Comments (4)
alex
commented on June 3, 2024
To ask a maybe obvious question: Do your tests do TLS over a pipe?
…On Wed, Feb 22, 2023 at 4:17 PM Shane Harvey ***@***.***> wrote:
In pymongo we have various tests to ensure that TLS is configured
correctly. One such test is when the server is configured to require a
client cert but the client does not present one. In this test we expect the
client to see an error with "certificate required", "SSL handshake failed",
"Connection reset by peer", or one of the equivalent errnos (like
ECONNRESET) but we're actually seeing pyopenssl raise (32, 'EPIPE') on
macOS (in https://jira.mongodb.org/browse/PYTHON-3607). My understanding
is that EPIPE indicates a bug in openssl/pyopenssl, what do you think?
Here's more info about the environment:
Collecting cryptography>=2
Using cached cryptography-39.0.1-cp36-abi3-macosx_10_12_x86_64.whl (2.9 MB)
....
Collecting dnspython<3.0.0,>=1.16.0
Using cached dnspython-2.3.0-py3-none-any.whl (283 kB)
Collecting pymongo-auth-aws<2.0.0
Using cached pymongo_auth_aws-1.1.0-py2.py3-none-any.whl (11 kB)
Collecting pyopenssl>=17.2.0
Using cached pyOpenSSL-23.0.0-py3-none-any.whl (57 kB)
Requirement already satisfied: requests<3.0.0 in ./venv-encryption/lib/python3.9/site-packages (from pymongo==4.4.0.dev1) (2.28.2)
Collecting service_identity>=18.1.0
Using cached service_identity-21.1.0-py2.py3-none-any.whl (12 kB)
Requirement already satisfied: certifi in ./venv-encryption/lib/python3.9/site-packages (from pymongo==4.4.0.dev1) (2022.12.7)
Requirement already satisfied: boto3 in ./venv-encryption/lib/python3.9/site-packages (from pymongo-auth-aws<2.0.0->pymongo==4.4.0.dev1) (1.26.73)
Requirement already satisfied: botocore in ./venv-encryption/lib/python3.9/site-packages (from pymongo-auth-aws<2.0.0->pymongo==4.4.0.dev1) (1.29.73)
Requirement already satisfied: cryptography<40,>=38.0.0 in ./venv-encryption/lib/python3.9/site-packages (from pyopenssl>=17.2.0->pymongo==4.4.0.dev1) (39.0.1)
Requirement already satisfied: idna<4,>=2.5 in ./venv-encryption/lib/python3.9/site-packages (from requests<3.0.0->pymongo==4.4.0.dev1) (3.4)
Requirement already satisfied: urllib3<1.27,>=1.21.1 in ./venv-encryption/lib/python3.9/site-packages (from requests<3.0.0->pymongo==4.4.0.dev1) (1.26.14)
Requirement already satisfied: charset-normalizer<4,>=2 in ./venv-encryption/lib/python3.9/site-packages (from requests<3.0.0->pymongo==4.4.0.dev1) (3.0.1)
Collecting pyasn1-modules
Using cached pyasn1_modules-0.2.8-py2.py3-none-any.whl (155 kB)
Collecting attrs>=19.1.0
Using cached attrs-22.2.0-py3-none-any.whl (60 kB)
Requirement already satisfied: six in ./venv-encryption/lib/python3.9/site-packages (from service_identity>=18.1.0->pymongo==4.4.0.dev1) (1.16.0)
Collecting pyasn1
Using cached pyasn1-0.4.8-py2.py3-none-any.whl (77 kB)
Requirement already satisfied: cffi>=1.12 in ./venv-encryption/lib/python3.9/site-packages (from cryptography<40,>=38.0.0->pyopenssl>=17.2.0->pymongo==4.4.0.dev1) (1.15.1)
Requirement already satisfied: jmespath<2.0.0,>=0.7.1 in ./venv-encryption/lib/python3.9/site-packages (from boto3->pymongo-auth-aws<2.0.0->pymongo==4.4.0.dev1) (1.0.1)
Requirement already satisfied: s3transfer<0.7.0,>=0.6.0 in ./venv-encryption/lib/python3.9/site-packages (from boto3->pymongo-auth-aws<2.0.0->pymongo==4.4.0.dev1) (0.6.0)
Requirement already satisfied: python-dateutil<3.0.0,>=2.1 in ./venv-encryption/lib/python3.9/site-packages (from botocore->pymongo-auth-aws<2.0.0->pymongo==4.4.0.dev1) (2.8.2)
