Weird M2Crypto bug - phony "peer did not return certificate" error

Here's a weird problem:

I have a little test case for M2Crypto, which just opens up SSL connections to
web servers and reads their certificates. This works fine.

But if I execute

socket.setdefaulttimeout(5.0)

so that the sockets don't wait too long if there's no SSL server, I get
a "peer did not return certificate" exception every time.

Environment:
Windows 2000 SP 4
M2Crypto: M2Crypto-0.17.win32-py2.4.exe
Python: Python 2.4.4 (#71, Oct 18 2006, 08:34:43)
OpenSSL: Win32 OpenSSL v0.9.8d

Notes:
Running M2Crypto does NOT use the version of OpenSSL that comes
with Python. You have to install OpenSSL separately, or
M2Crypto's DLL won't find the OpenSSL DLLS.

There's a good chance that this may be related to:

[ python-Bugs-1098618 ] socket.setdefaulttimeout() breaks smtplib.starttls()

But that should have been fixed in Python 2.4.4, right? Or did that patch
not make it in?

John Nagle

(And no, I can't run Python 2.5, because MySQLdb support doesn't work for
2.5 yet.)

Jan 10 '07 #1
John Nagle wrote:
> I have a little test case for M2Crypto, which just opens up SSL
> connections to web servers and reads their certificates. This works fine.
>
> But if I execute
>
> socket.setdefaulttimeout(5.0)

Yup, this is a known problem; it breaks all M2Crypto code that uses
sockets. The Twisted wrapper part still works, as it hands the network
activity to Twisted.

If you can make do without setdefaulttimeout you should be fine.

This is bug https://bugzilla.osafoundation.org/show_bug.cgi?id=2341

The bug has a patch that works on Linux, but it would need Windows and
Mac specific parts before it can be checked in.

--
Heikki Toivonen
Jan 10 '07 #2
That's a problem for me. I need short timeouts; I'm accessing sites
that might or might not have SSL support, and I need to quickly time
out when there's no SSL server.

PyOpenSSL handles timeout correctly, but M2Crypto does not. On the
other hand, M2Crypto actually checks certificates, which PyOpenSSL does
not. So we have two broken implementations.

Python needs a merge here. Read Guido van Rossum's rant on M2Crypto:

http://www.artima.com/weblogs/viewpost.jsp?thread=95863

Both of these packages contain wrappers for OpenSSL, but both wrappers
are incompatible and buggy. M2Crypto also has some Python components.
The PyOpenSSL wrapper, which ships with Python, doesn't expose enough
of the OpenSSL API. M2Crypto exposes more of the API, but doesn't work
as well.

What's probably needed is to implement the additional API functions of
the M2Crypto wrapper in the PyOpenSSL wrapper, so that the M2Crypto
components written in Python could be used with it. Then we'd have one
good implementation instead of two broken ones.

John Nagle
na***@animats.com

(News feed broken, using Google Groups as backup.)

Jan 11 '07 #3
na***@animats.com wrote:
> That's a problem for me. I need short timeouts; I'm accessing sites
> that might or might not have SSL support, and I need to quickly time
> out when there's no SSL server.

You should be able to do short timeouts, just not using the global
setdefaulttimeout. Have you tried Connection.set_socket_read/write_timeout?

Also, like I mentioned before, if you use the Twisted wrapper and let
Twisted handle network stuff you should be fine.

> Python needs a merge here. Read Guido van Rossum's rant on M2Crypto:
>
> http://www.artima.com/weblogs/viewpost.jsp?thread=95863

That's old news; I believe I have fixed all of the issues mentioned
there already in the 0.16 release.

> What's probably needed is to implement the additional API functions of
> the M2Crypto wrapper in the PyOpenSSL wrapper, so that the M2Crypto
> components written in Python could be used with it. Then we'd have one
> good implementation instead of two broken ones.

M2Crypto and pyOpenSSL (and pyOpenSSL-extended, which you might want to
take a look at as well) are implemented pretty differently, so merging
seems unlikely. They are pretty small code-wise, though, so it is not an
impossible task.

Personally I think I'd prefer if Python stdlib contained a better SSL
module that did at least all the checks required for safe SSL
connection. (Yeah, yeah, maybe I need to write it myself if nobody else
gets to it;)

--
Heikki Toivonen
Jan 11 '07 #4
Heikki Toivonen wrote:
> na***@animats.com wrote:
>> That's a problem for me. I need short timeouts; I'm accessing sites
>> that might or might not have SSL support, and I need to quickly time
>> out when there's no SSL server.
>
> You should be able to do short timeouts, just not using the global
> setdefaulttimeout. Have you tried Connection.set_socket_read/write_timeout?

Yes. That does not affect the connect timeout; it's only effective once
the connection has been opened. And adjusting the session timeout
just recreates the blocking/non-blocking problem.

Incidentally, "get_socket_read_timeout()" doesn't work. Generates
"EXCEPTION at socket level: unpack str size does not match format",
every time, at least with Python 2.4 on Windows. The lower level
function returns one number as a string, like "7200", and the unpack
function tries to unpack it as "ll", which fails.

> Also, like I mentioned before, if you use the Twisted wrapper and let
> Twisted handle network stuff you should be fine.

That would mean struggling with Twisted and dealing with its bugs.
(For example, has the MySQLdb mess been resolved for Twisted's API?)
This isn't a long-running application; it usually runs as a CGI program.
So Twisted is inappropriate.

> M2Crypto and pyOpenSSL (and pyOpenSSL-extended, which you might want to
> take a look at as well) are implemented pretty differently, so merging
> seems unlikely. They are pretty small code-wise, though, so it is not an
> impossible task.

That seemed a good idea, and so I downloaded the source and tried to build
it on a Windows machine to run with Python 2.4. But that build needs
(exactly) Visual Studio 7.1, which I don't have. It also wants a specific
version of OpenSSL, and has a build file which seems to assume a 1998 version
of Visual C++. The last change was in 1995, and it's still at an 0.x version,
so it's effectively abandonware. I have some doubts that it really works
any more. I saw some Python 2.2/2.3 specific code in there.

I could try building on a Linux system, but it's useful to me if Python
works on both Windows and Linux.

> Personally I think I'd prefer if Python stdlib contained a better SSL
> module that did at least all the checks required for safe SSL
> connection. (Yeah, yeah, maybe I need to write it myself if nobody else
> gets to it;)

What I need is proper SSL operation, certificate chain validation,
useful exception info when a connection fails (including why), and
read access to the certificate itself in some reasonably sane form.
And I need to time out an SSL connection if it can't connect and
verify within 4 seconds. It's embarrassing that this doesn't work,
despite four different wrappers for OpenSSL.

I'm willing to spend a few hundred dollars towards making this happen.

John Nagle
Jan 12 '07 #5
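The get_socket_read_timeout() failure described in the post above is a fixed-width unpack applied to a buffer whose size depends on the platform. The following is an added example, not M2Crypto's code, written with the Python 3 stdlib: it assumes the wrapper reads the socket's SO_RCVTIMEO option (the "ll" format in the error message suggests a struct timeval), and decodes the raw getsockopt buffer by its length, since on Windows that option is a 4-byte DWORD of milliseconds and on POSIX systems a struct timeval of two C longs. When the buffer matches neither, it raises a descriptive ValueError instead of the opaque struct error. The names decode_rcvtimeo, encode_rcvtimeo, get_socket_read_timeout, set_socket_read_timeout and roundtrip are this example's own.

```python
import socket
import struct
import sys

# Platform-dependent wire formats of SO_RCVTIMEO (assumption stated in the lead-in):
#   Windows: DWORD, milliseconds                      -> 4 bytes
#   POSIX:   struct timeval { long tv_sec; long tv_usec; } -> struct "ll"
TIMEVAL_FMT = "ll"
TIMEVAL_SIZE = struct.calcsize(TIMEVAL_FMT)


def decode_rcvtimeo(raw):
    """Return the receive timeout in seconds held in a raw getsockopt buffer.

    Checks the buffer length before unpacking, so a mismatch produces a clear
    error rather than Python 2's "unpack str size does not match format" (or
    Python 3's "unpack requires a buffer of N bytes").
    """
    if len(raw) == 4:
        (millis,) = struct.unpack("I", raw)        # Windows DWORD, milliseconds
        return millis / 1000.0
    if len(raw) == TIMEVAL_SIZE:
        sec, usec = struct.unpack(TIMEVAL_FMT, raw)  # POSIX struct timeval
        return sec + usec / 1e6
    raise ValueError(
        "SO_RCVTIMEO buffer is %d bytes; expected 4 (Windows DWORD) "
        "or %d (struct timeval)" % (len(raw), TIMEVAL_SIZE)
    )


def encode_rcvtimeo(seconds):
    """Inverse of decode_rcvtimeo for the platform this code is running on."""
    if sys.platform == "win32":
        return struct.pack("I", int(round(seconds * 1000)))
    sec = int(seconds)
    usec = int(round((seconds - sec) * 1e6))
    return struct.pack(TIMEVAL_FMT, sec, usec)


def get_socket_read_timeout(sock):
    """Kernel-level receive timeout of sock in seconds (0.0 means none)."""
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_RCVTIMEO, 64)
    return decode_rcvtimeo(raw)


def set_socket_read_timeout(sock, seconds):
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVTIMEO, encode_rcvtimeo(seconds))


def roundtrip(seconds):
    """Set and read back the receive timeout on a throwaway TCP socket.

    Returns (timeout before setting, timeout read back after setting).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        before = get_socket_read_timeout(s)
        set_socket_read_timeout(s, seconds)
        return before, get_socket_read_timeout(s)
    finally:
        s.close()


if __name__ == "__main__":
    print("timeval size on this platform:", TIMEVAL_SIZE)
    print("roundtrip(2.5) ->", roundtrip(2.5))
```

Note that this kernel-level option is independent of Python's own socket.settimeout(), which is implemented with select()/poll() rather than SO_RCVTIMEO; the decoder only makes the read-back robust, it does not change how the socket times out.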
OK, I have a one-line fix.

To Connection.py of M2Crypto:

    def connect(self, addr):
        self.socket.connect(addr)
        self.addr = addr
        self.socket.settimeout(None)   # Back to normal timeout (NEW)
        self.setup_ssl()
        self.set_connect_state()
        ret = self.connect_ssl()
        check = getattr(self, 'postConnectionCheck', self.clientPostConnectionCheck)
        if check is not None:
            if not check(self.get_peer_cert(), self.addr[0]):
                raise Checker.SSLVerificationError, 'post connection check failed'
        return ret
After the socket is connected, we turn its timeout off.

The effect is that if the caller sets

socket.setdefaulttimeout(timeoutsecs)

before creating the Connection object, that will set the connection
timeout. The socket will be created as non-blocking, but before
any reads or writes are done, we clear the timeout, making it blocking
again. So the connection will time out as requested, but we won't
get errors because the socket is non-blocking and is being used by
code that expects it to block.

Gets usable connection timeouts, and prevents bogus "peer did not
return certificate" errors.

John Nagle
Animats

Jan 12 '07 #6
John Nagle wrote:
>     def connect(self, addr):
>         self.socket.connect(addr)
>         self.addr = addr
>         self.socket.settimeout(None)   # Back to normal timeout (NEW)

I am not sure if this is always appropriate. In fact, doesn't this just
eliminate the timeout completely from this connection?

In your case you could achieve what you want by calling the
connection_object.socket.settimeout(4.0) method just before calling
connect, without needing to edit M2Crypto itself.

setdefaulttimeout, socket.settimeout and socket.setblocking are pretty
confusing...

--
Heikki Toivonen
Jan 13 '07 #7
Heikki Toivonen wrote:
> John Nagle wrote:
>>     def connect(self, addr):
>>         self.socket.connect(addr)
>>         self.addr = addr
>>         self.socket.settimeout(None)   # Back to normal timeout (NEW)
>
> I am not sure if this is always appropriate. In fact, doesn't this just
> eliminate the timeout completely from this connection?
>
> In your case you could achieve what you want by calling the
> connection_object.socket.settimeout(4.0) method just before calling
> connect, without needing to edit M2Crypto itself.

No, this actually works right. It seems that the default timeout
controls the timeout on TCP connect, but puts the socket into
non-blocking mode. So if, as soon as a TCP connection is
opened but before the SSL handshake starts, the socket timeout
is set to None, then the socket returns to blocking mode before
its first read.

At least on Windows. More later on how this works on Linux.

John Nagle
Jan 13 '07 #8