From eliaskremer7 at gmail.com  Sun Jan  2 14:31:30 2022
From: eliaskremer7 at gmail.com (Elias Kremer)
Date: Sun, 2 Jan 2022 20:31:30 +0100
Subject: [Cryptography-dev] OpenSSL.SSL.Error 4067
Message-ID: <CAAgF_u_RnSHzF1m-3GpT-o9KPRwwJ5ZQjxUbrXdcfiRedhAh0Q@mail.gmail.com>

Good evening,
I just ran into an error i'm unable to resolve and i couldn't find any help
online:

I work with the python ssl library, and my code throws an ssl.SSLError
"[SSL] PEM lib* (_ssl.c:4067)*".
The documentation of the ssl library (
https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_cert_chain)
says that the highlighted error code comes from the OpenSSL library.
But I can't find any reference to the error code 4067, the closest I could
get was this:
https://www.pyopenssl.org/en/stable/api/ssl.html?#OpenSSL.SSL.Error but
this site basically just says that the error exists and points to "err(3)"
which I could't retrieve on the site.

I'd really appreciate any help since I have no idea how to solve this issue.
Best regards,
Elias Kremer

<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
Virenfrei.
www.avast.com
<https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
<#DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.python.org/pipermail/cryptography-dev/attachments/20220102/bc75a495/attachment.html>

From paul.l.kehrer at gmail.com  Sun Jan  2 14:40:43 2022
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Sun, 2 Jan 2022 13:40:43 -0600
Subject: [Cryptography-dev] OpenSSL.SSL.Error 4067
In-Reply-To: <CAAgF_u_RnSHzF1m-3GpT-o9KPRwwJ5ZQjxUbrXdcfiRedhAh0Q@mail.gmail.com>
References: <CAAgF_u_RnSHzF1m-3GpT-o9KPRwwJ5ZQjxUbrXdcfiRedhAh0Q@mail.gmail.com>
Message-ID: <CABj5TKQneZBoSp3WHtt2pzFauYV0VOAX0Z0r3gtr9+cJymSJOw@mail.gmail.com>

This is a mailing list about a specific Python cryptography project
(pyca/cryptography) and sometimes more generally all projects under the
pyca umbrella, but it is not a general list. Since your problem is actually
with stdlib ssl we're not really the appropriate venue for trying to debug
this. That said, the 4067 you're seeing is the line number from _ssl.c, a
file in the CPython source code. You can see the current master version of
that here (https://github.com/python/cpython/blob/main/Modules/_ssl.c#L4067)
but you'll want to be sure you actually look at the correct release since
_ssl.c changes a bit in each version.

-Paul Kehrer (reaperhulk)

On Sun, Jan 2, 2022 at 1:36 PM Elias Kremer <eliaskremer7 at gmail.com> wrote:

> Good evening,
> I just ran into an error i'm unable to resolve and i couldn't find any
> help online:
>
> I work with the python ssl library, and my code throws an ssl.SSLError
> "[SSL] PEM lib* (_ssl.c:4067)*".
> The documentation of the ssl library (
> https://docs.python.org/3/library/ssl.html#ssl.SSLContext.load_cert_chain)
> says that the highlighted error code comes from the OpenSSL library.
> But I can't find any reference to the error code 4067, the closest I could
> get was this:
> https://www.pyopenssl.org/en/stable/api/ssl.html?#OpenSSL.SSL.Error but
> this site basically just says that the error exists and points to "err(3)"
> which I could't retrieve on the site.
>
> I'd really appreciate any help since I have no idea how to solve this
> issue.
> Best regards,
> Elias Kremer
>
>
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail> Virenfrei.
> www.avast.com
> <https://www.avast.com/sig-email?utm_medium=email&utm_source=link&utm_campaign=sig-email&utm_content=webmail>
> <#m_-3441828664443847941_DAB4FAD8-2DD7-40BB-A1B8-4E2AA1F9FDF2>
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.python.org/pipermail/cryptography-dev/attachments/20220102/52ac7db9/attachment.html>

