classification
Title: [httplib] httplib.BadStatusLine on any HTTPS connection in certain unknown cases.
Type: behavior Stage: test needed
Components: Windows Versions: Python 2.7
process
Status: pending Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: BreamoreBoy, Michal.Zimen, demian.brecht, jcea, jtr51, loewis
Priority: normal Keywords:

Created on 2012-06-16 01:52 by jtr51, last changed 2017-03-12 21:43 by martin.panter.

Files
File name Uploaded Description Edit
ssltest.py jtr51, 2012-06-16 01:52 Script + Traceback + Curl command
_ssl.zip jtr51, 2012-06-16 16:47
Messages (5)
msg162947 - (view) Author: George Stephanos (jtr51) Date: 2012-06-16 01:52
When trying to POST /anything/ @ https://grooveshark.com/, I get an httplib.BadStatusLine exception (server returns nothing at all. It's a timeout since it waits a while).

The many Grooveshark webclients however works perfectly, along with a curl command (run through cygwin, commented out in the script) that does the exact same. Meaning this weird behavior is exclusive to Python.

This issue was found to be present on many Windows systems. However, not all (all the systems have Python 2.7.2). I'm not sure what the difference is, and I'm not sure if this is a Python bug, but this is the only place I could think of to discuss the behavior. The only Linux system I've tested this on worked (again, Python 2.7.2).
Note: If it fails on one system, it never succeeds no matter how much you try.

The code *used* to work yesterday and it's been working for many months. Grooveshark might have changed something but this doesn't make any sense since curl works.

Please try to reproduce this. I can provide any testing details needed.
A script containing the code to test with is attached, along with the curl line and a BadStatusLine traceback.

Excuse my complete ignorance on the inner workings of SSL and my weak English skills (second language).
msg162955 - (view) Author: Martin v. Löwis (loewis) * (Python committer) Date: 2012-06-16 06:38
I can reproduce this, and it seems to stem from the openssl version used (0.9.8l). Running openssl s_client -connect grooveshark.com:443 with 0.9.8l gives

CONNECTED(00000003)
depth=3 /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
22456:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
22456:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:697:
22456:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad signature:s3_clnt.c:1448:

With 1.0.1c, it gives


CONNECTED(00000003)
depth=3 L = ValiCert Validation Network, O = "ValiCert, Inc.", OU = ValiCert Class 2 Policy Validation Authority, CN = http://www.valicert.com/, emailAddress = info@valicert.com
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=FL/L=Gainesville/O=Grooveshark/CN=*.grooveshark.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
 3 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
---
Server certificate
...

i.e. the connection gets established.

The next bug fix release of Python 2.7 will include OpenSSL 0.9.8x, which is the latest OpenSSL 0.9.8 bug fix. It still shows the error in connecting, so I wonder whether this is a bug that just doesn't get fixed for 0.9.8, or whether it's a bug in the server (that 1.0.1 somehow avoids).
msg162978 - (view) Author: George Stephanos (jtr51) Date: 2012-06-16 16:47
I can confirm that. I built a 1.0.1c version of both _ssl.pyd and _ssl.lib  and now the problem's solved (they're attached if ever needed). Thanks!
Can't the next Python 2.7 release include 1.0.1c instead ?
msg165785 - (view) Author: Michal Zimen (Michal.Zimen) Date: 2012-07-18 15:45
I can confirm similar behaviour in RHEL 6.3 with python 2.6.6.
This exception with the same https request has random behaviour.
msg224262 - (view) Author: Mark Lawrence (BreamoreBoy) * Date: 2014-07-29 22:04
Can you please retest with Python 2.7.8 as this has an updated version of openssl.
History
Date User Action Args
2017-03-12 21:43:43martin.pantersetstatus: open -> pending
resolution: fixed
stage: test needed
2014-07-30 19:44:45demian.brechtsetnosy: + demian.brecht
2014-07-29 22:04:19BreamoreBoysetnosy: + BreamoreBoy
messages: + msg224262
2012-07-18 15:45:23Michal.Zimensetnosy: + Michal.Zimen
messages: + msg165785
2012-06-17 15:58:33jceasetnosy: + jcea
2012-06-16 16:47:19jtr51setfiles: + _ssl.zip

messages: + msg162978
2012-06-16 06:38:06loewissetnosy: + loewis
messages: + msg162955
2012-06-16 01:52:08jtr51create