Tuesday, January 25, 2011

Python: SSL Hell

I was having a hard time getting SSL to work with gevent on Python 2.6. It turns out I had two problems.

The first resulted in this error message:
SSLError: [Errno 336265218] _ssl.c:337: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
It turned out to be a permissions issue. I ran "cat" on the file, and it turned out that I didn't have access to it:
cat: /etc/mycompany/certs/httpd/mycompany-wildcard.key: Permission denied
I ran the command with sudo, and the problem went away.

The second error was related to using urllib2 under gevent:
URLError: <urlopen error [Errno 2] _ssl.c:490: The operation did not complete (read)>
<Greenlet at 0x2add8d0: start_publisher> failed with URLError
...
SSLError: [Errno 8] _ssl.c:490: EOF occurred in violation of protocol
<Greenlet at 0x2add958: <bound method WSGIServer.wrap_socket_and_handle of <WSGIServer at 0x2b48750 fileno=3 address=127.0.0.1:34848>>(<socket at 0x2b48a10 fileno=5 sock=127.0.0.1:34848, ('127.0.0.1', 37858))> failed with SSLError
This problem was because I was using gevent to monkeypatch the socket module, but I wasn't using it to monkeypatch the ssl module. Once I monkeypatched the ssl module, everything worked.

I had a heck of a time writing nosetests that would fire up a server using gevent and connect to it over SSL using urllib2. However, those nosetests proved very valuable in helping me figure out when and where SSL was breaking for me.

Here's what one of those nose tests looked like:
# Unfortunately, this monkey patching is not isolated to just this module.

from gevent import monkey
monkey.patch_all(thread=False) # Nose uses threads.

import urllib2

import gevent

from myproj import server

TEST_INTERFACE = "127.0.0.1"
TEST_PORT = 34848
URL = "https://%s:%s" % (TEST_INTERFACE, TEST_PORT)


def test_server():

test_successful_box = [False]

def start_server():
server.main(interface=TEST_INTERFACE, port=TEST_PORT)

def start_publisher():
response = urllib2.urlopen(URL)
assert response.msg == "OK"
test_successful_box[0] = True
gevent.killall(greenlets)

greenlets = [gevent.spawn(start_server), gevent.spawn(start_publisher)]
gevent.joinall(greenlets)
assert test_successful_box[0]

10 comments:

Anonymous said...

interesting.

why is test_successful_box a list rather than just assigned to directly?

i.e. why not

test_successful_box = True

It's curious.. thanks

Salvatore Scarpato said...

Did this work after? I am having the same issues!

Denis said...

In the second case, any idea how we can improve gevent to make the error less cryptic?

Shannon -jj Behrens said...

> why is test_successful_box a list rather than just assigned to directly?

It has something to do with how closures work in Python. I'm on a version of Python that doesn't have the "nonlocal" keyword.

Shannon -jj Behrens said...

> Did this work after? I am having the same issues!

Yeah, I got it working.

> In the second case, any idea how we can improve gevent to make the error less cryptic?

I have no clue. I thought the whole point of OpenSSL was to be cryptic :-P

Laurence Lord said...

Hi there,

I'm having one of the errors you mentioned: 'ssl.SSLError: [Errno 8] _ssl.c:504: EOF occurred in violation of protocol'

I'm not up to your level with command line stuff. Would you mind walking me through how I monkey patch the SSL module?

I think I monkey patched the socket module when I set up a new version of Python but that was the first time I'd touched and of this stuff and I'm not clear or it. Is monkey patching setting up a symbolic link? Pretty ure that's what I did.

Shannon Behrens said...

Sorry it's taken me so long to respond. Monkey patching isn't something you do at the command line or with symlinks. It refers to doing something in your program that dynamically patches some code. See (http://jjinux.blogspot.dk/2012/03/pycon-python-metaprogramming-for-mad.html).

Fran├žois Pinard said...

Sharon, thanks a lot for sharing your solution (monkey patching SSL). Finding it saved me a lot of time :-).

Shekhar said...

Thanks. You saved my day.

Shannon Behrens said...

Thanks, Shekhar :) That makes my day :)