-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Differences between standard SSL and Pyopenssl (ZeroReturnError, SysCallError) #367
Comments
Sounds sensible to me. @t-8ch, any thoughts? |
According to the pyOpenSSL docs For the Tbh I really dislike the the monkeypatching. Maybe we could add a |
@t-8ch Wouldn't that just be the same as providing a different implementation of HTTPSConnectionPool (or ConnectionCls within it)? I'm not a big fan of the monkeypatching either but I recall that it made the most sense at the time for some reason. |
The engine would only have to provide try:
ssl_engine = .packages.urllib3.contrib.pyopenssl.SSLEngine()
except ImportError:
ssl_engine = .packages.urllib3.ssl_engine.SSLEngine() |
Mmm I see what you mean. What about just passing around the An |
The SSLEngine = namedtuple('SSLEngine', ['wrap_socket', 'BaseSSLError']) It wouldn't really matter, but I think it clearer for the users when they use a proper object instead of a single function. |
I feel the contrary, that it's confusing to have a proper object which has no actual behaviour except containing a callable. It may as well just be the callable. The whole notion of an As for the exception, I feel that letting various implementations of What do you think, @Lukasa? |
Aha, you might find this relevant: a contributor to I think that doing the No strong objection though, it's an acceptable solution to the current problem. =) |
@Lukasa That's interesting indeed! @alekstorm Any chance you'd be interested in making that a standalone package that we can vendor into urllib3? Also wonder if there's any way we could further abstract the compatibility issues with Py2. |
@alekstorm Having the ssl compatibility interface be standalone would be a really excellent idea, actually. If you feel like doing it I'll happily write up some docs for it, including how to get the best-possible SSL support for a given platform (really difficult to do right on OS X). |
Sure, it would be my pleasure. I've gone ahead and registered the package as @Lukasa docs would be much appreciated; I've currently only got a minimal @shazow The whole requests/urllib3 family seems to be doing a lot of vendoring, and I'm curious what the advantages are (besides avoiding the general mess that is Python package distribution), just for my own edification. |
@alekstorm urllib3 generally only vendors Python 3 backports for compatibility purposes, you'll have to ask @kennethreitz for his reasons to vendor urllib3 and other libraries. Generally, non-vendored dependencies for libraries that are core to many other libraries exhibit a bunch of problems such as version conflicting, the inability for themselves to be vendored, etc. |
Got it, thanks. The urllib3 test suite now passes with @shazow, what are your conditions for pulling the trigger on vendoring it into urllib3? Should it pass the Python stdlib test suite (hard, but doable), or will you be satisfied with something else? Sorry to clog this issue with more noise; would you like me to open a separate one? |
@alekstorm Let's start with a PR which we can move the conversation to. I'm actually not familiar with the Python stdlib test suite--if it has stuff you think it should be passing, then yes please. If it's passing the urllib3 test suite, then I'm fairly happy with that too. |
Any progress on this? |
@lukas-gitl Since it's been 3 years since this was originally reported it may be useful to open up a new issue and then link to this issue if you're experiencing this. :) |
pyOpenSSL is deprecated and will be removed in future release version 2.x (#2691). |
We use urllib3 via requests with pyopenssl so we can have SNI support in python 2.7.3.
Since we switched, we've noticed more errors from requests. Specifically:
It seems like these should all be caught somehow in contrib/pyopenssl.py so at the requests level, we don't have to worry about pyopenssl being different than the standard ssl module.
Here's a few of the ideas I'm considering:
fileobject.read
, everywhere we are catchingWantReadError
also catchZeroReturnError
and make sure that data is an empty string and continuinginject_into_urllib3
, settingconnection.BaseSSLError = OpenSSL.SSL.Error
Based on my limited understanding of pyopenssl (and python's standard _ssl.c) I'm probably missing something in trying to unify these interfaces. If somebody with more familiarity with this stuff can point me in the right direction I can try to formalize this stuff into a pull request.
Here's a gist of how I started investigating the
ZeroReturnError
specifically: https://gist.github.com/mthurman/9963741The text was updated successfully, but these errors were encountered: