System info:
CentOS release 6.8 (Final)
Linux lb-cam-11 2.6.32-642.el6.x86_64 #1 SMP Tue May 10 17:27:01 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
sys.version '2.7.5 (default, Dec 10 2013, 00:34:00) \n[GCC 4.4.6 20120305 (Red Hat 4.4.6-4)]'
pip --version pip 8.1.2 from /tools/oss/packages/x86_64-rhel6/python/2.7.5/lib/python2.7/site-packages/pip-8.1.2-py2.7.egg (python 2.7)
cherrypy.version '3.1.2'
I have a cherrypy app which I want to update to support https. I have eventually managed to get a local version working using a locally built version of python (later version of python 2.7.11 and later version of cherrypy 17.4.2) linking against a locally built version of openssl and installing pyOpenSSL (using pip).
However I need to get it working on our standard system where at the moment I have no control or access to default installation areas and seem to have opened up a can of worms along the way. I was wondering if anyone can help answer some questions on the problems I have been seeing.
My searches indicated that I need a cherrypy configuration that looks something like:
server_config = {
    'server.socket_host': socketserver,
    'server.socket_port': socketport,
    'server.ssl_module': 'pyopenssl',
    'server.ssl_certificate': certificate,
    'server.ssl_private_key': private_key,
    'server.ssl_certificate_chain': certificate_chain,
}
cherrypy.config.update(server_config)

(and this is the config that is working on my local system)
However when I do this on our system I get exceptions being thrown indicating that pyOpenSSL is not installed: Using the standard python 2.7.5 and cherrypy v3.1.2 from tools I get the following output:
Traceback (most recent call last):
File "/tools/oss/packages/x86_64-rhel6/python/2.7.5/lib/python2.7/site-packages/cherrypy/process/servers.py", line 73, in _start_http_thread
self.httpserver.start()
File "/tools/oss/packages/x86_64-rhel6/python/2.7.5/lib/python2.7/site-packages/cherrypy/wsgiserver/__init__.py", line 1588, in start
self.bind(af, socktype, proto)
File "/tools/oss/packages/x86_64-rhel6/python/2.7.5/lib/python2.7/site-packages/cherrypy/wsgiserver/__init__.py", line 1624, in bind
raise ImportError("You must install pyOpenSSL to use HTTPS.")
ImportError: You must install pyOpenSSL to use HTTPS.
....
(loads more exceptions in a similar vein)
It seems there is also a built-in ssl module, which it looks like I should also be able to use by specifying 'server.ssl_module':'builtin'. However when I try that on my standard system I get the same sort of errors:
Traceback (most recent call last):
File "/tools/oss/packages/x86_64-rhel6/python/2.7.5/lib/python2.7/site-packages/cherrypy/process/servers.py", line 73, in _start_http_thread
self.httpserver.start()
File "/tools/oss/packages/x86_64-rhel6/python/2.7.5/lib/python2.7/site-packages/cherrypy/wsgiserver/__init__.py", line 1588, in start
self.bind(af, socktype, proto)
File "/tools/oss/packages/x86_64-rhel6/python/2.7.5/lib/python2.7/site-packages/cherrypy/wsgiserver/__init__.py", line 1624, in bind
raise ImportError("You must install pyOpenSSL to use HTTPS.")
ImportError: You must install pyOpenSSL to use HTTPS.
.....
If I try the builtin configuration on my local machine where everything works using pyopenssl I see the following error:
[16/Jul/2020:15:35:53] ENGINE Started monitor thread 'Autoreloader'.
Exception in thread Thread-2:
Traceback (most recent call last):
File "/lb-cam-bca-13/usr/local/lib/python2.7/threading.py", line 801, in __bootstrap_inner
self.run()
File "/lb-cam-bca-13/usr/local/lib/python2.7/threading.py", line 754, in run
self.__target(*self.__args, **self.__kwargs)
File "/lb-cam-bca-13/localprojects/python2/lib/python2.7/site-packages/cheroot/ssl/builtin.py", line 74, in <lambda>
server_side=True,
File "/lb-cam-bca-13/usr/local/lib/python2.7/ssl.py", line 352, in wrap_socket
_context=self)
File "/lb-cam-bca-13/usr/local/lib/python2.7/ssl.py", line 537, in __init__
socket.__init__(self, _sock=sock._sock)
AttributeError: '_socket.socket' object has no attribute '_sock'
(I see similar errors if I config with 'ssl' rather than 'builtin')
- Does anyone know if I should be able to use the builtin ssl module in python 2.7 to configure https on cherrypy? If yes, any idea why I am getting these errors?
My next step was to try and install pyOpenSSL in a local area using pip. However when I try to do that I get the following error:
pip install --install-option="--prefix=/home/camtest/python/2.7.x/local-site-packages" pyopenssl
/tools/oss/packages/x86_64-rhel6/python/2.7.5/lib/python2.7/site-packages/pip-8.1.2-py2.7.egg/pip/commands/install.py:180: UserWarning: Disabling all use of wheels due to the use of --build-options / --global-options / --install-options.
cmdoptions.check_install_build_global(options)
Collecting pyopenssl
/tools/oss/packages/x86_64-rhel6/python/2.7.5/lib/python2.7/site-packages/pip-8.1.2-py2.7.egg/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
SNIMissingWarning
/tools/oss/packages/x86_64-rhel6/python/2.7.5/lib/python2.7/site-packages/pip-8.1.2-py2.7.egg/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Could not fetch URL https://pypi.python.org/simple/pyopenssl/: There was a problem confirming the ssl certificate: [Errno 1] _ssl.c:504: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version - skipping
Could not find a version that satisfies the requirement pyopenssl (from versions: )
No matching distribution found for pyopenssl
/tools/oss/packages/x86_64-rhel6/python/2.7.5/lib/python2.7/site-packages/pip-8.1.2-py2.7.egg/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
Does anyone know what is happening here ? It looks like it is moaning about the tls version - does that mean it does not like the version of openssl that python was built with ? (I did not see this issue on my local machine where I built python against a later version of openssl) ?
Does this mean that using pip is completely ruled out because the python site no longer supports ssl/tls being used ?
My searches on this brought me to this link: "Unable to install Python packages using pip in Ubuntu Linux: InsecurePlatformWarning, SSLError, tlsv1 alert protocol version", which goes some way to explaining it, but I did not fully understand it, so will have to go through it again (even to understand it enough to ask questions about it).
However from this link I saw that it might be possible to install packages using .whl files without the need for re-compilation. So I downloaded https://files.pythonhosted.org/packages/9e/de/f8342b68fa9e981d348039954657bdf681b2ab93de27443be51865ffa310/pyOpenSSL-19.1.0-py2.py3-none-any.whl and tried to install it locally using pip, but got the following output:
$ pip install --user --no-index ~/wheels_dir/*
Ignoring indexes: https://pypi.python.org/simple
Processing ./pyOpenSSL-19.1.0-py2.py3-none-any.whl
Requirement already satisfied (use --upgrade to upgrade): six>=1.5.2 in /tools/oss/packages/x86_64-rhel6/python/2.7.5/lib/python2.7/site-packages (from pyOpenSSL==19.1.0)
Collecting cryptography>=2.8 (from pyOpenSSL==19.1.0)
Could not find a version that satisfies the requirement cryptography>=2.8 (from pyOpenSSL==19.1.0) (from versions: )
No matching distribution found for cryptography>=2.8 (from pyOpenSSL==19.1.0)
I did also try downloading all the .whl files suggested in the link, but got the following output:
$ pip install --user --no-index ~/wheels_dir/*
Ignoring indexes: https://pypi.python.org/simple
cffi-1.14.0-cp27-cp27mu-manylinux1_x86_64.whl is not a supported wheel on this platform.
- Does anyone know if this approach would work if it was done in the correct fashion ?
Finally I tried downloading the source tarball for pyOpenSSL-19.1.0 and installing it locally using 'python setup.py install --user'. But again I get a similar error:
Download error on https://pypi.python.org/simple/: [Errno 1] _ssl.c:504: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version -- Some packages may not be found!
No local packages or working download links found for cryptography>=2.8
error: Could not find suitable distribution for Requirement.parse('cryptography>=2.8')
Everything seems to be pointing to an incompatibility in ssl/tls versions being used, but I am not sure between what. Is it entirely down to the version of openssl python was built with and the version used by the pyOpenSSL module ? Or are there other dependencies ?
Would it be possible to do this if I had the version of pyOpenSSL (and any related modules) that matched the openssl version that python was built with? If so how would one go about determining what the correct modules to install are? Or is it simply not possible without building python against a later version of openssl?
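
Added example (not part of the original post): a diagnostic that can be run with each interpreter to report what its ssl module offers (OpenSSL build, SSLContext, SNI, which the pip warnings above name as missing) and to compare a wheel's filename tags with the interpreter's ABI tag. The function names are hypothetical, the ABI check assumes a standard non-debug CPython 2.7 build, and the platform tag is not checked.

```python
from __future__ import print_function
import ssl
import sys


def tls_capabilities():
    """What this interpreter's ssl module offers (stdlib attributes only)."""
    return {
        "openssl": ssl.OPENSSL_VERSION,             # library Python was linked against
        # TLS 1.2 first appeared in OpenSSL 1.0.1; older builds cannot offer it.
        "openssl_tls1_2": ssl.OPENSSL_VERSION_INFO[:3] >= (1, 0, 1),
        "ssl_context": hasattr(ssl, "SSLContext"),  # missing -> InsecurePlatformWarning
        "sni": getattr(ssl, "HAS_SNI", False),      # missing -> SNIMissingWarning
    }


def cpython2_abi_tag(maxunicode=sys.maxunicode):
    """ABI tag of a CPython 2.7 build: wide (UCS-4) is 'mu', narrow (UCS-2) is 'm'."""
    return "cp27mu" if maxunicode > 0xFFFF else "cp27m"


def wheel_tags(filename):
    """Split a wheel file name into (python_tags, abi_tags, platform_tags)."""
    stem = filename[:-len(".whl")] if filename.endswith(".whl") else filename
    py, abi, plat = stem.split("-")[-3:]
    return py.split("."), abi.split("."), plat.split(".")


def wheel_problems(filename, abi_tag, py_tags=("py2", "py27", "cp27")):
    """Reasons a CPython 2.7 with the given ABI tag would reject this wheel."""
    py, abi, _plat = wheel_tags(filename)
    problems = []
    if not set(py) & set(py_tags):
        problems.append("python tag %s not in %s" % (py, list(py_tags)))
    if not set(abi) & {"none", abi_tag}:
        problems.append("abi tag %s does not match interpreter %s" % (abi, abi_tag))
    return problems


if __name__ == "__main__":
    for key, value in sorted(tls_capabilities().items()):
        print("%-15s %s" % (key, value))
    tag = cpython2_abi_tag()
    print("interpreter ABI tag (if CPython 2.7):", tag)
    # The two wheel file names that appear in the post above.
    for whl in ("pyOpenSSL-19.1.0-py2.py3-none-any.whl",
                "cffi-1.14.0-cp27-cp27mu-manylinux1_x86_64.whl"):
        print(whl, "->", wheel_problems(whl, tag) or "tags OK")
```

Running it under both the /tools interpreter and the locally built one shows whether the two differ in OpenSSL build or in unicode width.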