pyca / pyopenssl
A Python wrapper around the OpenSSL library
Home Page: https://pyopenssl.org/
License: Apache License 2.0
APIs like set_info_callback don't have any way to retrieve the previously-set callback, so there's no way to non-destructively have two different libraries obtain information from the same context.
I'm having some issues with preserving compatibility guarantees within Twisted for folks who have set up their own Context objects.
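One way to work around the missing "get the previous callback" query, as an added example that is not pyOpenSSL's own code and not part of this issue: keep a registry of callbacks per context and install a single dispatcher through the real set_info_callback, so a second library registering later does not displace the first. It assumes the context object is weak-referenceable (OpenSSL.SSL.Context instances are), that the callback signature is the documented callback(conn, where, ret), and that every party registers through the helper; StubContext is a stand-in used only to exercise the helpers offline.

```python
import weakref

# Added example, not pyOpenSSL code. One dispatcher per context is installed
# through the real set_info_callback; individual callbacks live in a registry
# keyed by the context, so a second library can register without displacing
# the first. Assumes the context is weak-referenceable (OpenSSL.SSL.Context
# instances are) and that everyone registers through add_info_callback; a
# direct set_info_callback call elsewhere still replaces the dispatcher,
# which is exactly the gap the issue describes.
_INFO_CHAINS = weakref.WeakKeyDictionary()


def add_info_callback(ctx, callback):
    """Register callback(conn, where, ret) on ctx without displacing
    callbacks registered earlier through this function."""
    chain = _INFO_CHAINS.get(ctx)
    if chain is None:
        chain = []
        _INFO_CHAINS[ctx] = chain

        def dispatch(conn, where, ret):
            # Iterate over a copy so a callback may remove itself safely.
            for cb in list(chain):
                cb(conn, where, ret)

        ctx.set_info_callback(dispatch)
    chain.append(callback)
    return callback


def remove_info_callback(ctx, callback):
    """Unregister callback; returns True if it was registered."""
    chain = _INFO_CHAINS.get(ctx)
    if chain is None or callback not in chain:
        return False
    chain.remove(callback)
    return True


def info_callbacks(ctx):
    """Callbacks currently registered on ctx, in call order. This is the
    'what was set before?' query the issue says the API lacks."""
    return list(_INFO_CHAINS.get(ctx, ()))


class StubContext(object):
    """Stand-in for OpenSSL.SSL.Context used to exercise the helpers offline:
    it only records the callback set_info_callback was given and lets a
    test fire it as OpenSSL would."""

    def __init__(self):
        self.installed = None

    def set_info_callback(self, callback):
        self.installed = callback

    def fire(self, conn, where, ret):
        if self.installed is not None:
            self.installed(conn, where, ret)


if __name__ == "__main__":
    ctx = StubContext()
    seen = []
    add_info_callback(ctx, lambda conn, where, ret: seen.append(("lib1", where)))
    add_info_callback(ctx, lambda conn, where, ret: seen.append(("lib2", where)))
    ctx.fire("conn", 0x10, 1)
    print(seen)  # both libraries observe the same event
```

The registry is a WeakKeyDictionary so it never keeps a Context alive past its last real user; the price of this approach is that it only composes callbacks that go through the helper, which is why a real fix belongs in the library.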
Connection.state_string() is defined and documented, but it's an empty method. If it is not possible to fix it (yet), could a call to this method raise a NotImplementedError or the like?
Hi there,
now that pyOpenSSL 0.14 is seemingly released, could you please provide (win32) binaries? This might be especially valuable as compiling with mingw32 doesn't work out of the box on Windows right now.
Thanks!
Max
Trying to install pyopenssl on python 2.7.6 (windows xp) using latest from git: python setup.py install
results in:
error: Setup script exited with error: Unable to find vcvarsall.bat
I don't see any requirement of Visual Studio for pyopenssl listed anywhere.
D:\pyopenssl>python setup.py install
running install
running bdist_egg
running egg_info
writing requirements to pyOpenSSL.egg-info\requires.txt
writing pyOpenSSL.egg-info\PKG-INFO
writing top-level names to pyOpenSSL.egg-info\top_level.txt
writing dependency_links to pyOpenSSL.egg-info\dependency_links.txt
reading manifest file 'pyOpenSSL.egg-info\SOURCES.txt'
reading manifest template 'MANIFEST.in'
warning: no previously-included files matching '*.pyc' found anywhere in distribution
no previously-included directories found matching 'doc\_build'
writing manifest file 'pyOpenSSL.egg-info\SOURCES.txt'
installing library code to build\bdist.win32\egg
running install_lib
running build_py
creating build\bdist.win32\egg
creating build\bdist.win32\egg\OpenSSL
copying build\lib\OpenSSL\crypto.py -> build\bdist.win32\egg\OpenSSL
copying build\lib\OpenSSL\rand.py -> build\bdist.win32\egg\OpenSSL
copying build\lib\OpenSSL\SSL.py -> build\bdist.win32\egg\OpenSSL
creating build\bdist.win32\egg\OpenSSL\test
copying build\lib\OpenSSL\test\test_crypto.py -> build\bdist.win32\egg\OpenSSL\test
copying build\lib\OpenSSL\test\test_rand.py -> build\bdist.win32\egg\OpenSSL\test
copying build\lib\OpenSSL\test\test_ssl.py -> build\bdist.win32\egg\OpenSSL\test
copying build\lib\OpenSSL\test\util.py -> build\bdist.win32\egg\OpenSSL\test
copying build\lib\OpenSSL\test\__init__.py -> build\bdist.win32\egg\OpenSSL\test
copying build\lib\OpenSSL\tsafe.py -> build\bdist.win32\egg\OpenSSL
copying build\lib\OpenSSL\version.py -> build\bdist.win32\egg\OpenSSL
copying build\lib\OpenSSL\_util.py -> build\bdist.win32\egg\OpenSSL
copying build\lib\OpenSSL\__init__.py -> build\bdist.win32\egg\OpenSSL
byte-compiling build\bdist.win32\egg\OpenSSL\crypto.py to crypto.pyc
byte-compiling build\bdist.win32\egg\OpenSSL\rand.py to rand.pyc
byte-compiling build\bdist.win32\egg\OpenSSL\SSL.py to SSL.pyc
byte-compiling build\bdist.win32\egg\OpenSSL\test\test_crypto.py to test_crypto.pyc
byte-compiling build\bdist.win32\egg\OpenSSL\test\test_rand.py to test_rand.pyc
byte-compiling build\bdist.win32\egg\OpenSSL\test\test_ssl.py to test_ssl.pyc
byte-compiling build\bdist.win32\egg\OpenSSL\test\util.py to util.pyc
byte-compiling build\bdist.win32\egg\OpenSSL\test\__init__.py to __init__.pyc
byte-compiling build\bdist.win32\egg\OpenSSL\tsafe.py to tsafe.pyc
byte-compiling build\bdist.win32\egg\OpenSSL\version.py to version.pyc
byte-compiling build\bdist.win32\egg\OpenSSL\_util.py to _util.pyc
byte-compiling build\bdist.win32\egg\OpenSSL\__init__.py to __init__.pyc
creating build\bdist.win32\egg\EGG-INFO
copying pyOpenSSL.egg-info\PKG-INFO -> build\bdist.win32\egg\EGG-INFO
copying pyOpenSSL.egg-info\SOURCES.txt -> build\bdist.win32\egg\EGG-INFO
copying pyOpenSSL.egg-info\dependency_links.txt -> build\bdist.win32\egg\EGG-INFO
copying pyOpenSSL.egg-info\requires.txt -> build\bdist.win32\egg\EGG-INFO
copying pyOpenSSL.egg-info\top_level.txt -> build\bdist.win32\egg\EGG-INFO
zip_safe flag not set; analyzing archive contents...
creating 'dist\pyOpenSSL-0.14a4-py2.7.egg' and adding 'build\bdist.win32\egg' to it
removing 'build\bdist.win32\egg' (and everything under it)
Processing pyOpenSSL-0.14a4-py2.7.egg
Removing c:\python27\lib\site-packages\pyOpenSSL-0.14a4-py2.7.egg
Copying pyOpenSSL-0.14a4-py2.7.egg to c:\python27\lib\site-packages
pyOpenSSL 0.14a4 is already the active version in easy-install.pth
Installed c:\python27\lib\site-packages\pyopenssl-0.14a4-py2.7.egg
Processing dependencies for pyOpenSSL==0.14a4
Searching for cryptography>=0.1
Reading https://pypi.python.org/simple/cryptography/
Best match: cryptography 0.1
Downloading https://pypi.python.org/packages/source/c/cryptography/cryptography-0.1.tar.gz#md5=bdc1c5fe069deca7467b71a0cc538f17
Processing cryptography-0.1.tar.gz
Writing c:\docume~1\username\locals~1\temp\easy_install-dhbxc3\cryptography-0.1\setup.cfg
Running cryptography-0.1\setup.py -q bdist_egg --dist-dir c:\docume~1\username\locals~1\temp\easy_install-dhbxc3\cryptography-0.1\egg-dist-tmp-xgecl7
Searching for cffi>=0.6
Reading https://pypi.python.org/simple/cffi/
Best match: cffi 0.8.1
Downloading https://pypi.python.org/packages/source/c/cffi/cffi-.8.1.tar.gz#md5=1a877bf113bfe90fdefedbf9e39310d2
Processing cffi-0.8.1.tar.gz
Writing c:\docume~1\username\locals~1\temp\easy_install-dhbxc3\cryptography-0.1\temp\easy_install-3vl6qf\cffi-0.8.1\setup.cfg
Running cffi-0.8.1\setup.py -q bdist_egg --dist-dir c:\docume~1\username\locals~1\temp\easy_install-dhbxc3\cryptography-0.1\temp\easy_install-3vl6qf\cffi-0.8.1\egg-dist-tmp-hifh2a
error: Setup script exited with error: Unable to find vcvarsall.bat
OpenSSL.test.test_ssl.ConnectionTests.test_wantWriteError() fails in the same way with each version of Python (2.6, 2.7, 3.1, 3.2, 3.3, 3.4).
OpenSSL 1.0.1f, cryptography 0.2.2, Gentoo GNU/Linux.
======================================================================
FAIL: test_wantWriteError (OpenSSL.test.test_ssl.ConnectionTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/tmp/pyopenssl/OpenSSL/test/test_ssl.py", line 1925, in test_wantWriteError
"Failed to fill socket buffer, cannot test BIO want write")
AssertionError: Failed to fill socket buffer, cannot test BIO want write
======================================================================
It is a failure in an earlier part of the test function than in issue #37.
Just picked up pyOpenSSL coding, and I can't debug the error below. It's just the most basic implementation of loading a private key and signing something. Here's my code:
from OpenSSL.crypto import load_privatekey, FILETYPE_PEM, sign
import base64

# Raw string so the backslashes in the Windows path are not read as escapes;
# open in binary mode because load_privatekey expects the PEM data as bytes.
with open(r"C:\Users\Gio\SSL\gioCA\newcerts\01.pem", "rb") as f:
    key = load_privatekey(FILETYPE_PEM, f.read())
content = b"test_message"  # sign() takes bytes, not str
d = sign(key, content, 'sha1')
b = base64.b64encode(d)
print(b.decode('ascii'))
And the errors are as below:
Traceback (most recent call last):
File "F:\workspace\myFirst\encrytion.py", line 5, in
key = load_privatekey(FILETYPE_PEM, open("C:\Users\Gio\SSL\gioCA\newcerts\01.pem").read())
File "C:\Python33\lib\site-packages\pyOpenSSL-0.14-py3.3.egg\OpenSSL\crypto.py", line 2010, in load_privatekey
File "C:\Python33\lib\site-packages\pyOpenSSL-0.14-py3.3.egg\OpenSSL\_util.py", line 22, in exception_from_error_queue
OpenSSL.crypto.Error: []
Can anyone solve this problem?
Is this a known issue?
[pyopenssl] sholsapp@sholsapp-ld(~/workspace/pyopenssl) $ python setup.py test
running test
running egg_info
writing requirements to pyOpenSSL.egg-info/requires.txt
writing pyOpenSSL.egg-info/PKG-INFO
writing top-level names to pyOpenSSL.egg-info/top_level.txt
writing dependency_links to pyOpenSSL.egg-info/dependency_links.txt
reading manifest file 'pyOpenSSL.egg-info/SOURCES.txt'
reading manifest template 'MANIFEST.in'
warning: no previously-included files matching '*.pyc' found anywhere in distribution
no previously-included directories found matching 'doc/_build'
writing manifest file 'pyOpenSSL.egg-info/SOURCES.txt'
running build_ext
test_add_revoked_keyword (OpenSSL.test.test_crypto.CRLTests) ... ok
test_add_revoked_wrong_args (OpenSSL.test.test_crypto.CRLTests) ... ok
test_construction (OpenSSL.test.test_crypto.CRLTests) ... ok
test_construction_wrong_args (OpenSSL.test.test_crypto.CRLTests) ... ok
test_export (OpenSSL.test.test_crypto.CRLTests) ... ok
test_export_invalid (OpenSSL.test.test_crypto.CRLTests) ... Segmentation fault (core dumped)
[pyopenssl] sholsapp@sholsapp-ld(~/workspace/pyopenssl) $ uname -a
Linux sholsapp-ld 2.6.32-131.4.1.el6.x86_64 #1 SMP Fri Jun 10 10:54:26 EDT 2011 x86_64 x86_64 x86_64 GNU/Linux
This bit me when using MacPorts on OS X, which comes with OpenSSL 0.9.8 installed. Here's what I did:
% port install openssl pypy virtualenv27
...
% port list openssl
openssl @1.0.1g devel/openssl
% virtualenv-2.7 --python=pypy foo
% ./foo/bin/pip install pyOpenSSL
...
SSL connections would die without fuss from a simple test server when using an EC key pair (e.g., this self-signed test key and crt):
% ./foo/bin/python test.py &
% curl --verbose -k 'https://127.0.0.1:4443/'
* Hostname was NOT found in DNS cache
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 4443 (#0)
* successfully set certificate verify locations:
* CAfile: .../share/curl/curl-ca-bundle.crt
CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
This didn't happen when using RSA key pairs. With the help of kind folks on #cryptography-dev, I learned that cryptography was linking against the wrong version of OpenSSL:
% ./foo/bin/python -c 'from OpenSSL.SSL import SSLEAY_VERSION, SSLeay_version ; print(SSLeay_version(SSLEAY_VERSION))'
OpenSSL 0.9.8y 5 Feb 2013
There is a fix (i.e., a manual pip install cryptography that forces building against the right version). However, what would have been extremely helpful is if pyOpenSSL (or perhaps cryptography, I don't know the best place) raised an exception to callers who try using EC key pairs with OpenSSL 0.9.8 (where EC is apparently broken).
The callback is defined as (copied from the test):
from OpenSSL.SSL import Context, TLSv1_METHOD

called = []

def info(conn, where, ret):
    called.append((conn, where, ret))

context = Context(TLSv1_METHOD)
context.set_info_callback(info)
In the previous pyOpenSSL version conn was OpenSSL.SSL.Connection. In the latest version it is OpenSSL.SSL.Context.
As stated by the comment, the current test is lame:
https://github.com/pyca/pyopenssl/blob/master/OpenSSL/test/test_ssl.py#L711
I hope that the latest version can be fixed to obtain the connection in the callback, as getting the Context is not much help since the code should already have a reference to the Context.
Thanks!
===============================================================================
[FAIL]
Traceback (most recent call last):
File "/usr/local/lib/python2.7/unittest/case.py", line 331, in run
testMethod()
File "/home/kouk/code/pyopenssl/OpenSSL/test/test_crypto.py", line 1454, in test_digest
b("A8:EB:07:F8:53:25:0A:F2:56:05:C5:A5:C4:C4:C7:15"))
File "/usr/local/lib/python2.7/unittest/case.py", line 515, in assertEqual
assertion_func(first, second, msg=msg)
File "/usr/local/lib/python2.7/unittest/case.py", line 508, in _baseAssertEqual
raise self.failureException(msg)
exceptions.AssertionError: 'C1:B5:90:A4:41:11:C8:30:BF:D4:AA:78:13:46:66:59' != 'A8:EB:07:F8:53:25:0A:F2:56:05:C5:A5:C4:C4:C7:15'
OpenSSL.test.test_crypto.X509Tests.test_digest
-------------------------------------------------------------------------------
This is on FreeBSD 9.2-RELEASE #0 r255898, amd64, with cryptography compiled against OpenSSL 1.0.1f 6 Jan 2014. Same thing also on Windows 8 64 bit with the same OpenSSL version.
There are other failures as well but they are being addressed in separate issues.
I want this for testing. Today I found that I had a totally useless unit test because of a discrepancy between my FakeContext(Factory)
and a real context factory from Twisted. The only reason the fake class exists is that Context isn't really very introspectable...
Like #61, there's a good chance this requires cryptography to expose some stuff first.
Basically doing pip install <pyopenssl> doesn't actually install cryptography. This can be done by using setuptools and install_requires=["cryptography"] in the call to setup().
Documentation talks about building an extension, but with the new code the extension building steps were moved to the external cryptography project.
Is this version still tested on Solaris 2.6 and 2.7 ?
It would be nice to have a list of tested platforms.
With the new changes, is the documentation for internals still valid https://github.com/pyca/pyopenssl/blob/master/doc/internals.rst ?
No need to rewrite it now, but maybe a warning would help so that developers will read those lines with great care.
Thanks!
pyOpenSSL should support ALPN/NPN since OpenSSL now supports it:
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6f017a8f9db3a79f3a3406cf8d493ccd346db691
I now see that users mailing list was moved.
I have not received any email on [email protected] to announce the move.
Maybe an email should be sent on the old list to inform users to move on the new one.
Also maybe the new README file could include a link to the new mailinglist.
Maybe also update http://sourceforge.net/projects/pyopenssl/ Website link and new bug tracker link http://sourceforge.net/p/pyopenssl/support-requests/?source=navbar
Thanks!
Could be that I've missed this in the documentation, but there does not appear to be a way to access the method (as in SSLv23_METHOD) of an already existing context.
I want this for writing tests.
I wanted to play around with pyOpenSSL’s alpha release and our new TLS features in Twisted and ran into a problem: If I build cryptography with homebrew’s OpenSSL (1.0.1e), I get the following traceback:
Traceback (most recent call last):
File "treq_ciphers.py", line 4, in <module>
import treq
File "/Users/hynek/.virtualenvs/6a9b7aac7004383e/lib/python2.7/site-packages/treq/__init__.py", line 3, in <module>
from treq.api import head, get, post, put, patch, delete, request
File "/Users/hynek/.virtualenvs/6a9b7aac7004383e/lib/python2.7/site-packages/treq/api.py", line 1, in <module>
from treq.client import HTTPClient
File "/Users/hynek/.virtualenvs/6a9b7aac7004383e/lib/python2.7/site-packages/treq/client.py", line 9, in <module>
from twisted.web.client import (
File "/Users/hynek/Projects/Twisted/twisted/web/client.py", line 31, in <module>
from twisted.web import http
File "/Users/hynek/Projects/Twisted/twisted/web/http.py", line 93, in <module>
from twisted.internet import interfaces, reactor, protocol, address
File "/Users/hynek/Projects/Twisted/twisted/internet/reactor.py", line 38, in <module>
from twisted.internet import default
File "/Users/hynek/Projects/Twisted/twisted/internet/default.py", line 56, in <module>
install = _getInstallFunction(platform)
File "/Users/hynek/Projects/Twisted/twisted/internet/default.py", line 50, in _getInstallFunction
from twisted.internet.selectreactor import install
File "/Users/hynek/Projects/Twisted/twisted/internet/selectreactor.py", line 18, in <module>
from twisted.internet import posixbase
File "/Users/hynek/Projects/Twisted/twisted/internet/posixbase.py", line 24, in <module>
from twisted.internet import error, udp, tcp
File "/Users/hynek/Projects/Twisted/twisted/internet/tcp.py", line 29, in <module>
from twisted.internet._newtls import (
File "/Users/hynek/Projects/Twisted/twisted/internet/_newtls.py", line 21, in <module>
from twisted.protocols.tls import TLSMemoryBIOFactory, TLSMemoryBIOProtocol
File "/Users/hynek/Projects/Twisted/twisted/protocols/tls.py", line 44, in <module>
Connection(Context(TLSv1_METHOD), None)
File "/Users/hynek/.virtualenvs/6a9b7aac7004383e/lib/python2.7/site-packages/OpenSSL/SSL.py", line 269, in __init__
_raise_current_error()
File "/Users/hynek/.virtualenvs/6a9b7aac7004383e/lib/python2.7/site-packages/OpenSSL/_util.py", line 14, in exception_from_error_queue
ffi.string(lib.ERR_func_error_string(error)),
File "/Users/hynek/.virtualenvs/6a9b7aac7004383e/lib/python2.7/site-packages/cffi/api.py", line 251, in string
return self._backend.string(cdata, maxlen)
RuntimeError: cannot use string() on <cdata 'char *' NULL>
https://www.openssl.org/docs/apps/x509v3_config.html#Basic_Constraints_
I was trying to write a test case that verified a certificate chain "for real" and I noticed that there doesn't seem to be a way to set basicConstraints
so that OpenSSL thinks an intermediate certificate is a valid CA.
I upgraded from 0.13.1 to 0.14 and got several errors. One was that several methods that took filenames have been changed to only accept binary strings instead of regular unicode strings. I worked around that, but not sure why there was a change.
What I haven't been able to fix is the verify callback called in set_verify
. The docs still say the first object passed is a "A Connection object", but I am now getting a "OpenSSL.SSL.Context object".
Is this an issue with the docs or the code?
Is it implemented? Any documentation on how to use it?
I'd like to have some heuristics in Twisted for determining whether the system “probably” has some valid trust roots, so that the verification-failure error contains an explanation that a system administrator might be able to use to understand how to fetch some and actually have sensible certificate verification, rather than getting frustrated and falling back to plaintext.
One way to have such a heuristic (given that OpenSSL itself doesn't appear to expose any way to enumerate the certificates within an X509_STORE*
) is to have some cached offline “known good” and “known bad” certificates and attempt to verify them and see what happens; the API to do this doesn't seem to be exposed by pyOpenSSL.
PyPI says that it's currently serving 0.14 and Github says that its last release is 0.14, yet X509Req.get_extensions() exists in GitHub, but not in PyPI.
Can you look into this? I have an an immediate need for it.
Thanks.
OpenSSL.test.test_ssl.ContextTests.test_set_default_verify_paths() triggers error when network connection is absent. It is the only test in pyOpenSSL test suite with this problem.
======================================================================
ERROR: test_set_default_verify_paths (OpenSSL.test.test_ssl.ContextTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/tmp/pyopenssl/OpenSSL/test/test_ssl.py", line 930, in test_set_default_verify_paths
client.connect(('verisign.com', 443))
socket.gaierror: [Errno -3] Temporary failure in name resolution
======================================================================
Possible fix:
--- OpenSSL/test/test_ssl.py
+++ OpenSSL/test/test_ssl.py
@@ -8,7 +8,7 @@
from gc import collect, get_referrers
from errno import ECONNREFUSED, EINPROGRESS, EWOULDBLOCK, EPIPE, ESHUTDOWN
from sys import platform, version_info
-from socket import SHUT_RDWR, error, socket
+from socket import SHUT_RDWR, error, gaierror, socket
from os import makedirs
from os.path import join
from unittest import main
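Review bot: gaierror is a subclass of the socket.error that this import line already brings in, so the new name is only needed if the intent is to skip on DNS failure alone. If the goal is to tolerate any unreachable network (blocked outbound connections raise socket.error with ECONNREFUSED or a timeout, not gaierror), catching the existing error would cover both cases and this import becomes unnecessary.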
@@ -927,7 +927,11 @@
lambda conn, cert, errno, depth, preverify_ok: preverify_ok)
client = socket()
- client.connect(('verisign.com', 443))
+ try:
+ client.connect(('verisign.com', 443))
+ except gaierror:
+ # Absent network connection or verisign.com inaccessible.
+ return
clientSSL = Connection(context, client)
clientSSL.set_connect_state()
clientSSL.do_handshake()
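Review bot: the bare return in the except branch makes the test pass vacuously, so an offline build reports success for a test that never ran; raise unittest.SkipTest (or call self.skipTest) there instead so the skip shows up in the report. The guard is also narrower than its comment claims: "verisign.com inaccessible" with working DNS produces socket.error (ECONNREFUSED, timeout), not gaierror, and would still fail. The client socket created two lines earlier is also left open on the early-return path; close it before leaving.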
The get_privatekey() and get_certificate().get_pubkey() don't allow access to the PEM/DER key-data.
>>> with open('certificate.p12', 'rb') as f:
... p = f.read()
...
>>> c = load_pkcs12(p, 'passphrase')
>>> dir(c.get_privatekey())
['__class__', '__delattr__', '__doc__', '__format__', '__getattribute__', '__hash__', '__init__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', 'bits', 'check', 'generate_key', 'type']
I was trying to install pyopenssl on my Mac using python setup.py install. I got the following error message:
Traceback (most recent call last):
File "setup.py", line 75, in <module>
test_suite="OpenSSL")
File "/Users/Wu/anaconda/lib/python2.7/distutils/core.py", line 152, in setup
dist.run_commands()
File "/Users/Wu/anaconda/lib/python2.7/distutils/dist.py", line 953, in run_commands
self.run_command(cmd)
File "/Users/Wu/anaconda/lib/python2.7/distutils/dist.py", line 972, in run_command
cmd_obj.run()
File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/install.py", line 74, in run
File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/install.py", line 97, in do_egg_install
File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/easy_install.py", line 358, in run
File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/easy_install.py", line 574, in easy_install
File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/easy_install.py", line 625, in install_item
File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/easy_install.py", line 671, in process_distribution
File "build/bdist.macosx-10.5-x86_64/egg/pkg_resources.py", line 580, in resolve
File "build/bdist.macosx-10.5-x86_64/egg/pkg_resources.py", line 818, in best_match
File "build/bdist.macosx-10.5-x86_64/egg/pkg_resources.py", line 830, in obtain
File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/easy_install.py", line 593, in easy_install
File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/easy_install.py", line 623, in install_item
File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/easy_install.py", line 809, in install_eggs
File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/easy_install.py", line 1015, in build_and_install
File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/easy_install.py", line 1000, in run_setup
File "build/bdist.macosx-10.5-x86_64/egg/setuptools/sandbox.py", line 50, in run_setup
File "build/bdist.macosx-10.5-x86_64/egg/setuptools/sandbox.py", line 100, in run
File "build/bdist.macosx-10.5-x86_64/egg/setuptools/sandbox.py", line 52, in <lambda>
File "setup.py", line 156, in <module>
File "/Users/Wu/anaconda/lib/python2.7/distutils/core.py", line 152, in setup
dist.run_commands()
File "/Users/Wu/anaconda/lib/python2.7/distutils/dist.py", line 953, in run_commands
self.run_command(cmd)
File "/Users/Wu/anaconda/lib/python2.7/distutils/dist.py", line 971, in run_command
cmd_obj.ensure_finalized()
File "/Users/Wu/anaconda/lib/python2.7/distutils/cmd.py", line 109, in ensure_finalized
self.finalize_options()
File "build/bdist.macosx-10.5-x86_64/egg/setuptools/command/bdist_egg.py", line 108, in finalize_options
File "/Users/Wu/anaconda/lib/python2.7/distutils/cmd.py", line 312, in get_finalized_command
cmd_obj.ensure_finalized()
File "/Users/Wu/anaconda/lib/python2.7/distutils/cmd.py", line 109, in ensure_finalized
self.finalize_options()
File "/Users/Wu/anaconda/lib/python2.7/distutils/command/bdist.py", line 99, in finalize_options
self.plat_name = self.get_finalized_command('build').plat_name
File "/Users/Wu/anaconda/lib/python2.7/distutils/cmd.py", line 312, in get_finalized_command
cmd_obj.ensure_finalized()
File "/Users/Wu/anaconda/lib/python2.7/distutils/cmd.py", line 109, in ensure_finalized
self.finalize_options()
File "setup.py", line 75, in finalize_options
test_suite="OpenSSL")
File "/var/folders/wq/b5fcrhb931sbwq721hprjkc00000gn/T/easy_install-7fYQvg/cryptography-0.3/cryptography/hazmat/bindings/openssl/binding.py", line 83, in __init__
File "/var/folders/wq/b5fcrhb931sbwq721hprjkc00000gn/T/easy_install-7fYQvg/cryptography-0.3/cryptography/hazmat/bindings/openssl/binding.py", line 99, in _ensure_ffi_initialized
File "/var/folders/wq/b5fcrhb931sbwq721hprjkc00000gn/T/easy_install-7fYQvg/cryptography-0.3/cryptography/hazmat/bindings/utils.py", line 77, in build_ffi
File "/private/var/folders/wq/b5fcrhb931sbwq721hprjkc00000gn/T/easy_install-7fYQvg/cryptography-0.3/cffi-0.8.2-py2.7-macosx-10.5-x86_64.egg/cffi/api.py", line 341, in verify
File "/private/var/folders/wq/b5fcrhb931sbwq721hprjkc00000gn/T/easy_install-7fYQvg/cryptography-0.3/cffi-0.8.2-py2.7-macosx-10.5-x86_64.egg/cffi/verifier.py", line 75, in load_library
File "/private/var/folders/wq/b5fcrhb931sbwq721hprjkc00000gn/T/easy_install-7fYQvg/cryptography-0.3/cffi-0.8.2-py2.7-macosx-10.5-x86_64.egg/cffi/verifier.py", line 151, in _load_library
File "/private/var/folders/wq/b5fcrhb931sbwq721hprjkc00000gn/T/easy_install-7fYQvg/cryptography-0.3/cffi-0.8.2-py2.7-macosx-10.5-x86_64.egg/cffi/vengine_cpy.py", line 138, in load_library
cffi.ffiplatform.VerificationError: importing '/var/folders/wq/b5fcrhb931sbwq721hprjkc00000gn/T/easy_install-7fYQvg/cryptography-0.3/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_48bbf0ebx93c91939.so': dlopen(/var/folders/wq/b5fcrhb931sbwq721hprjkc00000gn/T/easy_install-7fYQvg/cryptography-0.3/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_48bbf0ebx93c91939.so, 2): Library not loaded: libcrypto.1.0.0.dylib
Referenced from: /var/folders/wq/b5fcrhb931sbwq721hprjkc00000gn/T/easy_install-7fYQvg/cryptography-0.3/cryptography/hazmat/bindings/__pycache__/_Cryptography_cffi_48bbf0ebx93c91939.so
Reason: image not found
Can anyone help? Thanks.
OS: FreeBSD 9.2-STABLE #0 r260870
Python: 2.7.6
======================================================================
FAIL: test_set_verify_callback_exception (OpenSSL.test.test_ssl.ContextTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/mnt/home/user/repos/freebsd/ports/security/py-openssl/work/pyca-pyopenssl-0146d44/OpenSSL/test/test_ssl.py", line 1002, in test_set_verify_callback_exception
Exception, self._handshake_test, serverContext, clientContext)
File "/mnt/home/user/repos/freebsd/ports/security/py-openssl/work/pyca-pyopenssl-0146d44/OpenSSL/test/util.py", line 270, in failUnlessRaises
% (exception.__name__, result))
AssertionError: Exception not raised (None returned)
----------------------------------------------------------------------
In previous pyopenssl versions the API was fine with accepting strings as Unicode.
For example this was a valid code, which no longer works in latest version. Context.set_cipher_list(u'ALL')
The migration should not be a big deal, but I think that this needs to be documented.
Also, handling unicode paths in cross-platform code is a bit messy, since the Python API on Linux sometimes accepts Unicode and sometimes byte strings (depending on the environment), and on Windows you always have to pass the path as Unicode.
Maybe OpenSSL.test.util.TestCase.mktemp should be changed to always return a unicode path, for example via mktemp(dir='.', suffix=UNICODE_TEST_MARKER).
Thanks!
This function had no unit tests and didn't get ported.
I see a test failure with pyOpenSSL-0.14 and cryptography-0.2.2:
ERROR: test_set_default_verify_paths (OpenSSL.test.test_ssl.ContextTests)
Traceback (most recent call last):
File "/scratch/security/py-OpenSSL/work/pyOpenSSL-0.14/OpenSSL/test/test_ssl.py", line 933, in test_set_default_verify_paths
clientSSL.do_handshake()
File "/scratch/security/py-OpenSSL/work/pyOpenSSL-0.14/OpenSSL/SSL.py", line 1076, in do_handshake
self._raise_ssl_error(self._ssl, result)
File "/scratch/security/py-OpenSSL/work/pyOpenSSL-0.14/OpenSSL/SSL.py", line 871, in _raise_ssl_error
_raise_current_error()
File "/scratch/security/py-OpenSSL/work/pyOpenSSL-0.14/OpenSSL/_util.py", line 22, in exception_from_error_queue
raise exceptionType(errors)
OpenSSL.SSL.Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]
This is in a sandbox with no certificates installed, in case it matters, and openssl-1.0.1f.
This is what I got:
(Pdb) SSL.OP_ALL
2147486719L
(Pdb) context.set_options(self._OP_ALL)
*** TypeError: options must be an integer
(Pdb)
Python 2.7.3
pyopenssl 0.14a3
latest published version of cryptography , cffi, pycparse, six...etc
Ubuntu 12.04 - 32
OpenSSL 1.0.1 14 Mar 2012
Thanks!
Has this functionality been fixed? Is this the right area to ask this question?
def test_add_extensions(self):
    """
    :py:obj:`X509Req.add_extensions` accepts a :py:obj:`list` of :py:obj:`X509Extension`
    instances and adds them to the X509 request.
    """
    request = X509Req()
    request.add_extensions([
        X509Extension(b('basicConstraints'), True, b('CA:false'))])
    # XXX Add get_extensions so the rest of this unit test can be written.
I'd like to add this functionality and wanted to know if using X509.c as a template was a good idea or not.
From LICENSE:
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
For context (about how we are struggling to mitigate heartbleed's threat to our users), please see https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2215 and https://tahoe-lafs.org/pipermail/tahoe-dev/2014-April/008988.html .
Could you please make new releases of pyOpenSSL, named "0.14.1" and (for people like us who can't upgrade to the cffi-based build system yet) "0.13.1". The ".1"'s in these version numbers would serve as a signal, visible within the Python packaging metadata, that this particular package was built by someone who is aware of heartbleed and they intended to remove the heartbleed vuln from this package. Then Tahoe-LAFS (and Foolscap, and Twisted, etc.) can depend on "pyOpenSSL == 0.13.1, >= 0.14.1", to indicate their desire to listen to this signal.
Then the pyOpenSSL setup.py can help the builder of the package send the correct signal, by checking the version number of OpenSSL and refusing to build if it is one of the version numbers that had (in the upstream OpenSSL release) the heartbleed vuln.
Now, Debian and Ubuntu ship OpenSSL libraries which have a patch to fix the vuln but which still report the original upstream OpenSSL version numbers. No problem! When they build pyOpenSSL v0.13.1 and v0.14.1 packages, they will patch out that check that pyOpenSSL's setup.py does (or perhaps pyOpenSSL will offer a "--affirm-heartbleed-fix-is-present" build-time option for this), in order for them to correctly send the signal that their Debian/Ubuntu "python-openssl 0.13.1" or "python-openssl 0.14.1" package does not have the vuln.
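The build-time check the post proposes, as an added example that is not pyOpenSSL's setup.py and not code from this issue. It assumes the version string has the shape SSLeay_version(SSLEAY_VERSION) returns (the same shape shown earlier on this page, "OpenSSL 0.9.8y 5 Feb 2013"), encodes the upstream releases that shipped Heartbleed (1.0.1 through 1.0.1f and 1.0.2-beta1), and exposes the "affirm the fix is present" override as a hypothetical affirm_fix_present parameter for distributions that patched without bumping the version. The stdlib ssl module is used only to read the interpreter's own OpenSSL version.

```python
import re
import ssl

# Added example, not pyOpenSSL's setup.py. Upstream OpenSSL releases that
# carried Heartbleed (CVE-2014-0160): 1.0.1 through 1.0.1f and 1.0.2-beta1.
# 1.0.1g and 1.0.2-beta2 fixed it; 0.9.8 and 1.0.0 never had the TLS
# heartbeat code at all.
_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(version_string):
    """Parse an SSLeay_version(SSLEAY_VERSION)-style string such as
    'OpenSSL 1.0.1f 6 Jan 2014' into (major, minor, fix, letter, beta).
    Returns None when the string is not recognised (LibreSSL, BoringSSL)."""
    m = _VERSION_RE.search(version_string)
    if m is None:
        return None
    major, minor, fix, letter, beta = m.groups()
    return (int(major), int(minor), int(fix), letter,
            int(beta) if beta else None)


def is_heartbleed_version(version_string):
    """True if the string names an upstream release that shipped Heartbleed,
    False if it does not, None if the string is unparseable."""
    parsed = parse_openssl_version(version_string)
    if parsed is None:
        return None
    major, minor, fix, letter, beta = parsed
    if (major, minor, fix) == (1, 0, 1):
        # '' (1.0.1 itself) and 'a'..'f' sort before 'g', the fixed release.
        return letter < "g"
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1
    return False


def check_build_allowed(version_string, affirm_fix_present=False):
    """Return (allowed, reason). affirm_fix_present is the hypothetical
    build-time override for distributions (Debian, Ubuntu) that backported
    the fix without changing the version string."""
    vulnerable = is_heartbleed_version(version_string)
    if vulnerable is None:
        return False, "unrecognised OpenSSL version string: %r" % (version_string,)
    if vulnerable and not affirm_fix_present:
        return False, ("%s is a Heartbleed-affected OpenSSL release; refusing to "
                       "build. Set affirm_fix_present only if the library was "
                       "patched without a version bump." % version_string)
    if vulnerable:
        return True, "%s accepted: builder affirmed a backported fix" % version_string
    return True, "%s is not a Heartbleed-affected release" % version_string


def local_openssl_version():
    """Version string of the OpenSSL the interpreter's ssl module was linked
    against. This can differ from the library cryptography linked to (see the
    0.9.8y surprise earlier on this page); a real setup.py would query the
    bindings it is about to build against instead."""
    return ssl.OPENSSL_VERSION


if __name__ == "__main__":
    allowed, reason = check_build_allowed(local_openssl_version())
    print(reason)
```

Refusing on an unparseable string is deliberate: a check that silently passes forks like LibreSSL would send the same "signal" the post wants without having verified anything.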
Brewed or self-compiled OpenSSL’s are the only way ATM to get SSL support on OS X that isn’t completely pathetic.
As of now, if I run the script from https://gist.github.com/dreid/1c491ce3826d1c0541de , PyOpenSSL explodes (exposing issue #3, if I work around that I get the error message that no ciphers have been found); it works with the ancient (0.9.8y) system OpenSSL though.
Digging around has shown that adding
from cryptography.hazmat.bindings.openssl.binding import Binding
b = Binding()
b.lib.SSL_library_init()
at the beginning of the script from the gist makes it work.
My best guess would be that the system OpenSSL gets initialized as some side-effect from my system Python which it is linked against.
Currently there's only one API for DH parameters that both loads and sets them on a context (Context.load_tmp_dh).
There should be APIs to do these steps separately, i.e. load into memory and set on a context.
This is probably easy. Travis can test it now, too.
On a 64bit build of Python on Windows 8 I tried to enable SNI support in pip. However I encountered an error because _asFileDescriptor assumes file descriptors are ints (when on my system they are longs).
PS C:\Users\Balena\Documents\GitHub\pyopenssl\OpenSSL> pip.exe install -i https://pypi.longaccess.io/simple treq
Downloading/unpacking treq
Cleaning up...
Exception:
Traceback (most recent call last):
File "C:\Python27\lib\site-packages\pip\basecommand.py", line 122, in main
status = self.run(options, args)
File "C:\Python27\lib\site-packages\pip\commands\install.py", line 274, in run
requirement_set.prepare_files(finder, force_root_egg_info=self.bundle, bundle=self.bundle)
File "C:\Python27\lib\site-packages\pip\req\req_set.py", line 286, in prepare_files
url = finder.find_requirement(req_to_install, upgrade=self.upgrade)
File "C:\Python27\lib\site-packages\pip\index.py", line 194, in find_requirement
page = self._get_page(main_index_url, req)
File "C:\Python27\lib\site-packages\pip\index.py", line 568, in _get_page
session=self.session,
File "C:\Python27\lib\site-packages\pip\index.py", line 670, in get_page
resp = session.get(url, headers={"Accept": "text/html"})
File "C:\Python27\lib\site-packages\pip\_vendor\requests\sessions.py", line 395, in get
return self.request('GET', url, **kwargs)
File "C:\Python27\lib\site-packages\pip\download.py", line 237, in request
return super(PipSession, self).request(method, url, *args, **kwargs)
File "C:\Python27\lib\site-packages\pip\_vendor\requests\sessions.py", line 383, in request
resp = self.send(prep, **send_kwargs)
File "C:\Python27\lib\site-packages\pip\_vendor\requests\sessions.py", line 486, in send
r = adapter.send(request, **kwargs)
File "C:\Python27\lib\site-packages\pip\_vendor\requests\adapters.py", line 330, in send
timeout=timeout
File "C:\Python27\lib\site-packages\pip\_vendor\requests\packages\urllib3\connectionpool.py", line 480, in urlopen
body=body, headers=headers)
File "C:\Python27\lib\site-packages\pip\_vendor\requests\packages\urllib3\connectionpool.py", line 285, in _make_request
conn.request(method, url, **httplib_request_kw)
File "C:\Python27\lib\httplib.py", line 973, in request
self._send_request(method, url, body, headers)
File "C:\Python27\lib\httplib.py", line 1007, in _send_request
self.endheaders(body)
File "C:\Python27\lib\httplib.py", line 969, in endheaders
self._send_output(message_body)
File "C:\Python27\lib\httplib.py", line 829, in _send_output
self.send(msg)
File "C:\Python27\lib\httplib.py", line 791, in send
self.connect()
File "C:\Python27\lib\site-packages\pip\_vendor\requests\packages\urllib3\connection.py", line 164, in connect
ssl_version=resolved_ssl_version)
File "C:\Python27\lib\site-packages\pip\_vendor\requests\packages\urllib3\contrib\pyopenssl.py", line 377, in ssl_wrap_socket
cnx = OpenSSL.SSL.Connection(ctx, sock)
File "build\bdist.win-amd64\egg\OpenSSL\SSL.py", line 828, in __init__
set_result = _lib.SSL_set_fd(self._ssl, _asFileDescriptor(self._socket))
File "build\bdist.win-amd64\egg\OpenSSL\SSL.py", line 209, in _asFileDescriptor
raise TypeError("argument must be an int, or have a fileno() method.")
TypeError: argument must be an int, or have a fileno() method.
The test_closed unit test is failing on Windows because the errno attribute is set to zero (the winerror is used instead) and the _raise_ssl_error function asks for errorcode[0], which throws a KeyError.
======================================================================
FAIL: test_closed (OpenSSL.test.test_ssl.ConnectionSendallTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "c:\users\konstantinos\documents\github\pyopenssl\OpenSSL\test\test_ssl.py", line 1937, in test_closed
exc = self.assertRaises(SysCallError, server.sendall, b"hello, world")
File "c:\users\konstantinos\documents\github\pyopenssl\OpenSSL\test\util.py", line 266, in failUnlessRaises
exception.__name__,
AssertionError: <type 'exceptions.KeyError'> raised instead of SysCallError
----------------------------------------------------------------------
Ran 338 tests in 8.555s
FAILED (failures=1)
I upgraded from 0.13.1 to 0.14 and got several errors. One was that several methods that took filenames have been changed to only accept binary strings instead of regular unicode strings. So, in py3, bytes instead of str.
I think 0.13.1 actually had the opposite situation for some of those same methods where it only accepted a unicode string and not a binary string.
I think the underlying C library uses binary strings (i.e. no encoding enforced), so it makes sense to use that (on *nix). However, the python wrapper should be able to accept both and translate accordingly.
I'm not sure that #31 is actually fixed, but opted to create a new issue instead:
OS: FreeBSD 9.2-STABLE #0 r260870
Python: 2.7.6
======================================================================
FAIL: test_wantWriteError (OpenSSL.test.test_ssl.ConnectionTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/mnt/home/user/repos/freebsd/ports/security/py-openssl/work/pyca-pyopenssl-0146d44/OpenSSL/test/test_ssl.py", line 1931, in test_wantWriteError
self.assertRaises(WantWriteError, conn.do_handshake)
File "/mnt/home/user/repos/freebsd/ports/security/py-openssl/work/pyca-pyopenssl-0146d44/OpenSSL/test/util.py", line 266, in failUnlessRaises
exception.__name__,
AssertionError: <class 'OpenSSL.SSL.WantReadError'> raised instead of WantWriteError
----------------------------------------------------------------------
I can't figure out where MODE_NO_COMPRESSION comes from. I found it in the documentation and that appears to be the only reference in the source.
Upstream documentation appears to not have heard of it either. When I compile against my (current) OpenSSL, I can't find the symbol exported.
Following the pyOpenSSL documentation (http://pythonhosted.org//pyOpenSSL/api/crypto.html), the verify method accepts as input the following parameters: certificate, signature, data, digest. The same documentation says that "data is a str instance giving the data to which the signature applies".
This works well using pyOpenSSL 0.13 but when using pyOpenSSL 0.14, the method raises the following exception:
TypeError: 'initializer for ctype 'void *' must be a cdata pointer, not unicode'
This error is reproducible using pyOpenSSL 0.14 either in Python 2.7 or 3.3, and Django 1.6. I'm using Ubuntu 14.04 and OpenSSL 1.0.1f (1.0.1f-1ubuntu2).
The error is solved if using .encode()
The _raise_current_error in Connection.shutdown is incorrect because SSL_shutdown can result in SSL_ERR_WANT_WRITE or SSL_ERR_WANT_READ. The way you discover this, according to the official documentation, is:
If the underlying BIO is non-blocking, SSL_shutdown() will also return when the underlying BIO could not satisfy the needs of SSL_shutdown() to continue the handshake. In this case a call to SSL_get_error() with the return value of SSL_shutdown() will yield SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE.
The current behavior is that the error code is masked because the return code is lost.
@reaperhulk and I discussed this with @jamielennox. pyOpenSSL seems like a reasonable place to start this discussion. ccing: @hynek since I bet he has opinions.
How to add extensions to a crypto.CRL object? Is it possible? What about the version attribute?
OpenSSL.test.test_crypto.CRLTests.test_export compares the string representations of two CRL objects.
From time to time the two objects differ in a specific way. One will include a section something like "Last Update: Apr 19 22:36:25 2014 GMT" and the other will have a string like "Last Update: Apr 19 22:36:26 2014 GMT" in the same place.
This is not a signal that the implementation is broken. It's just a reflection of the fact that the seconds value might turn over in between generation of the two strings.
The test should be robust against this circumstance so it doesn't spuriously fail sometimes.
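One way to make such a comparison tolerant of the seconds value ticking over between the two exports, as an added example rather than the project's test code (the CRL text below is constructed in the shape OpenSSL's text export uses):

```python
import re
from datetime import datetime

# Only the Last/Next Update lines are generated from the clock at export time;
# every other line must still match exactly.
_UPDATE_RE = re.compile(
    r"^(\s*(?:Last|Next) Update:\s*)(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4} GMT)\s*$"
)


def _parse_gmt(text):
    """Parse OpenSSL's 'Apr 19 22:36:25 2014 GMT' notation (tolerating the padded day)."""
    return datetime.strptime(" ".join(text.split()), "%b %d %H:%M:%S %Y GMT")


def crl_text_equal(a, b, tolerance_seconds=2):
    """True if two textual CRL exports are identical except for update
    timestamps that differ by at most tolerance_seconds."""
    lines_a, lines_b = a.splitlines(), b.splitlines()
    if len(lines_a) != len(lines_b):
        return False
    for la, lb in zip(lines_a, lines_b):
        if la == lb:
            continue
        ma, mb = _UPDATE_RE.match(la), _UPDATE_RE.match(lb)
        # Both lines must be the same timestamp field, differing only in the time.
        if not (ma and mb) or ma.group(1) != mb.group(1):
            return False
        delta = abs((_parse_gmt(ma.group(2)) - _parse_gmt(mb.group(2))).total_seconds())
        if delta > tolerance_seconds:
            return False
    return True


# Constructed sample: two exports of the same CRL one second apart.
SAMPLE_A = """Certificate Revocation List (CRL):
        Version 1 (0x0)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=US/O=Example Test CA/CN=Example Test CA
        Last Update: Apr 19 22:36:25 2014 GMT
        Next Update: Apr 19 22:36:25 2014 GMT
Revoked Certificates:
    Serial Number: 03AB
        Revocation Date: Apr 19 22:30:00 2014 GMT
"""
SAMPLE_B = SAMPLE_A.replace("Last Update: Apr 19 22:36:25", "Last Update: Apr 19 22:36:26")
```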
Using system Python (2.7.2) and OpenSSL (0.9.8y) I consistently see the following test failure:
======================================================================
FAIL: test_wantWriteError (OpenSSL.test.test_ssl.ConnectionTests)
----------------------------------------------------------------------
Traceback (most recent call last):
File "/Users/jerith/code/pyopenssl/OpenSSL/test/test_ssl.py", line 1780, in test_wantWriteError
self.assertRaises(WantWriteError, conn.do_handshake)
File "/Users/jerith/code/pyopenssl/OpenSSL/test/util.py", line 262, in failUnlessRaises
exception.__name__,
AssertionError: <class 'OpenSSL.SSL.WantReadError'> raised instead of WantWriteError
----------------------------------------------------------------------
Is it time for a release yet? There's new functionality (like X509Req.get_extensions) that is not currently available in the PyPI version because there have been no releases due to open issues, yet there's only one issue and it's documentation-related.
Please release!
The following is a wrong issue reported by me (evilaliv3). Sorry for the inconvenience.
Given the vulnerability https://www.openssl.org/news/secadv_20140407.txt that affects OpenSSL 1.0.1 and 1.0.2-beta, it would be important to provide pyOpenSSL users a security notice in order to invite them to recompile pyOpenSSL on production environments against OpenSSL 1.0.1g.
Steps to do so:
[INSTALL OpenSSL 1.0.1g, it depends on the distribution used]
pip uninstall pyOpenssl -y
pip install pyOpenssl==0.14
[restart deployed applications]
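The build-time version check proposed in the "0.14.1"/"0.13.1" request above, and the recompile-against-1.0.1g notice here, both come down to asking the linked OpenSSL which version it is. The following is an added example of that check (not pyOpenSSL's setup.py): it decodes the OPENSSL_VERSION_NUMBER integer that OpenSSL.SSL really exports, flags the affected range from the advisory (1.0.1 up to 1.0.1f, and conservatively any 1.0.2 pre-release), and honours the proposed, hypothetical "--affirm-heartbleed-fix-is-present" override for distribution libraries that carry a backported fix under the original version number.

```python
import sys

# Option name taken from the proposal above; it is not a real pyOpenSSL build flag.
AFFIRM_FLAG = "--affirm-heartbleed-fix-is-present"
ADVISORY = "https://www.openssl.org/news/secadv_20140407.txt"


def parse_openssl_version(number):
    """Split OPENSSL_VERSION_NUMBER (0xMNNFFPPS) into major, minor, fix, patch, status."""
    return (
        (number >> 28) & 0xF,    # major
        (number >> 20) & 0xFF,   # minor
        (number >> 12) & 0xFF,   # fix
        (number >> 4) & 0xFF,    # patch letter: 0 = none, 1 = 'a', ..., 6 = 'f', 7 = 'g'
        number & 0xF,            # status: 0 = dev, 1..14 = beta N, 15 = release
    )


def format_openssl_version(number):
    """Render the integer the way OpenSSL names releases, e.g. 1.0.1f or 1.0.2-beta1."""
    major, minor, fix, patch, status = parse_openssl_version(number)
    text = "%d.%d.%d" % (major, minor, fix)
    if patch:
        text += chr(ord("a") + patch - 1)
    if status == 0:
        text += "-dev"
    elif status < 0xF:
        text += "-beta%d" % status
    return text


def is_heartbleed_affected(number):
    """Affected range per the advisory: 1.0.1 through 1.0.1f, and the 1.0.2 betas."""
    major, minor, fix, patch, status = parse_openssl_version(number)
    if (major, minor, fix) == (1, 0, 1):
        return patch < 7          # fixed in 1.0.1g (patch 7)
    if (major, minor, fix) == (1, 0, 2):
        return status != 0xF      # conservative: treat every 1.0.2 pre-release as affected
    return False


def build_check(number, argv):
    """Return (allowed, message) for the OpenSSL the build is about to link against."""
    version = format_openssl_version(number)
    if not is_heartbleed_affected(number):
        return True, "OpenSSL %s is outside the range listed in %s" % (version, ADVISORY)
    if AFFIRM_FLAG in argv:
        return True, "OpenSSL %s reports an affected version; builder affirmed a backported fix" % version
    return False, "refusing to build against OpenSSL %s, see %s" % (version, ADVISORY)


if __name__ == "__main__":
    try:
        from OpenSSL.SSL import OPENSSL_VERSION_NUMBER   # real constant exported by pyOpenSSL
    except ImportError:
        OPENSSL_VERSION_NUMBER = 0x1000106F                # constructed sample: 1.0.1f
    allowed, message = build_check(OPENSSL_VERSION_NUMBER, sys.argv[1:])
    print(message)
    sys.exit(0 if allowed else 1)
```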
distutils.errors.DistutilsError: Setup script exited with error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
I am using ubuntu 13.10