msg364074 - (view) |
Author: Dima Tisnek (Dima.Tisnek) * |
Date: 2020-03-13 04:07 |
Let's consider ssl error `291` (https://bugs.python.org/issue39951):
It was introduced into openssl 2 years ago: https://github.com/openssl/openssl/commit/358ffa05cd3a088822c7d06256bc87516d918798
The documentation states:
SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY:291:\
application data after close notify
The `ssl.h` header file contains:
# define SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY 291
The master branch of openssl contains this definition too:
https://github.com/openssl/openssl/blob/master/include/openssl/sslerr.h
# define SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY 291
But what does Python say?
ssl.SSLError: [SSL: KRB5_S_INIT] application data after close notify (_ssl.c:2629)
What's KRB5? It supposedly stands for Kerberos5, and it too is seemingly present in openssl header file:
/usr/local/Cellar/openssl/1.0.2s/include/openssl/ssl.h
2951:# define SSL_R_KRB5_S_INIT 291
Moreover, cpython source code contains a fallback, should this value not be defined:
https://github.com/python/cpython/blob/master/Modules/_ssl_data.h
#ifdef SSL_R_KRB5_S_INIT
{"KRB5_S_INIT", ERR_LIB_SSL, SSL_R_KRB5_S_INIT},
#else
{"KRB5_S_INIT", ERR_LIB_SSL, 291},
#endif
Thus, today, Python reports an error with wrong *label* but correct *text*:
[SSL: KRB5_S_INIT] application data after close notify
The label and text don't match each other, because... well... I guess that's why we should fix it :)
|
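Added example (not part of the original thread and not CPython's own code): a small checker that evaluates the `#ifdef`/`#else` table fragment quoted in msg364074 against the `SSL_R_*` defines of a given OpenSSL header and reports entries whose number now belongs to a different name. The inputs are constructed from the lines quoted above; the function names are hypothetical.

```python
import re

# Constructed inputs: one header line per OpenSSL version, as quoted in msg364074.
HEADER_1_0_2 = "# define SSL_R_KRB5_S_INIT 291\n"
HEADER_1_1_1 = "# define SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY 291\n"

# Table fragment in the shape of Modules/_ssl_data.h, as quoted in msg364074.
TABLE = """\
#ifdef SSL_R_KRB5_S_INIT
{"KRB5_S_INIT", ERR_LIB_SSL, SSL_R_KRB5_S_INIT},
#else
{"KRB5_S_INIT", ERR_LIB_SSL, 291},
#endif
"""

DEFINE = re.compile(r"^\s*#\s*define\s+(SSL_R_\w+)\s+(\d+)\s*$", re.M)
ENTRY = re.compile(r'\{"(\w+)",\s*(\w+),\s*(\w+)\}')

def parse_defines(header):
    """Map macro name -> reason number for every SSL_R_* define."""
    return {name: int(num) for name, num in DEFINE.findall(header)}

def preprocess(table, defines):
    """Evaluate flat (non-nested) #ifdef/#else/#endif blocks against the defines."""
    out, active = [], True
    for line in table.splitlines():
        s = line.strip()
        if s.startswith("#ifdef"):
            active = s.split()[1] in defines
        elif s.startswith("#else"):
            active = not active
        elif s.startswith("#endif"):
            active = True
        elif active:
            out.append(s)
    return out

def resolve(table, header):
    """Return {(library, reason_number): label} as the compiled table would hold it."""
    defines = parse_defines(header)
    result = {}
    for line in preprocess(table, defines):
        m = ENTRY.search(line)
        if m:
            label, lib, reason = m.groups()
            num = int(reason) if reason.isdigit() else defines[reason]
            result[(lib, num)] = label
    return result

def stale_labels(table, header):
    """Entries whose number the header assigns to a different SSL_R_* name."""
    by_num = {n: name[len("SSL_R_"):] for name, n in parse_defines(header).items()}
    return {key: (label, by_num[key[1]])
            for key, label in resolve(table, header).items()
            if key[0] == "ERR_LIB_SSL" and by_num.get(key[1], label) != label}
```

Against the 1.0.2 header the table is consistent; against the 1.1.1 header the `#else` fallback pins number 291 to the old label, which is the label/text mismatch reported above.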
msg366218 - (view) |
Author: Benjamin Peterson (benjamin.peterson) * |
Date: 2020-04-11 20:36 |
New changeset 3e0dd3730b5eff7e9ae6fb921aa77cd26efc9e3a by Benjamin Peterson in branch 'master':
closes bpo-39953: Update OpenSSL error codes table. (GH-19082)
https://github.com/python/cpython/commit/3e0dd3730b5eff7e9ae6fb921aa77cd26efc9e3a
|
msg366219 - (view) |
Author: miss-islington (miss-islington) |
Date: 2020-04-11 20:53 |
New changeset 2714c907df7cfe97911df6ce90364001270d9a43 by Miss Islington (bot) in branch '3.8':
closes bpo-39953: Update OpenSSL error codes table. (GH-19082)
https://github.com/python/cpython/commit/2714c907df7cfe97911df6ce90364001270d9a43
|
msg366229 - (view) |
Author: Hai Shi (shihai1991) * |
Date: 2020-04-12 08:43 |
Got some compile errors in the _ssl extension module in my VM after PR19082 was merged:
building '_ssl' extension
gcc -pthread -Wno-unused-result -Wsign-compare -g -Og -Wall -fPIC -I./Include -I. -I/usr/local/include -I/temp/shihai/cpython/Include -I/temp/shihai/cpython -c /temp/shihai/cpython/Modules/_ssl.c -o build/temp.linux-x86_64-3.9-pydebug/temp/shihai/cpython/Modules/_ssl.o
In file included from /temp/shihai/cpython/Modules/_ssl.c:136:
/temp/shihai/cpython/Modules/_ssl_data.h:6:15: error: ‘ERR_LIB_ASYNC’ undeclared here (not in a function); did you mean ‘ERR_LIB_ASN1’?
6 | {"ASYNC", ERR_LIB_ASYNC},
| ^~~~~~~~~~~~~
| ERR_LIB_ASN1
/temp/shihai/cpython/Modules/_ssl_data.h:13:12: error: ‘ERR_LIB_CT’ undeclared here (not in a function); did you mean ‘ERR_LIB_CMS’?
13 | {"CT", ERR_LIB_CT},
| ^~~~~~~~~~
| ERR_LIB_CMS
/temp/shihai/cpython/Modules/_ssl_data.h:19:13: error: ‘ERR_LIB_KDF’ undeclared here (not in a function); did you mean ‘ERR_LIB_BUF’?
19 | {"KDF", ERR_LIB_KDF},
| ^~~~~~~~~~~
| ERR_LIB_BUF
In file included from /temp/shihai/cpython/Modules/_ssl.c:136:
/temp/shihai/cpython/Modules/_ssl_data.h:598:28: warning: initialization of ‘int’ from ‘struct py_ssl_library_code *’ makes integer from pointer without a cast [-Wint-conversion]
598 | {"FAILED_TO_SET_POOL", ERR_LIB_ASYNC, 101},
| ^~~~~~~~~~~~~
/temp/shihai/cpython/Modules/_ssl_data.h:598:28: note: (near initialization for ‘error_codes[112].library’)
/temp/shihai/cpython/Modules/_ssl_data.h:598:28: error: initializer element is not constant
/temp/shihai/cpython/Modules/_ssl_data.h:598:28: note: (near initialization for ‘error_codes[112].library’)
/temp/shihai/cpython/Modules/_ssl_data.h:603:32: warning: initialization of ‘int’ from ‘struct py_ssl_library_code *’ makes integer from pointer without a cast [-Wint-conversion]
603 | {"FAILED_TO_SWAP_CONTEXT", ERR_LIB_ASYNC, 102},
|
msg366234 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2020-04-12 11:22 |
The PR broke backwards compatibility with OpenSSL 1.0.2 and LibreSSL. OpenSSL 1.1.x introduced new error codes or reused existing numbers for different error codes.
Although OpenSSL 1.0.2 has reached EOL we should keep Python 3.8 and 3.9 compatible with the API.
|
msg366261 - (view) |
Author: Benjamin Peterson (benjamin.peterson) * |
Date: 2020-04-12 18:37 |
Sorry, I thought I had tested with multissl.
On Sun, Apr 12, 2020, at 06:22, Christian Heimes wrote:
>
> Christian Heimes <lists@cheimes.de> added the comment:
>
> The PR broke backwards compatibility with OpenSSL 1.0.2 and LibreSSL.
> OpenSSL 1.1.x introduced new error codes or reused existing numbers for
> different error codes.
>
> Although OpenSSL 1.0.2 has reached EOL we should keep Python 3.8
> and 3.9 compatible with the API.
|
msg366262 - (view) |
Author: Benjamin Peterson (benjamin.peterson) * |
Date: 2020-04-12 18:59 |
New changeset 909b87d2bb3d6330d39c48e43f7f50f4d086cc41 by Benjamin Peterson in branch 'master':
closes bpo-39953: Generate ifdefs around library code definitions. (GH-19490)
https://github.com/python/cpython/commit/909b87d2bb3d6330d39c48e43f7f50f4d086cc41
|
msg366263 - (view) |
Author: miss-islington (miss-islington) |
Date: 2020-04-12 19:17 |
New changeset f35e7d3bb0488a15cbb45ff10f02be558a3777cd by Miss Islington (bot) in branch '3.8':
closes bpo-39953: Generate ifdefs around library code definitions. (GH-19490)
https://github.com/python/cpython/commit/f35e7d3bb0488a15cbb45ff10f02be558a3777cd
|
msg366318 - (view) |
Author: Anthony Sottile (Anthony Sottile) * |
Date: 2020-04-13 16:57 |
this is still broken even with the latest patch: https://bugs.python.org/issue40266
|
msg366346 - (view) |
Author: Christian Heimes (christian.heimes) * |
Date: 2020-04-13 22:54 |
Could you please give me a chance to review PRs for the SSL module?
Python is still failing to compile with OpenSSL 1.0.2 and LibreSSL. The new table also contains wrong values for LibreSSL and OpenSSL 1.0.2.
|
msg366358 - (view) |
Author: Benjamin Peterson (benjamin.peterson) * |
Date: 2020-04-14 02:51 |
On Mon, Apr 13, 2020, at 17:54, Christian Heimes wrote:
>
> Christian Heimes <lists@cheimes.de> added the comment:
>
> Could you please give me a chance to review PRs for the SSL module?
The original PR was open for 23 days before I merged it. I'm happy to hear feedback at any point during the lifetime of a change, though.
|
msg366359 - (view) |
Author: Benjamin Peterson (benjamin.peterson) * |
Date: 2020-04-14 03:11 |
New changeset 584a3cfda4d7a65ea0c1ea1ee541378bb7be46ca by Benjamin Peterson in branch 'master':
closes bpo-40266, closes bpo-39953: Use numeric lib code if compiling against old OpenSSL. (GH-19506)
https://github.com/python/cpython/commit/584a3cfda4d7a65ea0c1ea1ee541378bb7be46ca
|
msg366361 - (view) |
Author: miss-islington (miss-islington) |
Date: 2020-04-14 03:31 |
New changeset c496e29c2bd0c29327c93174d5a40d2dc5a09402 by Miss Islington (bot) in branch '3.8':
closes bpo-40266, closes bpo-39953: Use numeric lib code if compiling against old OpenSSL. (GH-19506)
https://github.com/python/cpython/commit/c496e29c2bd0c29327c93174d5a40d2dc5a09402
|
msg366511 - (view) |
Author: Michael Felt (Michael.Felt) * |
Date: 2020-04-15 13:17 |
Do I need to open a new issue?
This breaks building _ssl on AIX.
building '_ssl' extension
xlc_r -O -I./Include/internal -I/opt/aixtools/include -I./Include -I. -I/home/aixtools/python/cpython-master/Include -I/home/aixtools/python/cpython-master -c /home/aixtools/python/cpython-master/Modules/_ssl.c -o build/temp.aix-7200-1543-32-3.9-pydebug/home/aixtools/python/cpython-master/Modules/_ssl.o
"/home/aixtools/python/cpython-master/Modules/_ssl_data.h", line 650.28: 1506-045 (S) Undeclared identifier ERR_LIB_ASYNC.
"/home/aixtools/python/cpython-master/Modules/_ssl_data.h", line 1510.29: 1506-045 (S) Undeclared identifier ERR_LIB_CT.
"/home/aixtools/python/cpython-master/Modules/_ssl_data.h", line 2650.24: 1506-045 (S) Undeclared identifier ERR_LIB_KDF.
"/home/aixtools/python/cpython-master/Modules/_ssl.c", line 579.17: 1506-196 (W) Initialization between types "void*" and "struct _object*(*)(struct {...}*)" is not allowed.
commit 909b87d2bb3d6330d39c48e43f7f50f4d086cc41
Author: Benjamin Peterson <benjamin@python.org>
Date: Sun Apr 12 13:59:31 2020 -0500
closes bpo-39953: Generate ifdefs around library code definitions. (GH-19490)
commit 3e0dd3730b5eff7e9ae6fb921aa77cd26efc9e3a
Author: Benjamin Peterson <benjamin@python.org>
Date: Sat Apr 11 15:36:12 2020 -0500
closes bpo-39953: Update OpenSSL error codes table. (GH-19082)
I updated the error codes using the OpenSSL 1.1.1f source tree.
commit 173ad83b074b3bf0c9e86eb8bd101c2841f74297
Author: Antoine Pitrou <solipsis@pitrou.net>
Date: Sun Jan 18 17:39:32 2015 +0100
Issue #23248: Update ssl error codes from latest OpenSSL git master.
commit f7338f65fb8bdb85c52dc54d06d003a82a06bbb3
Author: Antoine Pitrou <solipsis@pitrou.net>
Date: Fri Jun 22 21:12:59 2012 +0200
Add forgotten files for #14837.
$
|
msg366513 - (view) |
Author: Michael Felt (Michael.Felt) * |
Date: 2020-04-15 13:23 |
Also checking with gcc: get the following messages:
Failed to build these modules:
_ssl
Could not build the ssl module!
Python requires an OpenSSL 1.0.2 or 1.1 compatible libssl with X509_VERIFY_PARAM_set1_host().
LibreSSL 2.6.4 and earlier do not provide the necessary APIs, https://github.com/libressl-portable/portable/issues/381
messages:
building '_ssl' extension
gcc -pthread -Wno-unused-result -Wsign-compare -g -Og -Wall -std=c99 -Wextra -Wno-unused-result -Wno-unused-parameter -Wno-missing-field-initializers -Werror=implicit-function-declaration -fvisibility=hidden -I./Include/internal -I/opt/aixtools/include -I./Include -I. -I/home/aixtools/python/cpython-master/Include -I/home/aixtools/python/cpython-master -c /home/aixtools/python/cpython-master/Modules/_ssl.c -o build/temp.aix-7200-1543-32-3.9-pydebug/home/aixtools/python/cpython-master/Modules/_ssl.o
In file included from /home/aixtools/python/cpython-master/Modules/_ssl.c:136:0:
/home/aixtools/python/cpython-master/Modules/_ssl_data.h:650:28: error: 'ERR_LIB_ASYNC' undeclared here (not in a function); did you mean 'ERR_LIB_ASN1'?
{"FAILED_TO_SET_POOL", ERR_LIB_ASYNC, 101},
^~~~~~~~~~~~~
ERR_LIB_ASN1
/home/aixtools/python/cpython-master/Modules/_ssl_data.h:1510:29: error: 'ERR_LIB_CT' undeclared here (not in a function); did you mean 'ERR_LIB_CMS'?
{"BASE64_DECODE_ERROR", ERR_LIB_CT, 108},
^~~~~~~~~~
ERR_LIB_CMS
/home/aixtools/python/cpython-master/Modules/_ssl_data.h:2650:24: error: 'ERR_LIB_KDF' undeclared here (not in a function); did you mean 'ERR_LIB_BUF'?
{"INVALID_DIGEST", ERR_LIB_KDF, 100},
^~~~~~~~~~~
ERR_LIB_BUF
|
msg366515 - (view) |
Author: Michael Felt (Michael.Felt) * |
Date: 2020-04-15 13:46 |
And when I use a standard OpenSSL library (on AIX):
building '_ssl' extension
gcc -pthread -Wno-unused-result -Wsign-compare -g -Og -Wall -std=c99 -Wextra -Wno-unused-result -Wno-unused-parameter -Wno-missing-field-initializers -Werror=implicit-function-declaration -fvisibility=hidden -I./Include/internal -I/opt/freeware/include -I./Include -I. -I/home/aixtools/python/cpython-master/Include -I/home/aixtools/python/cpython-master -c /home/aixtools/python/cpython-master/Modules/_ssl.c -o build/temp.aix-7200-1543-32-3.9-pydebug/home/aixtools/python/cpython-master/Modules/_ssl.o
Modules/ld_so_aix gcc -pthread -bI:Modules/python.exp build/temp.aix-7200-1543-32-3.9-pydebug/home/aixtools/python/cpython-master/Modules/_ssl.o -L/opt/freeware/lib -lssl -lcrypto -o build/lib.aix-7200-1543-32-3.9-pydebug/_ssl.so
ld: 0711-317 ERROR: Undefined symbol: .SSL_SESSION_get_ticket_lifetime_hint
ld: 0711-317 ERROR: Undefined symbol: .SSL_SESSION_has_ticket
ld: 0711-317 ERROR: Undefined symbol: .SSL_session_reused
ld: 0711-317 ERROR: Undefined symbol: .COMP_get_type
ld: 0711-317 ERROR: Undefined symbol: .SSL_is_init_finished
ld: 0711-317 ERROR: Undefined symbol: .SSL_CTX_get_options
ld: 0711-317 ERROR: Undefined symbol: .SSL_CTX_clear_options
ld: 0711-317 ERROR: Undefined symbol: .SSL_CTX_set_options
ld: 0711-317 ERROR: Undefined symbol: .SSL_CIPHER_is_aead
ld: 0711-317 ERROR: Undefined symbol: .SSL_CIPHER_get_cipher_nid
ld: 0711-317 ERROR: Undefined symbol: .SSL_CIPHER_get_digest_nid
ld: 0711-317 ERROR: Undefined symbol: .SSL_CIPHER_get_kx_nid
ld: 0711-317 ERROR: Undefined symbol: .SSL_CIPHER_get_auth_nid
ld: 0711-317 ERROR: Undefined symbol: .X509_STORE_get0_objects
ld: 0711-317 ERROR: Undefined symbol: .X509_OBJECT_get0_X509
ld: 0711-317 ERROR: Undefined symbol: .OPENSSL_sk_num
ld: 0711-317 ERROR: Undefined symbol: .OPENSSL_sk_value
ld: 0711-317 ERROR: Undefined symbol: .X509_OBJECT_get_type
ld: 0711-317 ERROR: Undefined symbol: .X509_NAME_ENTRY_set
ld: 0711-317 ERROR: Undefined symbol: .SSL_CTX_get_default_passwd_cb
ld: 0711-317 ERROR: Undefined symbol: .SSL_CTX_get_default_passwd_cb_userdata
ld: 0711-317 ERROR: Undefined symbol: .OpenSSL_version_num
ld: 0711-317 ERROR: Undefined symbol: .TLS_method
ld: 0711-317 ERROR: Undefined symbol: .TLS_client_method
ld: 0711-317 ERROR: Undefined symbol: .TLS_server_method
ld: 0711-317 ERROR: Undefined symbol: .BIO_up_ref
ld: 0711-317 ERROR: Undefined symbol: .OPENSSL_sk_pop_free
ld: 0711-317 ERROR: Undefined symbol: .X509_get_version
ld: 0711-317 ERROR: Undefined symbol: .X509_getm_notBefore
ld: 0711-317 ERROR: Undefined symbol: .X509_getm_notAfter
ld: 0711-317 ERROR: Undefined symbol: .OpenSSL_version
ld: 0711-345 Use the -bloadmap or -bnoquiet option to obtain more information.
$ lslpp -L | grep openssl
aixtools.openssl.rte 1.0.2.16 C F aixtools openssl 27-Aug-2018
openssl.base 1.0.1.515 CE F Open Secure Socket Layer
openssl.man.en_US 1.0.1.515 C F Open Secure Socket Layer
openssl 1.1.0g-1withsslv2 C R Secure Sockets Layer and
openssl-devel 1.1.0g-1withsslv2 C R Secure Sockets Layer and
+++ FYI +++
IBM AIX used some strange version numbers: 1.0.1.515 is actually an OpenSSL 1.0.2 ABI version.
The "aixtools" fileset is 1.0.2p (p == 16th character of alphabet).
In any case - the test for X509_VERIFY_PARAM_set1_host() has been passing.
|
msg366527 - (view) |
Author: SilentGhost (SilentGhost) * |
Date: 2020-04-15 15:53 |
Michael, could you try with the latest fix in 584a3cfda4?
|
msg366553 - (view) |
Author: Michael Felt (Michael.Felt) * |
Date: 2020-04-15 20:36 |
I did update, and saw that there was one more patch applied.
I think that fixed the define issues, but there may be a new concern. Ran out of time to document it today.
Will post tomorrow.
> On 15 Apr 2020, at 17:53, SilentGhost <report@bugs.python.org> wrote:
>
>
> SilentGhost <ghost.adh@runbox.com> added the comment:
>
> Michael, could you try with the latest fix in 584a3cfda4?
|
msg366596 - (view) |
Author: Michael Felt (Michael.Felt) * |
Date: 2020-04-16 13:35 |
Checked with latest version - and working as expected. Sorry for the noise.
On 15/04/2020 17:53, SilentGhost wrote:
> SilentGhost <ghost.adh@runbox.com> added the comment:
>
> Michael, could you try with the latest fix in 584a3cfda4?
|
Date | User | Action | Args |
2022-04-11 14:59:28 | admin | set | github: 84134 |
2020-04-16 13:35:40 | Michael.Felt | set | messages: + msg366596 |
2020-04-15 20:36:10 | Michael.Felt | set | messages: + msg366553 |
2020-04-15 15:53:32 | SilentGhost | set | nosy: + SilentGhost; messages: + msg366527 |
2020-04-15 13:46:44 | Michael.Felt | set | messages: + msg366515 |
2020-04-15 13:23:00 | Michael.Felt | set | messages: + msg366513 |
2020-04-15 13:17:50 | Michael.Felt | set | nosy: + Michael.Felt; messages: + msg366511 |
2020-04-14 03:31:25 | miss-islington | set | messages: + msg366361 |
2020-04-14 03:12:08 | miss-islington | set | pull_requests: + pull_request18859 |
2020-04-14 03:11:51 | benjamin.peterson | set | status: open -> closed; resolution: fixed; messages: + msg366359; stage: patch review -> resolved |
2020-04-14 02:51:58 | benjamin.peterson | set | messages: + msg366358 |
2020-04-13 22:54:07 | christian.heimes | set | status: closed -> open; type: compile error; messages: + msg366346; resolution: fixed -> (no value); stage: resolved -> patch review |
2020-04-13 16:57:56 | Anthony Sottile | set | nosy: + Anthony Sottile; messages: + msg366318 |
2020-04-13 06:13:30 | SilentGhost | link | issue40266 superseder |
2020-04-12 19:17:38 | miss-islington | set | messages: + msg366263 |
2020-04-12 18:59:47 | miss-islington | set | pull_requests: + pull_request18843 |
2020-04-12 18:59:34 | benjamin.peterson | set | status: open -> closed; resolution: fixed; messages: + msg366262; stage: patch review -> resolved |
2020-04-12 18:40:02 | benjamin.peterson | set | stage: resolved -> patch review; pull_requests: + pull_request18842 |
2020-04-12 18:37:39 | benjamin.peterson | set | messages: + msg366261 |
2020-04-12 11:22:13 | christian.heimes | set | status: closed -> open; priority: normal -> release blocker; nosy: + lukasz.langa; messages: + msg366234; resolution: fixed -> (no value) |
2020-04-12 08:43:10 | shihai1991 | set | nosy: + shihai1991; messages: + msg366229 |
2020-04-11 20:53:06 | miss-islington | set | messages: + msg366219 |
2020-04-11 20:36:27 | miss-islington | set | nosy: + miss-islington; pull_requests: + pull_request18832 |
2020-04-11 20:36:18 | benjamin.peterson | set | status: open -> closed; resolution: fixed; messages: + msg366218; stage: patch review -> resolved |
2020-03-19 23:37:48 | benjamin.peterson | set | keywords: + patch; nosy: + benjamin.peterson; pull_requests: + pull_request18441; stage: patch review |
2020-03-13 11:43:19 | eamanu | set | nosy: + eamanu |
2020-03-13 09:02:52 | serhiy.storchaka | set | nosy: + janssen, christian.heimes, alex, dstufft |
2020-03-13 04:07:50 | Dima.Tisnek | create | |