonstrate how this functionality might be
  employed in a server such as CherryPy.

- #26: Configured TravisCI to run tests under OS X.