Requirement already satisfied: pycparser in ./venv-encryption/lib/python3.9/site-packages (from cffi>=1.12->cryptography<40,>=38.0.0->pyopenssl>=17.2.0->pymongo==4.4.0.dev1) (2.21)
Building wheels for collected packages: pymongo
Building wheel for pymongo (setup.py): started
Building wheel for pymongo (setup.py): finished with status 'done'
Created wheel for pymongo: filename=pymongo-4.4.0.dev1-cp39-cp39-macosx_11_0_x86_64.whl size=385239 sha256=6907c24d0b03797d5cbe1245fb6ac1bc786e92b4e0a40c82c029112bc9ef858f
Stored in directory: /System/Volumes/Data/data/mci/4527dad69325df5546afe7b616b18d7d/drivers-tools/.evergreen/orchestration/db/pip-ephem-wheel-cache-ldh4fy0r/wheels/39/f3/d9/27a37bbf2df83660f5cbf8bae4a0c81495ac5a49e4975b8ea9
Successfully built pymongo
Installing collected packages: pyasn1, pyasn1-modules, dnspython, attrs, pymongo, service_identity, pyopenssl, pymongo-auth-aws
Successfully installed attrs-22.2.0 dnspython-2.3.0 pyasn1-0.4.8 pyasn1-modules-0.2.8 pymongo-4.4.0.dev1 pymongo-auth-aws-1.1.0 pyopenssl-23.0.0 service_identity-21.1.0
Python version:
3.9.10 (main, Jan 15 2022, 11:48:00)
[Clang 13.0.0 (clang-1300.0.29.3)]
macOS 11
—
Reply to this email directly, view it on GitHub
<#1189>, or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAAGBHFRSJYOFGNKX2QVTLWYZ65RANCNFSM6AAAAAAVE2XUK4>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
--
All that is necessary for evil to succeed is for good people to do nothing.
from pyopenssl.
ShaneHarvey
commented on June 3, 2024
No pipes, just standard tcp sockets. I actually just remembered that we're using pykmip in these tests and these errors might be caused by it's funky use of shutdown() which I'm trying to fix in: OpenKMIP/PyKMIP#682
It would be possible to confirm that theory by testing the "server requires certs but the client does not present one" case using only pyopenssl.
from pyopenssl.
ShaneHarvey
commented on June 3, 2024
Update, I just tested two scenarios:
- A MongoDB server (running locally on macOS) configured to require client certs.
- A PyKMIP server configured to require client certs with and without the fix for OpenKMIP/PyKMIP#682.
In 1) I correctly see this error:
>>> Traceback (most recent call last):
File "/Users/shane/git/mongo-python-driver/pymongo/pool.py", line 1061, in _configured_socket
sock = ssl_context.wrap_socket(sock, server_hostname=host)
File "/Users/shane/git/mongo-python-driver/pymongo/pyopenssl_context.py", line 369, in wrap_socket
ssl_conn.do_handshake()
File "/Users/shane/git/mongo-python-driver/pymongo/pyopenssl_context.py", line 125, in do_handshake
return self._call(super(_sslConn, self).do_handshake, *args, **kwargs)
File "/Users/shane/git/mongo-python-driver/pymongo/pyopenssl_context.py", line 108, in _call
return call(*args, **kwargs)
File "/Users/shane/work/pycharm/pymongo-py310/lib/python3.10/site-packages/OpenSSL/SSL.py", line 2075, in do_handshake
self._raise_ssl_error(self._ssl, result)
File "/Users/shane/work/pycharm/pymongo-py310/lib/python3.10/site-packages/OpenSSL/SSL.py", line 1715, in _raise_ssl_error
_openssl_assert(
File "/Users/shane/work/pycharm/pymongo-py310/lib/python3.10/site-packages/OpenSSL/_util.py", line 71, in openssl_assert
exception_from_error_queue(error)
File "/Users/shane/work/pycharm/pymongo-py310/lib/python3.10/site-packages/OpenSSL/_util.py", line 57, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.SSL.Error: [('STORE routines', '', 'unregistered scheme'), ('system library', '', ''), ('STORE routines', '', 'unregistered scheme'), ('system library', '', ''), ('SSL routines', '', 'certificate verify failed')]In 2) I see EPIPE:
File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 726, in create_data_key
return self._encryption.create_data_key(
File "/Users/shane/work/pycharm/pymongo-py310/lib/python3.10/site-packages/pymongocrypt/explicit_encrypter.py", line 174, in create_data_key
key = run_state_machine(ctx, self.callback)
File "/Users/shane/work/pycharm/pymongo-py310/lib/python3.10/site-packages/pymongocrypt/state_machine.py", line 150, in run_state_machine
callback.kms_request(kms_ctx)
File "/Users/shane/git/mongo-python-driver/pymongo/encryption.py", line 143, in kms_request
conn.sendall(message)
File "/Users/shane/git/mongo-python-driver/pymongo/pyopenssl_context.py", line 151, in sendall
sent = self._call(super(_sslConn, self).send, view[total_sent:], flags)
File "/Users/shane/git/mongo-python-driver/pymongo/pyopenssl_context.py", line 108, in _call
return call(*args, **kwargs)
File "/Users/shane/work/pycharm/pymongo-py310/lib/python3.10/site-packages/OpenSSL/SSL.py", line 1899, in send
self._raise_ssl_error(self._ssl, result)
File "/Users/shane/work/pycharm/pymongo-py310/lib/python3.10/site-packages/OpenSSL/SSL.py", line 1699, in _raise_ssl_error
raise SysCallError(errno, errorcode.get(errno))
OpenSSL.SSL.SysCallError: (32, 'EPIPE')Interestingly, from this trace I can see that the client thinks the TLS handshake completed successfully (do_handshake() completes without error) but then the connection raises EPIPE on the first send() of application data.
The kmip server is here https://github.com/mongodb-labs/drivers-evergreen-tools/blob/62f34e8/.evergreen/csfle/kms_http_server.py#L231:
$ bash
$ git clone [email protected]:mongodb-labs/drivers-evergreen-tools.git
$ cd drivers-evergreen-tools/.evergreen/csfle
$ . activate_venv.sh
$ python -u kms_http_server.py --ca_file ../x509gen/ca.pem --cert_file ../x509gen/server.pem --port 8002 --require_client_cert
Mock KMS Web Server Listening on port 8002
from pyopenssl.
ShaneHarvey
commented on June 3, 2024
There's some work I could do here to try and create a minimal repro but I won't have time for a while. In the meantime, any theories would be appreciated!
from pyopenssl.
Related Issues (20)
- Selection of PKCS12 MAC algorithm HOT 1
- MemoryError: Cannot allocate write+execute memory for ffi.callback() in ASLR enabled machine - FreeBSD HOT 2
- Latest version of the pyopenssl library giving following error HOT 16
- Implement PyOpenSSL deprecated functions as calls into Cryptography library HOT 3
- Use SSL_session_reused API HOT 1
- RemoveError: 'pyopenssl' is a dependency of conda and cannot be removed from conda's operating environment. HOT 2
- Add support for retrieving negotiated SRTP profile HOT 4
- pyopenssl-23.3.0 is incompatible with the latest cryptography 42.0.0
- [docs] Use Furo?
- TLS 1.3 Session Resumption with PSKs in pyopenssl? HOT 1
- RFE: is it possible to start making github releases?🤔 HOT 2
- Support for `cryptography.X509.Extensions` in `pyopenssl.X509.add_extensions` etc? HOT 2
- 24.1.0: pytest fails in 3 units and some pytest warnings HOT 12
- 24.1.0: sphinx warnings `reference target not found` HOT 1
- CVE-2023-6129 Safety vulnerability HOT 1
- Some X509 Tests fail on v24.1.0 HOT 1
- Add SSL_OP_CLEANSE_PLAINTEXT to exported set of options
- Use of a Broken or Risky Cryptographic Algorithm [Snyk Vulnerability] HOT 1
- expose `SSL_set_info_callback` (i.e. `Connection.set_info_callback`)
- X.509Name.get_components() doesn't process Subject values like X.509Name.__getattr__() does with Unicode strings. HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from pyopenssl.