
Python: SSL Hell

I was having a hard time getting SSL to work with gevent on Python 2.6. It turns out I had two problems.

The first resulted in this error message:
SSLError: [Errno 336265218] _ssl.c:337: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
It turned out to be a permissions issue. I ran "cat" on the file, and it turned out that I didn't have access to it:
cat: /etc/mycompany/certs/httpd/mycompany-wildcard.key: Permission denied
I ran the command with sudo, and the problem went away.

The second error was related to using urllib2 under gevent:
URLError: <urlopen error [Errno 2] _ssl.c:490: The operation did not complete (read)>
<Greenlet at 0x2add8d0: start_publisher> failed with URLError
...
SSLError: [Errno 8] _ssl.c:490: EOF occurred in violation of protocol
<Greenlet at 0x2add958: <bound method WSGIServer.wrap_socket_and_handle of <WSGIServer at 0x2b48750 fileno=3 address=127.0.0.1:34848>>(<socket at 0x2b48a10 fileno=5 sock=127.0.0.1:34848, ('127.0.0.1', 37858))> failed with SSLError
This problem was because I was using gevent to monkeypatch the socket module, but I wasn't using it to monkeypatch the ssl module. Once I monkeypatched the ssl module, everything worked.

I had a heck of a time writing nosetests that would fire up a server using gevent and connect to it over SSL using urllib2. However, those nosetests proved very valuable in helping me figure out when and where SSL was breaking for me.

Here's what one of those nose tests looked like:
# Unfortunately, this monkey patching is not isolated to just this module.

from gevent import monkey
monkey.patch_all(thread=False)  # Nose uses threads.

import urllib2

import gevent

from myproj import server

TEST_INTERFACE = "127.0.0.1"
TEST_PORT = 34848
URL = "https://%s:%s" % (TEST_INTERFACE, TEST_PORT)


def test_server():

    test_successful_box = [False]

    def start_server():
        server.main(interface=TEST_INTERFACE, port=TEST_PORT)

    def start_publisher():
        response = urllib2.urlopen(URL)
        assert response.msg == "OK"
        test_successful_box[0] = True
        gevent.killall(greenlets)

    greenlets = [gevent.spawn(start_server), gevent.spawn(start_publisher)]
    gevent.joinall(greenlets)
    assert test_successful_box[0]
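
An added example, not code from the original post: a startup pre-flight check that reports both failures described above (an unreadable private key file, and a gevent-patched socket module paired with an unpatched ssl module) as readable messages before any socket is wrapped. The function names are hypothetical, the gevent detection is a heuristic that assumes gevent's replacement classes live in modules named `gevent.*`, and the code is written for Python 3 on a Unix-like system.

```python
import os
import socket
import ssl
import stat


def check_key_file(path):
    """Return a list of problems with a TLS private key file (empty if none)."""
    problems = []
    try:
        st = os.stat(path)
    except OSError as exc:
        return ["cannot stat %s: %s" % (path, exc.strerror)]
    if not os.access(path, os.R_OK):
        # This is the case OpenSSL reports only as
        # "SSL_CTX_use_PrivateKey_file:system lib".
        problems.append("%s is not readable by uid %d" % (path, os.geteuid()))
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        # A private key should be accessible to its owner only.
        problems.append("%s is accessible to group/other (mode %o)" % (path, mode))
    return problems


def _from_gevent(cls):
    # Heuristic (assumption): gevent's replacements are defined in gevent.* modules.
    return cls.__module__.split(".")[0] == "gevent"


def check_monkeypatch(socket_mod=socket, ssl_mod=ssl):
    """Flag the half-patched state: gevent socket with the stock ssl module."""
    if _from_gevent(socket_mod.socket) and not _from_gevent(ssl_mod.SSLSocket):
        return ["socket is gevent-patched but ssl is not; "
                "call gevent.monkey.patch_ssl() or patch_all()"]
    return []


def preflight(keyfile):
    """Run both checks before the server wraps its listening socket."""
    return check_key_file(keyfile) + check_monkeypatch()
```

Call `preflight()` with the key path at server startup and refuse to start if the returned list is non-empty.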

Comments

Anonymous said…
interesting.

why is test_successful_box a list rather than just assigned to directly?

i.e. why not

test_successful_box = True

It's curious.. thanks
Did this work after? I am having the same issues!
Denis said…
In the second case, any idea how we can improve gevent to make the error less cryptic?
jjinux said…
> why is test_successful_box a list rather than just assigned to directly?

It has something to do with how closures work in Python. I'm on a version of Python that doesn't have the "nonlocal" keyword.
jjinux said…
> Did this work after? I am having the same issues!

Yeah, I got it working.

> In the second case, any idea how we can improve gevent to make the error less cryptic?

I have no clue. I thought the whole point of OpenSSL was to be cryptic :-P
Dog said…
Hi there,

I'm having one of the errors you mentioned: 'ssl.SSLError: [Errno 8] _ssl.c:504: EOF occurred in violation of protocol'

I'm not up to your level with command line stuff. Would you mind walking me through how I monkey patch the SSL module?

I think I monkey patched the socket module when I set up a new version of Python but that was the first time I'd touched any of this stuff and I'm not clear on it. Is monkey patching setting up a symbolic link? Pretty sure that's what I did.
jjinux said…
Sorry it's taken me so long to respond. Monkey patching isn't something you do at the command line or with symlinks. It refers to doing something in your program that dynamically patches some code. See (http://jjinux.blogspot.dk/2012/03/pycon-python-metaprogramming-for-mad.html).
Sharon, thanks a lot for sharing your solution (monkey patching SSL). Finding it saved me a lot of time :-).
Shekhar said…
Thanks. You saved my day.
jjinux said…
Thanks, Shekhar :) That makes my day :)
