SNI support in python 2.7 for Locust load tests

Wed Oct 1 07:30:14 EDT 2014

Hi,

> > Reddy  writes:
> > > ...
> > > I'm trying to use locust (http://locust.io/) to run load test of one site we're developing. Everything was running nice and smooth until we switch the servers to use SNI. SNI is not officially supported in python 2.7.5
> 
> > you have two options:
> > 
> > Python 2.7.9 implements PEP 466 "Network Security Enhancements for
> > Python 2.7.x" including TLS 1.1, 1.2 and SNI support. 2.7.9 will be
> > released shortly. You could try the 2.7 branch from hg.python.org.
> > 
> > Use PyOpenSSL instead of Python's ssl module. It supports SNI, too.
> 
> > A recent post in this list regarding missing SNI support in Python 2.x
> > got as a suggestion to use the "backports.ssl" package on PyPI.
> 
> Thanks Christian and Dieter for your prompt responses!
> I tried yesterday with Python built from https://hg.python.org/cpython/archive/9b4673d7b046.tar.gz. I also do use pyOpenSSL as described at http://stackoverflow.com/a/19477363 so I used pip to install pyOpenSSL, ndg-httpsclient and pyasn1 as well as patched locust startup file with the following:
> 
> from urllib3.contrib import pyopenssl
> pyopenssl.inject_into_urllib3()
> 
> I also tried adding the following:
> from functools import partial
> ssl.wrap_socket = partial(ssl.wrap_socket, ssl_version=ssl.PROTOCOL_TLSv1)
> 
> Finally, I've just tried with:
> /usr/local/bin/pip2.7 install backports.ssl
> 
> and patching the lucust file with:
> 
> import backports.ssl as ssl
> import backports.ssl.monkey as monkey
> import requests
> monkey.patch()
> 
> I've also added verify=False to my locust test scripts to disable certificate verification according to http://docs.locust.io/en/latest/api.html
> 
> ...And I still get exactly the same error:
> 
> [2014-09-30 14:19:41,793] ip-x-x-x-x/ERROR/stderr: File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 977, in sendall
> [2014-09-30 14:19:41,793] ip-x-x-x-x/ERROR/stderr: File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 849, in _raise_ssl_error
> [2014-09-30 14:19:41,794] ip-x-x-x-x/ERROR/stderr: OpenSSL.SSL
> [2014-09-30 14:19:41,794] ip-x-x-x-x/ERROR/stderr: .
> [2014-09-30 14:19:41,794] ip-x-x-x-x/ERROR/stderr: WantWriteError
> 
> Now I'm starting to think it's something else than SNI, but all those scripts were working nice before and the only change done was turning on the SNI on tested servers... 
> 
> Any idea what my actually cause this WantWriteError?
> -- 

I think I have a clue what's wrong. By default using:
/usr/local/bin/pip2.7 install pyOpenSSL ndg-httpsclient pyasn1
gives me pyOpenSSL version 0.14. When I downgrade it to 0.13 with
/usr/local/bin/pip2.7 install pyOpenSSL==0.13
everything works nice and smooth. Interestingly, on my local Ubuntu I do have 0.14 version of that package and it works well there...
I noticed that dowgrading it to 0.13 buids 'OpenSSL.crypto' extension and that does not happen when installing v. 0.14 so I guess there's simply a connection to openssl missing somehow there in 0.14. According to https://github.com/pyca/pyopenssl/releases there was a big change there:
"Second, pyOpenSSL is no longer implemented in C as a collection of extension modules using the Python/C API. Instead, pyOpenSSL is now a pure-Python project with a dependency on a new project, http://github.com/pyca/cryptography, which provides (among other things) a cffi-based interface to OpenSSL."
but I also have the most recent version of cryptography (0.6) installed there. And again - it works on local Ubuntu. Weird.

I guess I'll just stick to pyOpenSSL==0.13 for the time being, unless somebody gives me a hint what I'm doing wrong with 0.14 :)

Br,
Reddy