From etsang at splunk.com  Fri Jan  7 13:13:08 2022
From: etsang at splunk.com (Edward Tsang)
Date: Fri, 7 Jan 2022 10:13:08 -0800
Subject: [Cryptography-dev] Possible to customize how python handle ssl
 verify callback?
Message-ID: <CACrfNRFGT+bRfKz36-m0dHYA5ohB5K9f+Ptj571qy7-CFhq0cg@mail.gmail.com>

Is it possible to change the behavior of how standard python verifies X509
certificates? The background is that  I want to filter, ignore and log some
of the  X509 certificate validation errors. I would like to apply
universally for the Python standard library includes multiple modules that
provide HTTP client functionality, including httplib, urllib, urllib2, and
xmlrpclib. Does the python  offers a way for user to customize certificate
verification behavior? Anyone can point out how to do this or link to any
project that is doing that?

As per openssl doc, we can do that
https://www.openssl.org/docs/man1.1.1/man3/X509_STORE_CTX_verify_cb.html
we can customize how certificate verify callback with this

void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
                                   X509_STORE_CTX_verify_cb verify_cb);
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.python.org/pipermail/cryptography-dev/attachments/20220107/5700846f/attachment.html>

From alex.gaynor at gmail.com  Fri Jan  7 13:17:46 2022
From: alex.gaynor at gmail.com (Alex Gaynor)
Date: Fri, 7 Jan 2022 13:17:46 -0500
Subject: [Cryptography-dev] Possible to customize how python handle ssl
 verify callback?
In-Reply-To: <CACrfNRFGT+bRfKz36-m0dHYA5ohB5K9f+Ptj571qy7-CFhq0cg@mail.gmail.com>
References: <CACrfNRFGT+bRfKz36-m0dHYA5ohB5K9f+Ptj571qy7-CFhq0cg@mail.gmail.com>
Message-ID: <CAFRnB2XtQxpG+dUiTYXnfwwejYs3QOQ2ZTkWvX=HSTx=Z80OBg@mail.gmail.com>

This mailing list is for dealing with the Python Cryptographic
Authority family of libraries, so we're not really in a position to
provide support for the Python stdlib modules. For that you want
something like https://discuss.python.org/.

That said, if you really this this to apply to _all_ X.509 validation
for TLS connections, your best bet is probably to monkeypatch
https://docs.python.org/3/library/ssl.html#ssl.create_default_context
to return a context with your verify callback.

Alex

On Fri, Jan 7, 2022 at 1:13 PM Edward Tsang via Cryptography-dev
<cryptography-dev at python.org> wrote:
>
> Is it possible to change the behavior of how standard python verifies X509 certificates? The background is that  I want to filter, ignore and log some of the  X509 certificate validation errors. I would like to apply universally for the Python standard library includes multiple modules that provide HTTP client functionality, including httplib, urllib, urllib2, and xmlrpclib. Does the python  offers a way for user to customize certificate verification behavior? Anyone can point out how to do this or link to any project that is doing that?
>
> As per openssl doc, we can do that
> https://www.openssl.org/docs/man1.1.1/man3/X509_STORE_CTX_verify_cb.html
> we can customize how certificate verify callback with this
>
> void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx,
>                                    X509_STORE_CTX_verify_cb verify_cb);
>
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev



-- 
All that is necessary for evil to succeed is for good people to do nothing.

From paul.l.kehrer at gmail.com  Wed Jan 19 10:26:04 2022
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Wed, 19 Jan 2022 09:26:04 -0600
Subject: [Cryptography-dev] Deprecating legacy symmetric algorithms
Message-ID: <CABj5TKRvybNsSXRodmrwKOLiasxRt9bV2db6He11xAfuwu8Bsg@mail.gmail.com>

Hi all,

cryptography currently ships numerous legacy symmetric algorithms
that, anecdotally, have very low use. These algorithms have a variety
of security drawbacks when compared to more modern equivalents (namely
AES or ChaCha20) and generally shouldn't be used. We plan to deprecate
them on a long cycle such that users who don't read the mailing list
have a chance to speak up if they have a use case that we should
consider, but we're also reaching out here to solicit opinions.

