Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

Add check for ssl.CertificateError in netutil.py #704

Merged
merged 1 commit into from

3 participants

@chrislea

Rather annoyingly, in the python2.7.x that ships with the soon to be released Ubuntu Raring, they seem to have backported ssl.match_hostname from python3.2+, but they did not backport ssl.CertificateError. This causes a check in netutil.py to not do what it's expected to do. This is just a trivial add to make it work.

@bdarnell
Owner

Raring isn't released yet, so I'm comfortable calling this an ubuntu bug. ssl.match_hostname is documented as raising ssl.CertificateError; ubuntu is in error by introducing a function with the same name as a standard one but different behavior.

What does it raise instead of ssl.CertificateError? Where do ubuntu's backports live? (this isn't the first time ubuntu has hacked up the ssl module in nonstandard ways that break things)

@chrislea

Oh, I'd certainly wager this is a Debian and/or Ubuntu problem. But it's also likely that this will end up in the actual release, so without tweaking the tornado code, it won't work properly if you just drop the tornado directory on the PYTHONPATH and start working on Raring when it comes out.

I'm not sure what they did with the backport specifically. I just fired up an EC2 instance with the newest Raring beta, and manually checked for the attributes. ssl.match_hostname is there, but ssl.CertificateError isn't.

The source for python2.7 in Raring is here. It looks like they may have pulled the sources from Debian experimental here. Finally, here's a build log that failed on Raring when the tests couldn't run cleanly. It dies with "AttributeError: 'module' object has no attribute 'CertificateError'".

@chrislea

Very specifically, what I did to test was:

ubuntu@domU-12-31-39-02-EC-E5:~$ lsb_release -c
Codename:   raring
ubuntu@domU-12-31-39-02-EC-E5:~$ python
Python 2.7.4rc1 (default, Mar 30 2013, 15:38:53)
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> if hasattr(ssl, 'match_hostname'):
...     print "Yup, got match_hostname"
...
Yup, got match_hostname
>>> if hasattr(ssl, 'CertificateError'):
...     print "Yup, got CertificateError"
...
>>>

There's a ssl.match_hostname.diff in debian/patches for the python2.7 source package. It looks to be identical to what Tornado does if that hasattr check fails, but for some reason the attribute isn't there all the same.

@bdarnell
Owner

Can you link to the ubuntu bug report for this? Raring isn't released yet so we should at least give them the opportunity to fix it (or queue it up for a post-release patch) before we start working around their bugs. If they're using the same code it looks like their backport may just be broken, and raise a NameError whenever it tries to raise a CertificateError.

@bdarnell
Owner

Cool, thanks for filing that upstream. It looks like they've got a fix in the pipeline now, but since the betas are out there and I'm going to do a Tornado 3.0.1 I'll merge this patch too.

@bdarnell bdarnell merged commit d42ccf0 into from
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on Mar 29, 2013
  1. @chrislea
This page is out of date. Refresh to see the latest.
Showing with 1 addition and 1 deletion.
  1. +1 −1  tornado/netutil.py
View
2  tornado/netutil.py
@@ -321,7 +321,7 @@ def ssl_wrap_socket(socket, ssl_options, server_hostname=None, **kwargs):
else:
return ssl.wrap_socket(socket, **dict(context, **kwargs))
-if hasattr(ssl, 'match_hostname'): # python 3.2+
+if hasattr(ssl, 'match_hostname') and hasattr(ssl, 'CertificateError'): # python 3.2+
ssl_match_hostname = ssl.match_hostname
SSLCertificateError = ssl.CertificateError
else:
Something went wrong with that request. Please try again.