From: jmeile at HOTMAIL.COM (Josef Meile)
Date: Thu, 8 Sep 2005 16:27:22 +0200
Subject: [PYTHON-CRYPTO] m2crypto 0.13 doesn't work with python 2.1.3

Hi,

when installing m2crypto 0.13 in python 2.1.3, the tests failed with the following error:

ImportError: /usr/local/Python-2.1.3/lib/python2.1/site-packages/M2Crypto/__m2crypto.so: undefined symbol: PyString_FromFormat

I searched in google and found that PyString_FromFormat was introduced in 2.2, so the prerequisites are wrong: m2crypto doesn't support python 2.1.3. I really need to install it because I'm using zope 2.6.4rc2, which depends on python 2.1.3. Where can I find the latest m2crypto version compatible with this python version?

Regards,
Josef Meile


From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen)
Date: Thu, 8 Sep 2005 11:50:58 -0700
Subject: [PYTHON-CRYPTO] m2crypto 0.13 doesn't work with python 2.1.3
Message-ID: <43208812.3000801@osafoundation.org>

Josef Meile wrote:
> when installing m2crypto 0.13 in python 2.1.3, the tests failed with the
> following error:

You are the first person to request support for such an old Python version. I posted a question about required Python versions back in May 2005 and only got responses that stated 2.3 and newer would be fine.

I did file your request as https://bugzilla.osafoundation.org/show_bug.cgi?id=3953 but I don't think I'll get to it unless there is more demand for it. I do accept patches that don't break compatibility, though.

-- 
Heikki Toivonen

From: pycry at DOLI.BIZ (Michael Vartanyan)
Date: Thu, 8 Sep 2005 23:08:03 +0200
Subject: [PYTHON-CRYPTO] CPU 99% + bad write retry - once again
Message-ID: <4320A833.7010607@doli.biz>

I am using 0.15 from svn with Zope 2.7.6. I used the Zope 2.7 installation instructions from 0.13 with a small compatibility patch in datatypes.py. Client authentication is on. Generally it works fine, but every once in a while, especially when serving longer pages/content (in particular PDF), the CPU load goes up to 99% for about a minute and then the request fails, leaving "xxx requests: bad write retry".

I applied the fix Ng was talking about here http://sandbox.rulemaker.net/ngps/199 and here https://listserv.surfnet.nl/scripts/wa.exe?A2=ind0501&L=PYTHON-CRYPTO&P=R1100&I=-3 without success. Any ideas?

... it would actually be very cool to have the Zope 2.7 installation package back in the distribution...

Thanks!


From: edhotchkiss at GMAIL.COM (Ed Hotchkiss)
Date: Thu, 15 Sep 2005 23:58:28 -0400
Subject: [PYTHON-CRYPTO] downloading pycrypto

When I try and download pycrypto off of the website, the file downloads fine, but it is only 150k and will not open with any application; I get an error. The file size listed is 164k. Anyone have an idea or the actual file? Thanks a lot ...

-- 
edward hotchkiss

From: rune.froysa at USIT.UIO.NO (Rune Froysa)
Date: Fri, 16 Sep 2005 13:12:12 +0200
Subject: [PYTHON-CRYPTO] m2crypto blocking all other threads

I'm using m2crypto for an SSL-based xmlrpc service. This service is frequently DOSed by what appears to be a bug in m2crypto: it blocks all other threads at various points. I've attached a small program that shows this behaviour. Start the server. It will keep printing "test" from a separate thread. Now, telnet to the 9443 port and do nothing. You'll notice that after the "LOOP: SSL accept: before/accept initialization" message, no more "test" messages are printed. The server will not respond to any new connections until this connection has done something. This has been verified with v 0.07, 0.09, 0.13, 0.15.

At some points we experience processes that according to strace are waiting for a read on a remote socket, while a check on the remote host reveals that no process is talking on that socket anymore. I'm not sure if that is related.

    #!/usr/bin/env python
    import sys, time, threading

    # demo helpers shipped with M2Crypto 0.15 (init_context, HTTPS_Server, HTTP_Handler)
    demo_dir = '/tmp/m2crypto-0.15/demo/ssl'
    sys.path.insert(0, demo_dir)

    from https_srv import *

    def my_wt():
        # heartbeat thread: it stops printing while the accept loop is blocked
        while True:
            time.sleep(0.5)
            print "test"

    if __name__ == '__main__':
        threading.Thread(target=my_wt).start()
        ctx = init_context('sslv23', '%s/server.pem' % demo_dir, '%s/ca.pem' % demo_dir,
                           SSL.verify_none)
        httpsd = HTTPS_Server(('', 9443), HTTP_Handler, ctx)
        httpsd.serve_forever()

BTW: under 0.15, the https_srv.py complains from line 126 -> SSL/Context.py: 118:
TypeError: ssl_ctx_load_verify_locations() argument 3 must be string, not None

-- 
Rune Frøysa

From: edhotchkiss at GMAIL.COM (Ed Hotchkiss)
Date: Sun, 18 Sep 2005 16:35:02 -0400
Subject: [PYTHON-CRYPTO] Best Encryption for Python Client/Server

Let us say that I am trying to create a very small and simple private network/connection between several scripts on different machines, to communicate instructions/data/files etc. to each other over the net. Is SSL the best method? Any recommendations of something to get started with? Thanks in advance.

-- 
Edward hotchkiss

From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen)
Date: Wed, 21 Sep 2005 21:51:43 -0700
Subject: [PYTHON-CRYPTO] m2crypto blocking all other threads
Message-ID: <4332385F.7090500@osafoundation.org>

Rune Froysa wrote:
> I'm using m2crypto for a SSL-based xmlrpc service. This service is
> frequently DOSed by what appears to be a bug in m2crypto: it blocks

It seems like this is user error. In a multithreaded application you need to initialize M2Crypto for threading. With those changes your sample works for me. See below:

> #!/usr/bin/env python
> import sys, time, threading
from M2Crypto import threading as m2threading
> demo_dir='/tmp/m2crypto-0.15/demo/ssl'
> sys.path.insert(0, demo_dir)
>
> from https_srv import *
>
> def my_wt():
>     while True:
>         time.sleep(0.5)
>         print "test"
>
> if __name__ == '__main__':
    m2threading.init()
>     threading.Thread(target=my_wt).start()
>     ctx = init_context('sslv23', '%s/server.pem' % demo_dir, '%s/ca.pem' % demo_dir,
>                        SSL.verify_none)
>     httpsd = HTTPS_Server(('', 9443), HTTP_Handler, ctx)
>     httpsd.serve_forever()
    m2threading.cleanup()

> BTW: under 0.15, the https_srv.py complains from line 126 -> SSL/Context.py: 118:
> TypeError: ssl_ctx_load_verify_locations() argument 3 must be string, not None

This does not happen for me.

Please note that I did find a bug in Connection.py regarding handling of post connection checks and just fixed them.

-- 
Heikki Toivonen

From: edhotchkiss at GMAIL.COM (Ed Hotchkiss)
Date: Thu, 22 Sep 2005 02:33:25 -0400
Subject: [PYTHON-CRYPTO] strongest encryption for pycrypto?

Which supported algorithm for pycrypto is the safest/strongest? Thanks in advance.

-- 
edward hotchkiss

From: rune.froysa at USIT.UIO.NO (Rune Froysa)
Date: Fri, 23 Sep 2005 11:22:48 +0200
Subject: [PYTHON-CRYPTO] m2crypto blocking all other threads
In-Reply-To: <4332385F.7090500@osafoundation.org>
References: <4332385F.7090500@osafoundation.org>

Heikki Toivonen writes:
> Rune Froysa wrote:
> > I'm using m2crypto for a SSL-based xmlrpc service. This service is
> > frequently DOSed by what appears to be a bug in m2crypto: it blocks
>
> It seems like this is user error. In a multithreaded application you
> need to initialize M2Crypto for threading. With those changes your
> sample works for me. See below:

Sorry about that. Is this documented some place? For some reason, demo/ssl/https_srv.py works without it (two "openssl s_client -connect localhost:19443" can connect simultaneously without problems). However, a "telnet localhost 19443" first will prevent any later s_clients from reaching past the "CONNECTED(00000003)" state.

The threading.init() trick seems to work for my previous example, but if I add a threading.init() to line 135 (first in __main__) of demo/ssl/https_srv.py, I get a segfault when a client connects (python 2.3.4). (It works if I actually have created a separate thread):

    Starting program: /usr/bin/python https_srv.py
    [Thread debugging using libthread_db enabled]
    [New Thread -1208785216 (LWP 12122)]

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread -1208785216 (LWP 12122)]
    0x00dbdb4a in sem_post@GLIBC_2.0 () from /lib/tls/libpthread.so.0
    (gdb) where
    #0  0x00dbdb4a in sem_post@GLIBC_2.0 () from /lib/tls/libpthread.so.0
    #1  0x080cf636 in PyThread_release_lock (lock=0x0) at Python/thread_pthread.h:431
    #2  0x080ca519 in PyGILState_Release (oldstate=3080343864) at Python/pystate.c:473
    #3  0xb7ad39e8 in ssl_info_callback (s=0x81ef058, where=16, ret=1) at SWIG/_m2crypto.c:1058
    #4  0x00b251e2 in ssl23_accept () from /lib/libssl.so.4
    #5  0x00b2a093 in SSL_accept () from /lib/libssl.so.4
    #6  0xb7ad73b3 in ssl_accept (ssl=0x81ef058) at SWIG/_m2crypto.c:3492
    #7  0xb7ae2d23 in _wrap_ssl_accept (self=0x0, args=0xb79b310c) at SWIG/_m2crypto.c:11191
    #8  0x080ed9b0 in PyCFunction_Call (func=0xb7b2218c, arg=0xb79b310c, kw=0x1) at Objects/methodobject.c:108
    #9  0x080a4f67 in call_function (pp_stack=0xbfffee9c, oparg=135426480) at Python/ceval.c:3439
    ...

> > BTW: under 0.15, the https_srv.py complains from line 126 -> SSL/Context.py: 118:
> > TypeError: ssl_ctx_load_verify_locations() argument 3 must be string, not None
>
> This does not happen for me.

Strange. Latest version from svn:

    /tmp/m2/demo/ssl@dresden >PYTHONPATH=/tmp/m2/build/lib.linux-i686-2.3 python https_srv.py
    Traceback (most recent call last):
      File "https_srv.py", line 141, in ?
        SSL.verify_none)
      File "https_srv.py", line 126, in init_context
        ctx.load_verify_info(cafile)
      File "/tmp/m2/build/lib.linux-i686-2.3/M2Crypto/SSL/Context.py", line 121, in load_verify_locations
        return m2.ssl_ctx_load_verify_locations(self.ctx, cafile, capath)
    TypeError: ssl_ctx_load_verify_locations() argument 3 must be string, not None

It would be great if there was some way to set a timeout value on connected clients. With the below patch, https_srv.py could instantiate the HTTPS_Server with a default_timeout=SSL.timeout(sec=4) keyword argument to kill misbehaving clients (like the telnet above). Could something like this be considered for future inclusion?
(I don't believe there is a standard pythonic way of setting timeout on client sockets): Index: M2Crypto/SSL/SSLServer.py =================================================================== --- M2Crypto/SSL/SSLServer.py (revision 319) +++ M2Crypto/SSL/SSLServer.py (working copy) @@ -12,7 +12,7 @@ class SSLServer(SocketServer.TCPServer): - def __init__(self, server_address, RequestHandlerClass, ssl_context): + def __init__(self, server_address, RequestHandlerClass, ssl_context, default_timeout=None): """ Superclass says: Constructor. May be extended, do not override. This class says: Ho-hum. @@ -21,6 +21,8 @@ self.RequestHandlerClass=RequestHandlerClass self.ssl_ctx=ssl_context self.socket=Connection(self.ssl_ctx) + if default_timeout is not None: + self.socket.set_default_client_timeout(default_timeout) self.server_bind() self.server_activate() Index: M2Crypto/SSL/Connection.py =================================================================== --- M2Crypto/SSL/Connection.py (revision 319) +++ M2Crypto/SSL/Connection.py (working copy) @@ -38,6 +38,7 @@ self.socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) self.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) self._fileno = self.socket.fileno() + self._default_client_timeout = None def __del__(self): if getattr(self, 'sslbio', None): 
@@ -102,16 +103,27 @@ def accept_ssl(self): return m2.ssl_accept(self.ssl) + def set_default_client_timeout(self, timeout): + self._default_client_timeout = timeout + def accept(self): """Accept an SSL connection. The return value is a pair (ssl, addr) where ssl is a new SSL connection object and addr is the address bound to the the other end of the SSL connection.""" sock, addr = self.socket.accept() + if self._default_client_timeout is not None: + sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVTIMEO, + self._default_client_timeout.pack()) + sock.setsockopt(socket.SOL_SOCKET, socket.SO_SNDTIMEO, + self._default_client_timeout.pack()) + ssl = Connection(self.ctx, sock) ssl.addr = addr ssl.setup_ssl() ssl.set_accept_state() - ssl.accept_ssl() + if ssl.accept_ssl() != 1: + raise SSLError(m2.err_reason_error_string(m2.err_get_error())) + check = getattr(self, 'postConnectionCheck', self.serverPostConnectionCheck) if check is not None: if not check(self.get_peer_cert(), ssl.addr[0]):

Regards,
Rune Frøysa

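Review bot: the `default_timeout=None` parameter added to `SSLServer.__init__` in the first SSLServer.py hunk (`@@ -12,7 +12,7 @@`) is undocumented: the docstring right below it ("Superclass says: Constructor. May be extended, do not override.") says nothing about what kind of value is expected, yet the value is later consumed through `.pack()` in `Connection.accept()`, so it has to be an `SSL.timeout` instance and not a number of seconds. Add a line to the docstring along the lines of "default_timeout: an SSL.timeout applied to every accepted client socket, or None for no timeout", since a caller who passes `4` will only find out at the first client connection.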
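Review bot: SO_RCVTIMEO and SO_SNDTIMEO in the `accept()` hunk (`@@ -102,16 +103,27 @@`) bound each individual blocking read or write, not the handshake as a whole, so the telnet client this is meant to evict is only evicted while it stays completely silent; a client that sends one byte before every deadline keeps `ssl.accept_ssl()`, and with it the whole accept loop, busy indefinitely. A deadline on the complete `accept()` (or moving the handshake off the accept thread) is what closes that case. Three smaller points in the same hunk: when `ssl.accept_ssl() != 1` the freshly accepted `sock` is left to the garbage collector instead of being closed before `SSLError` is raised; when the failure is the timeout itself the socket call fails with errno rather than an OpenSSL error, so `m2.err_get_error()` has nothing queued and the message built from `err_reason_error_string` will be empty or stale, and the errno should be reported as well; and `set_default_client_timeout` stores whatever it is handed while `accept()` later calls `.pack()` on it, so checking the type there gives an immediate error instead of a failure at the first connection. Also confirm that the request loop in SSLServer catches `SSLError` coming out of `get_request()`: if it does not, one failed handshake now propagates out of `serve_forever()` and takes the whole server down, which is a worse denial of service than the stall being fixed.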
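The stall described in this thread (a client that connects and never speaks holds the accept loop, and with it every client behind it) and the effect of the per-client timeout proposed above can be reproduced without M2Crypto. What follows is an added example, not code from the thread, from the patch or from M2Crypto: a plain-TCP server in Python 3 whose accept loop performs a blocking greeting exchange (a constructed stand-in for SSL_accept()) before it can accept the next client, run once without and once with a per-call timeout. The GREETING protocol, the loopback port choice, the one-second lifetime of the idle client and the use of settimeout() in place of the patch's SO_RCVTIMEO/SO_SNDTIMEO setsockopt calls are assumptions made for this demo.

```python
import socket
import threading
import time

# Added example (not M2Crypto code and not the patch from the thread).
# Plain-TCP stand-in for the situation described above: the accept loop
# performs a blocking "handshake" with every new client before it can accept
# the next one, as SSLServer.accept() does with SSL_accept(). A client that
# connects and sends nothing therefore stalls every client behind it.
# Constructed protocol: a client must send GREETING before it is served.
GREETING = b"HELLO\n"


def do_handshake(conn):
    """Read the greeting line; True if it arrives intact, False on timeout or EOF."""
    buf = b""
    try:
        while not buf.endswith(b"\n"):
            chunk = conn.recv(64)
            if not chunk:              # peer closed without finishing the handshake
                return False
            buf += chunk
    except socket.timeout:             # per-call deadline (SO_RCVTIMEO equivalent) fired
        return False
    return buf == GREETING


def accept_loop(listener, client_timeout, outcomes, stop):
    """Accept clients one at a time and handshake with each in this same thread."""
    while not stop.is_set():
        try:
            conn, _addr = listener.accept()
        except socket.timeout:         # periodic wake-up so the loop can see `stop`
            continue
        # settimeout() is the portable equivalent of the patch's SO_RCVTIMEO and
        # SO_SNDTIMEO setsockopt calls: it bounds each individual recv()/send().
        conn.settimeout(client_timeout)
        ok = do_handshake(conn)
        outcomes.append(ok)
        if ok:
            conn.sendall(b"OK\n")
        conn.close()


def run_demo(client_timeout, idle_client_lifetime=1.0):
    """Return (handshake outcomes, seconds the well-behaved client waited for OK)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))    # ephemeral port, loopback only
    listener.listen(5)
    listener.settimeout(0.1)
    port = listener.getsockname()[1]

    outcomes, stop = [], threading.Event()
    server = threading.Thread(target=accept_loop,
                              args=(listener, client_timeout, outcomes, stop))
    server.start()

    # Misbehaving client: connects first, never speaks, goes away after a while
    # (the "telnet to the port and do nothing" case from the thread).
    idle = socket.create_connection(("127.0.0.1", port))
    idle_timer = threading.Timer(idle_client_lifetime, idle.close)
    idle_timer.start()

    # Well-behaved client: connects second and completes the handshake at once,
    # but is not even accepted until the idle client has been dealt with.
    good = socket.create_connection(("127.0.0.1", port))
    good.settimeout(10)
    started = time.monotonic()
    good.sendall(GREETING)
    reply = good.recv(16)
    waited = time.monotonic() - started
    good.close()

    stop.set()
    server.join()
    listener.close()
    idle_timer.cancel()
    idle.close()
    if reply != b"OK\n":
        raise RuntimeError("well-behaved client was not served: %r" % reply)
    return outcomes, waited


if __name__ == "__main__":
    for t in (None, 0.2):
        outcomes, waited = run_demo(t)
        print("client timeout=%r handshakes=%r good client waited %.2fs"
              % (t, outcomes, waited))
```

Run as a script, the first line shows the well-behaved client waiting about a second, until the idle client goes away on its own; the second shows it served roughly 0.2 s after it connected, because the server gave up on the idle client at the deadline. Note what the timeout does not buy: it bounds each blocking call, so a client that sends a byte before every deadline still holds the loop, which is why a handshake deadline or a handshake done off the accept thread is the stronger fix.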
From: turam at MCS.ANL.GOV (Thomas D. Uram)
Date: Fri, 23 Sep 2005 12:29:21 -0500
Subject: [PYTHON-CRYPTO] m2crypto blocking all other threads
References: <4332385F.7090500@osafoundation.org>
Message-ID: <43343B71.3070503@mcs.anl.gov>

I recall seeing the problem with load_verify_locations when using swig 1.3.21; it was resolved when I switched to swig 1.3.24. There is apparently a difference in the stock typemaps between the two versions.

> TypeError: ssl_ctx_load_verify_locations() argument 3 must be string, not None

Tom Uram

On 9/23/05 4:22 AM, Rune Froysa wrote:
> Heikki Toivonen writes:
>
>> Rune Froysa wrote:
>>
>>> I'm using m2crypto for a SSL-based xmlrpc service. This service is
>>> frequently DOSed by what appears to be a bug in m2crypto: it blocks
>>
>> It seems like this is user error. In a multithreaded application you
>> need to initialize M2Crypto for threading. With those changes your
>> sample works for me. See below:
>
> Sorry about that. Is this documented some place? For some reason,
> demo/ssl/https_srv.py works without it (two "openssl s_client -connect
> localhost:19443" can connect simultaneously without problems).
> However, a "telnet localhost 19443" first will prevent
> any later s_clients from reaching past the "CONNECTED(00000003)"
> state.
>
> The threading.init() trick seems to work for my previous example, but
> if I add a threading.init() to line 135 (first in __main__) of
> demo/ssl/https_srv.py, I get a segfault when a client connects (python
> 2.3.4) (It works if I actually have created a separate thread):
>
> Starting program: /usr/bin/python https_srv.py
> [Thread debugging using libthread_db enabled]
> [New Thread -1208785216 (LWP 12122)]
>
> Program received signal SIGSEGV, Segmentation fault.