The algorithms we'd like to deprecate and remove are:
* CAST5
* SEED
* IDEA
* Blowfish

3DES and ARC4 are also legacy (and ARC4 has serious security issues),
but their common use in many scenarios means they will not be
deprecated.

This decision has two primary driving factors: reducing the number of
algorithms that developers need to be aware of to make a reasonable
choice, and lowering our reliance on the "legacy" provider in OpenSSL
3.0.0+ with a goal of eventually removing it entirely.

If you have use cases that require these algorithms please let us know!

-Paul Kehrer (reaperhulk)

From ejanssen at itmatters.nl  Wed Jan 19 11:53:49 2022
From: ejanssen at itmatters.nl (ejanssen at itmatters.nl)
Date: Wed, 19 Jan 2022 17:53:49 +0100
Subject: [Cryptography-dev] cryptography 36.0.1 Fernet example: AES in CBC
 mode UnsupportedAlgorithm
Message-ID: <fe183a660e3470454f659a9550bf7af0@itmatters.nl>

Hi,

This is maybe not a cryptography question but an openssl one, please 
bear with me..

I compiled openssl 1.1.1m myself and installed it next to the existing 
1.0.1t from my distribution (debian 8). I built a Python linking against 
this new openssl.

When I try the example code from the documentation I get 
UnsupportedAlgorithm:

$ python3 -i
Python 3.9.10 (main, Jan 19 2022, 14:33:07)
[GCC 4.9.2] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import cryptography.hazmat.backends.openssl.backend as b

>>> b.openssl_version_text()
'OpenSSL 1.1.1m  14 Dec 2021'

>>> '{:x}'.format(b.openssl_version_number())
'101010df'

>>> from cryptography.fernet import Fernet
>>> key = Fernet.generate_key()
>>> f = Fernet(key)
>>> token = f.encrypt(b"my deep dark secret")
Traceback (most recent call last):

<skipping parts>

     raise UnsupportedAlgorithm(msg, _Reasons.UNSUPPORTED_CIPHER)
cryptography.exceptions.UnsupportedAlgorithm: cipher AES in CBC mode is 
not supported by this backend (Your version of OpenSSL may be too old. 
Current version: OpenSSL 1.1.1m  14 Dec 2021.)


However, I can do this on the commandline:

$ openssl version
OpenSSL 1.1.1m  14 Dec 2021

$ openssl enc -aes128 -base64 -in text.plain -out text.enc
enter aes-128-cbc encryption password:
Verifying - enter aes-128-cbc encryption password:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.

$ cat text.enc
U2FsdGVkX18dFTIizaI1vyR/zo26kRa6ZusV61GMYZ8=

This didn't work initially, I first had to align openssl.cnf with the 
one from the distribution. But now I would say the openssl itself is 
working.

Why is this not working in the cryptography module? Or/and, what would 
be the best next step to analyse?


Thanks!

Erik

From ejanssen at itmatters.nl  Wed Jan 19 13:23:03 2022
From: ejanssen at itmatters.nl (ejanssen at itmatters.nl)
Date: Wed, 19 Jan 2022 19:23:03 +0100
Subject: [Cryptography-dev] cryptography 36.0.1 Fernet example: AES in
 CBC mode UnsupportedAlgorithm
In-Reply-To: <fe183a660e3470454f659a9550bf7af0@itmatters.nl>
References: <fe183a660e3470454f659a9550bf7af0@itmatters.nl>
Message-ID: <73069c97a3b675a4c534a09102295677@itmatters.nl>

Hi,

Fixed it. Found with strace that the old lib got loaded as well
Made a static wheel as explained in 
https://cryptography.io/en/latest/installation/
Now it works

