
Python: SSL Hell

I was having a hard time getting SSL to work with gevent on Python 2.6. It turns out I had two problems.

The first resulted in this error message:
SSLError: [Errno 336265218] _ssl.c:337: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
It turned out to be a permissions issue. I ran "cat" on the file, and it turned out that I didn't have access to it:
cat: /etc/mycompany/certs/httpd/mycompany-wildcard.key: Permission denied
I ran the command with sudo, and the problem went away.

The second error was related to using urllib2 under gevent:
URLError: <urlopen error [Errno 2] _ssl.c:490: The operation did not complete (read)>
<Greenlet at 0x2add8d0: start_publisher> failed with URLError
...
SSLError: [Errno 8] _ssl.c:490: EOF occurred in violation of protocol
<Greenlet at 0x2add958: <bound method WSGIServer.wrap_socket_and_handle of <WSGIServer at 0x2b48750 fileno=3 address=127.0.0.1:34848>>(<socket at 0x2b48a10 fileno=5 sock=127.0.0.1:34848, ('127.0.0.1', 37858))> failed with SSLError
This problem was because I was using gevent to monkeypatch the socket module, but I wasn't using it to monkeypatch the ssl module. Once I monkeypatched the ssl module, everything worked.

I had a heck of a time writing nosetests that would fire up a server using gevent and connect to it over SSL using urllib2. However, those nosetests proved very valuable in helping me figure out when and where SSL was breaking for me.

Here's what one of those nose tests looked like:
# Unfortunately, this monkey patching is not isolated to just this module.

from gevent import monkey
monkey.patch_all(thread=False) # Nose uses threads.

import urllib2

import gevent

from myproj import server

TEST_INTERFACE = "127.0.0.1"
TEST_PORT = 34848
URL = "https://%s:%s" % (TEST_INTERFACE, TEST_PORT)


def test_server():

    test_successful_box = [False]

    def start_server():
        server.main(interface=TEST_INTERFACE, port=TEST_PORT)

    def start_publisher():
        response = urllib2.urlopen(URL)
        assert response.msg == "OK"
        test_successful_box[0] = True
        gevent.killall(greenlets)

    greenlets = [gevent.spawn(start_server), gevent.spawn(start_publisher)]
    gevent.joinall(greenlets)
    assert test_successful_box[0]
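A preflight check for the two failures described in this post, added here as an example and not part of the original post: it reports an unreadable or overly permissive private key file in plain words before OpenSSL is asked to load it, and it flags a process where gevent has patched socket but not ssl. It assumes POSIX file permissions, current Python rather than 2.6, and gevent 1.1 or later for `monkey.is_module_patched`; the function names are hypothetical.

```python
import os
import stat
import sys
import tempfile


def check_key_file(path):
    """Return a list of problems with a TLS private key file (empty means OK)."""
    try:
        st = os.stat(path)
    except OSError as exc:
        return ["cannot stat %s: %s" % (path, exc.strerror)]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("%s is not a regular file" % path)
    if not os.access(path, os.R_OK):
        # The case from the post: the server's user cannot read the key.
        problems.append("uid %d cannot read %s" % (os.geteuid(), path))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("%s is accessible to group/other (mode %o)"
                        % (path, stat.S_IMODE(st.st_mode)))
    return problems


def check_gevent_patching(monkey=None):
    """If gevent patched socket, ssl must be patched as well."""
    monkey = monkey or sys.modules.get("gevent.monkey")
    if monkey is None:
        return []  # gevent is not loaded in this process
    if monkey.is_module_patched("socket") and not monkey.is_module_patched("ssl"):
        return ["gevent patched socket but not ssl; use monkey.patch_all() "
                "or add monkey.patch_ssl()"]
    return []


def preflight(key_path, monkey=None):
    """Run both checks before the server loads the key."""
    return check_key_file(key_path) + check_gevent_patching(monkey)


if __name__ == "__main__":
    # Constructed demo: a throwaway file stands in for the real key.
    fd, demo_key = tempfile.mkstemp(suffix=".key")
    os.close(fd)
    os.chmod(demo_key, 0o644)  # too permissive on purpose
    for problem in preflight(demo_key):
        print("preflight:", problem)
    os.remove(demo_key)
```

Run the check as the same user the server runs as, since `os.access` answers for the calling process only.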

Comments

Anonymous said…
interesting.

why is test_successful_box a list rather than just assigned to directly?

i.e. why not

test_successful_box = True

It's curious.. thanks
Did this work after? I am having the same issues!
Denis said…
In the second case, any idea how we can improve gevent to make the error less cryptic?
jjinux said…
> why is test_successful_box a list rather than just assigned to directly?

It has something to do with how closures work in Python. I'm on a version of Python that doesn't have the "nonlocal" keyword.
jjinux said…
> Did this work after? I am having the same issues!

Yeah, I got it working.

> In the second case, any idea how we can improve gevent to make the error less cryptic?

I have no clue. I thought the whole point of OpenSSL was to be cryptic :-P
Dog said…
Hi there,

I'm having one of the errors you mentioned: 'ssl.SSLError: [Errno 8] _ssl.c:504: EOF occurred in violation of protocol'

I'm not up to your level with command line stuff. Would you mind walking me through how I monkey patch the SSL module?

I think I monkey patched the socket module when I set up a new version of Python but that was the first time I'd touched any of this stuff and I'm not clear on it. Is monkey patching setting up a symbolic link? Pretty sure that's what I did.
jjinux said…
Sorry it's taken me so long to respond. Monkey patching isn't something you do at the command line or with symlinks. It refers to doing something in your program that dynamically patches some code. See (http://jjinux.blogspot.dk/2012/03/pycon-python-metaprogramming-for-mad.html).
Sharon, thanks a lot for sharing your solution (monkey patching SSL). Finding it saved me a lot of time :-).
Shekhar said…
Thanks. You saved my day.
jjinux said…
Thanks, Shekhar :) That makes my day :)