Erik


ejanssen at itmatters.nl schreef op 2022-01-19 17:53:
> Hi,
> 
> This is maybe not a cryptography question but an openssl one, please
> bear with me..
> 
> I compiled openssl 1.1.1m myself and installed it next to the existing
> 1.0.1t from my distribution (debian 8). I built a Python linking
> against this new openssl.
> 
> When I try the example code from the documentation I get 
> UnsupportedAlgorithm:
> 
> $ python3 -i
> Python 3.9.10 (main, Jan 19 2022, 14:33:07)
> [GCC 4.9.2] on linux
> Type "help", "copyright", "credits" or "license" for more information.
>>>> import cryptography.hazmat.backends.openssl.backend as b
> 
>>>> b.openssl_version_text()
> 'OpenSSL 1.1.1m  14 Dec 2021'
> 
>>>> '{:x}'.format(b.openssl_version_number())
> '101010df'
> 
>>>> from cryptography.fernet import Fernet
>>>> key = Fernet.generate_key()
>>>> f = Fernet(key)
>>>> token = f.encrypt(b"my deep dark secret")
> Traceback (most recent call last):
> 
> <skipping parts>
> 
>     raise UnsupportedAlgorithm(msg, _Reasons.UNSUPPORTED_CIPHER)
> cryptography.exceptions.UnsupportedAlgorithm: cipher AES in CBC mode
> is not supported by this backend (Your version of OpenSSL may be too
> old. Current version: OpenSSL 1.1.1m  14 Dec 2021.)
> 
> 
> However, I can do this on the commandline:
> 
> $ openssl version
> OpenSSL 1.1.1m  14 Dec 2021
> 
> $ openssl enc -aes128 -base64 -in text.plain -out text.enc
> enter aes-128-cbc encryption password:
> Verifying - enter aes-128-cbc encryption password:
> *** WARNING : deprecated key derivation used.
> Using -iter or -pbkdf2 would be better.
> 
> $ cat text.enc
> U2FsdGVkX18dFTIizaI1vyR/zo26kRa6ZusV61GMYZ8=
> 
> This didn't work initially, I first had to align openssl.cnf with the
> one from the distribution. But now I would say the openssl itself is
> working.
> 
> Why is this not working in the cryptography module? Or/and, what would
> be the best next step to analyse?
> 
> 
> Thanks!
> 
> Erik
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev

From s2nder at gmail.com  Mon Jan 24 02:38:51 2022
From: s2nder at gmail.com (=?UTF-8?B?0JDQu9C10LrRgSDQntC/0LXQutC+0LI=?=)
Date: Mon, 24 Jan 2022 09:38:51 +0200
Subject: [Cryptography-dev] class NameOID
Message-ID: <CAEBsY=ouC0cj0jfuq6o_uYt3ri8fd0oDD8_yNTZkdV5bwYURcg@mail.gmail.com>

Hello!
I came across some a problem
I have tried create a request with some subject field and noticed, that I
can't use in NameOID field calling 'NAME' with id 2.5.4.41, because it
absent in a class NameIOD,  I have found closer field 'GIVEN_NAME' with id
2.5.4.42 but I can't use it. My project requires the field 'NAME'. Can you
help me with them and add this field?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.python.org/pipermail/cryptography-dev/attachments/20220124/cfa44d0f/attachment.html>

From paul.l.kehrer at gmail.com  Mon Jan 24 10:44:05 2022
From: paul.l.kehrer at gmail.com (Paul Kehrer)
Date: Mon, 24 Jan 2022 09:44:05 -0600
Subject: [Cryptography-dev] class NameOID
In-Reply-To: <CAEBsY=ouC0cj0jfuq6o_uYt3ri8fd0oDD8_yNTZkdV5bwYURcg@mail.gmail.com>
References: <CAEBsY=ouC0cj0jfuq6o_uYt3ri8fd0oDD8_yNTZkdV5bwYURcg@mail.gmail.com>
Message-ID: <CABj5TKQ9D8AbijccdPnHEm70JSC6kA8RcMJuBDdhbJjtGi9vtQ@mail.gmail.com>

It appears you asked this both as an issue and on the mailing list.
I've put an answer on the issue:

https://github.com/pyca/cryptography/issues/6815

On Mon, Jan 24, 2022 at 6:27 AM ????? ?????? <s2nder at gmail.com> wrote:
>
> Hello!
> I came across some a problem
> I have tried create a request with some subject field and noticed, that I can't use in NameOID field calling 'NAME' with id 2.5.4.41, because it absent in a class NameIOD,  I have found closer field 'GIVEN_NAME' with id 2.5.4.42 but I can't use it. My project requires the field 'NAME'. Can you help me with them and add this field?
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev