From mcepl at redhat.com Wed Nov 4 16:03:24 2009 From: mcepl at redhat.com (=?UTF-8?B?TWF0xJtqIENlcGw=?=) Date: Wed, 04 Nov 2009 16:03:24 +0100 Subject: [pyOpenSSL] cannot connect to XMPP server with gajim (using pyOpenSSL) In-Reply-To: <20091013172116.11350.820957483.divmod.xquotient.6@localhost.localdomain> References: <4AD4B4A8.2010902@redhat.com> <20091013172116.11350.820957483.divmod.xquotient.6@localhost.localdomain> Message-ID: <4AF197BC.60209@redhat.com> Dne 13.10.2009 19:21, exarkun at twistedmatrix.com napsal(a): > There are some known interoperability issues between OpenSSL and the SSL > libraries used by some Java XMPP services. If this is the problem, you > can work around it by setting the OP_NO_TICKET (0x00004000) option in > the client. If this doesn't fix the problem, then I don't have any > other guesses as to what might be wrong. Currently I have this patch against the master branch of gajim (thanks partially to Dave Kirkland for this), but I haven't seen any noticeable difference ... gajim still hangs in "Initiating handshake..." diff --git a/src/common/xmpp/tls_nb.py b/src/common/xmpp/tls_nb.py index 5ed1072..fc6b496 100644 --- a/src/common/xmpp/tls_nb.py +++ b/src/common/xmpp/tls_nb.py @@ -334,6 +334,10 @@ class NonBlockingTLS(PlugIn): begin = -1 i += 1 + def info_callback(conn, where, ret): + print >>sys.stderr, "[SSL info] %x = %d" % (where, + ret)#,`conn.state_string()` + def _startSSL_pyOpenSSL(self): log.debug("_startSSL_pyOpenSSL called") tcpsock = self._owner @@ -359,6 +363,8 @@ class NonBlockingTLS(PlugIn): tcpsock._sslObj = OpenSSL.SSL.Connection(tcpsock._sslContext, tcpsock._sock) tcpsock._sslObj.set_connect_state() # set to client mode + tcpsock._sslContext.set_options(OpenSSL.SSL.OP_NO_TICKET) + tcpsock._sslContext.set_info_callback( info_callback ) wrapper = PyOpenSSLWrapper(tcpsock._sslObj) tcpsock._recv = wrapper.recv tcpsock._send = wrapper.send Any ideas what should I do? Thanks for the replies so far, Mat?j Cepl -- http://www.ceplovi.cz/matej/, Jabber: mceplceplovi.cz GPG Finger: 89EF 4BC6 288A BF43 1BAB 25C3 E09F EF25 D964 84AC Faithful love is what people look for in a person; ... -- Proverbs 19:22 (NJB) -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3284 bytes Desc: S/MIME Cryptographic Signature URL: From exarkun at twistedmatrix.com Thu Nov 5 19:07:24 2009 From: exarkun at twistedmatrix.com (exarkun at twistedmatrix.com) Date: Thu, 05 Nov 2009 18:07:24 -0000 Subject: [pyOpenSSL] cannot connect to XMPP server with gajim (using pyOpenSSL) In-Reply-To: <4AF197BC.60209@redhat.com> References: <4AD4B4A8.2010902@redhat.com> <20091013172116.11350.820957483.divmod.xquotient.6@localhost.localdomain> <4AF197BC.60209@redhat.com> Message-ID: <20091105180724.3229.795173757.divmod.xquotient.132@localhost.localdomain> On 4 Nov, 03:03 pm, mcepl at redhat.com wrote: >Dne 13.10.2009 19:21, exarkun at twistedmatrix.com napsal(a): >>There are some known interoperability issues between OpenSSL and the >>SSL >>libraries used by some Java XMPP services. If this is the problem, >>you >>can work around it by setting the OP_NO_TICKET (0x00004000) option in >>the client. If this doesn't fix the problem, then I don't have any >>other guesses as to what might be wrong. > >Currently I have this patch against the master branch of gajim (thanks >partially to Dave Kirkland for this), but I haven't seen any noticeable >difference ... gajim still hangs in "Initiating handshake..." > >diff --git a/src/common/xmpp/tls_nb.py b/src/common/xmpp/tls_nb.py >index 5ed1072..fc6b496 100644 >--- a/src/common/xmpp/tls_nb.py >+++ b/src/common/xmpp/tls_nb.py >@@ -334,6 +334,10 @@ class NonBlockingTLS(PlugIn): > begin = -1 > i += 1 > >+ def info_callback(conn, where, ret): >+ print >>sys.stderr, "[SSL info] %x = %d" % (where, >+ ret)#,`conn.state_string()` >+ > def _startSSL_pyOpenSSL(self): > log.debug("_startSSL_pyOpenSSL called") > tcpsock = self._owner >@@ -359,6 +363,8 @@ class NonBlockingTLS(PlugIn): > tcpsock._sslObj = >OpenSSL.SSL.Connection(tcpsock._sslContext, > tcpsock._sock) > tcpsock._sslObj.set_connect_state() # set to client >mode >+ >tcpsock._sslContext.set_options(OpenSSL.SSL.OP_NO_TICKET) >+ tcpsock._sslContext.set_info_callback( info_callback ) > wrapper = PyOpenSSLWrapper(tcpsock._sslObj) > tcpsock._recv = wrapper.recv > tcpsock._send = wrapper.send > >Any ideas what should I do? > >Thanks for the replies so far, This looks like the right solution for the problem I had in mind. So, I'm not sure what's going on here. Something like tlsdump may shed further light on the issue. Or, I see you're using the info callback here - is that revealing anything interesting? Jean-Paul From info at egenix.com Tue Nov 10 21:53:33 2009 From: info at egenix.com (eGenix Team: M.-A. Lemburg) Date: Tue, 10 Nov 2009 21:53:33 +0100 Subject: [pyOpenSSL] ANN: eGenix pyOpenSSL Distribution 0.9.0-0.9.8l Message-ID: <4AF9D2CD.2020703@egenix.com> ________________________________________________________________________ ANNOUNCING eGenix.com pyOpenSSL Distribution Version 0.9.0-0.9.8l An easy-to-install and easy-to-use distribution of the pyOpenSSL Python interface for OpenSSL - available for Windows, Mac OS X and Unix platforms This announcement is also available on our web-site for online reading: http://www.egenix.com/company/news/eGenix-pyOpenSSL-Distribution-0.9.0-0.9.8l-1.html ________________________________________________________________________ INTRODUCTION The eGenix.com pyOpenSSL Distribution includes everything you need to get started with SSL in Python. It comes with an easy-to-use installer that includes the most recent OpenSSL library versions in pre-compiled form, making your application independent of OS provided OpenSSL libraries: http://www.egenix.com/products/python/pyOpenSSL/ pyOpenSSL is an open-source Python add-on that allows writing SSL/TLS- aware network applications as well as certificate management tools: http://pyopenssl.sourceforge.net/ OpenSSL is an open-source implementation of the SSL/TLS protocol: http://www.openssl.org/ ________________________________________________________________________ NEWS This new release of the eGenix.com pyOpenSSL Distribution updates the included OpenSSL version to 0.9.8l. The new OpenSSL version includes an important work-around for a serious problem in TLS, the protocol implemented and used by OpenSSL. The Man-in-the-Middle TLS protocol attack was disclosed on 2009-11-05 and is being tracked as CVE-2009-3555: http://isc.sans.org/diary.html?storyid=7534 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 IMPORTANT: The work-around chosen by the OpenSSL team is to disable SSL session renegotiations altogether. This can cause applications relying on this feature on the client or server side to fail. You can still download the previous version of our pyOpenSSL distribution if you run into such problems: http://www.egenix.com/products/python/pyOpenSSL/0.9.0-0.9.8k_1/ As always, we provide binaries that include both pyOpenSSL and the necessary OpenSSL libraries for all supported platforms: Windows x86, Linux x86 and x64, Mac OS X PPC and x86. Due to popular demand, we've also added .egg-file format versions of our eGenix.com pyOpenSSL Distribution for Windows and Linux to the available download options. These makes setups using e.g. zc.buildout and other egg-file based installers a lot easier. ________________________________________________________________________ DOWNLOADS The download archives and instructions for installing the package can be found at: http://www.egenix.com/products/python/pyOpenSSL/ ________________________________________________________________________ UPGRADING Before installing this version of pyOpenSSL, please make sure that you uninstall any previously installed pyOpenSSL version. Otherwise, you could end up not using the included OpenSSL libs. _______________________________________________________________________ SUPPORT Commercial support for these packages is available from eGenix.com. Please see http://www.egenix.com/services/support/ for details about our support offerings. _______________________________________________________________________ INFORMATION About Python (http://www.python.org/): Python is an object-oriented Open Source programming language which runs on all modern platforms. By integrating ease-of-use, clarity in coding, enterprise application connectivity and rapid application design, Python establishes an ideal programming platform for today's IT challenges. About eGenix (http://www.egenix.com/): eGenix is a software project, consulting and product company focusing on expert services and professional quality products for companies, Python users and developers. Enjoy, -- Marc-Andre Lemburg eGenix.com Professional Python Services directly from the Source (#1, Nov 10 2009) >>> Python/Zope Consulting and Support ... http://www.egenix.com/ >>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/ >>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/ ________________________________________________________________________ ::: Try our new mxODBC.Connect Python Database Interface for free ! :::: eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg Registered at Amtsgericht Duesseldorf: HRB 46611 http://www.egenix.com/company/contact/ From exarkun at twistedmatrix.com Fri Nov 13 18:23:39 2009 From: exarkun at twistedmatrix.com (exarkun at twistedmatrix.com) Date: Fri, 13 Nov 2009 17:23:39 -0000 Subject: [pyOpenSSL] [ANN] pyOpenSSL 0.10 Message-ID: <20091113172339.3229.1288175132.divmod.xquotient.728@localhost.localdomain> I'm happy to announce the release of pyOpenSSL 0.10. pyOpenSSL 0.10 exposes several more OpenSSL APIs, including support for running TLS connections over in-memory BIOs, access to the OpenSSL random number generator, the ability to pass subject and issuer parameters when creating an X509Extension instance, more control over PKCS12 creation and an API for exporting PKCS12 objects, and APIs for controlling the client CA list servers send to clients. Several bugs have also been fixed, including a crash when certain X509Extension instances are deallocated, a mis-handling of the OpenSSL error queue in the X509Name implementation, Windows build issues, and a possible double free when using a debug build. The style of the docstrings for APIs implemented in C has also been changed throughout the project to be more useful to Python programmers. Extension type objects can also now be used to instantiate those types. Many thanks to numerous people who contributed patches to this release. You can find pyOpenSSL 0.10 on the Python Package Index: http://pypi.python.org/pypi/pyOpenSSL/0.10 You can now also find the pyOpenSSL documentation there: http://packages.python.org/pyOpenSSL/ As part of the ongoing transition away from SourceForge, I won't be uploading the release or the documentation to SourceForge. Please continue to use the pyOpenSSL Launchpad page for bug reports: https://launchpad.net/pyopenssl Enjoy! Jean-Paul Calderone From mcepl at redhat.com Fri Nov 13 22:09:23 2009 From: mcepl at redhat.com (=?UTF-8?B?TWF0xJtqIENlcGw=?=) Date: Fri, 13 Nov 2009 22:09:23 +0100 Subject: [pyOpenSSL] [ANN] pyOpenSSL 0.10 In-Reply-To: <20091113172339.3229.1288175132.divmod.xquotient.728@localhost.localdomain> References: <20091113172339.3229.1288175132.divmod.xquotient.728@localhost.localdomain> Message-ID: <4AFDCB03.7040503@redhat.com> Dne 13.11.2009 18:23, exarkun at twistedmatrix.com napsal(a): > pyOpenSSL 0.10 exposes several more OpenSSL APIs, including support for > running TLS connections over in-memory BIOs, access to the OpenSSL > random number generator, the ability to pass subject and issuer > parameters when creating an X509Extension instance, more control over > PKCS12 creation and an API for exporting PKCS12 objects, and APIs for > controlling the client CA list servers send to clients. Is there a hope that we could get ever exported AES and RSA from openSSL. I am interested in gajim (PyGtk XMPP client) which currently uses for these two algorithms (and now only for them, the rest of security is done through pyOpenSSL or native python methods) python-crypto which contains its own C-implementations of AES and RSA. I hate this independent (and I would expect not much tested and maintained, certainly in comparison with openSSL library) solution. There seems to me two solutions to this problem: a) to persuade you (or somebody, I am not a C programmer) to implement bindings for these two algorithms in pyOpenSSL, b) port whole gajim to m2crypto, which IIRC has also only bindings for openSSL (not its own implementations). Of course, I would prefer the first solution. Is there a hope? Mat?j -- http://www.ceplovi.cz/matej/, Jabber: mceplceplovi.cz GPG Finger: 89EF 4BC6 288A BF43 1BAB 25C3 E09F EF25 D964 84AC To err is human, to purr feline. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 3284 bytes Desc: S/MIME Cryptographic Signature URL: From exarkun at twistedmatrix.com Sat Nov 14 18:53:13 2009 From: exarkun at twistedmatrix.com (exarkun at twistedmatrix.com) Date: Sat, 14 Nov 2009 17:53:13 -0000 Subject: [pyOpenSSL] AES and RSA APIs (was Re: [ANN] pyOpenSSL 0.10) In-Reply-To: <4AFDCB03.7040503@redhat.com> References: <20091113172339.3229.1288175132.divmod.xquotient.728@localhost.localdomain> <4AFDCB03.7040503@redhat.com> Message-ID: <20091114175313.27565.991967215.divmod.xquotient.135@localhost.localdomain> On 13 Nov, 09:09 pm, mcepl at redhat.com wrote: >Dne 13.11.2009 18:23, exarkun at twistedmatrix.com napsal(a): >>pyOpenSSL 0.10 exposes several more OpenSSL APIs, including support >>for >>running TLS connections over in-memory BIOs, access to the OpenSSL >>random number generator, the ability to pass subject and issuer >>parameters when creating an X509Extension instance, more control over >>PKCS12 creation and an API for exporting PKCS12 objects, and APIs for >>controlling the client CA list servers send to clients. > >Is there a hope that we could get ever exported AES and RSA from >openSSL. I am interested in gajim (PyGtk XMPP client) which currently >uses for these two algorithms (and now only for them, the rest of >security is done through pyOpenSSL or native python methods) >python-crypto which contains its own C-implementations of AES and RSA. >I >hate this independent (and I would expect not much tested and >maintained, certainly in comparison with openSSL library) solution. >There seems to me two solutions to this problem: a) to persuade you (or >somebody, I am not a C programmer) to implement bindings for these two >algorithms in pyOpenSSL, b) port whole gajim to m2crypto, which IIRC >has >also only bindings for openSSL (not its own implementations). Of >course, >I would prefer the first solution. > >Is there a hope? This is certainly not something I'd rule out for pyOpenSSL. It's just a question of who will implement it and when. I was also recently reminded of a set of outstanding changes by David Crindland. I know these changes include some kind of crypto-related enhancements, but I still haven't looked at the patches closely enough to know exactly what. I'm going to try to get these integrated for 0.11. This is still probably a non-trivial undertaking, as I don't think the patches include much in the way of automated test coverage. I've recently become available for contract work. If this is something you'd like expedited and have a budget for doing so, perhaps we can work something out. Feel free to contact me off-list about that. Also, several other people have been active in pyOpenSSL development recently. I'm not sure if any of them are available for this sort of work, but it's possible, and I don't want anyone to think that I'm the only person who could be paid for pyOpenSSL development. :) I'll happily incorporate work done by anyone, so long as it meets the quality standards I've been trying to enforce since I took over maintainership. Jean-Paul From morgan.s.reed at gmail.com Sun Nov 15 04:09:05 2009 From: morgan.s.reed at gmail.com (Morgan Reed) Date: Sun, 15 Nov 2009 14:09:05 +1100 Subject: [pyOpenSSL] AES and RSA APIs (was Re: [ANN] pyOpenSSL 0.10) In-Reply-To: <20091114175313.27565.991967215.divmod.xquotient.135@localhost.localdomain> References: <20091113172339.3229.1288175132.divmod.xquotient.728@localhost.localdomain> <4AFDCB03.7040503@redhat.com> <20091114175313.27565.991967215.divmod.xquotient.135@localhost.localdomain> Message-ID: On Sun, Nov 15, 2009 at 04:53, wrote: > This is certainly not something I'd rule out for pyOpenSSL. ?It's just a > question of who will implement it and when. There are bindings to some of the low-level RSA methods which I wrote some time back in a branch on launchpad (mr-RSAadditions). Though I'm not sure what other stuff would be necessary to do a complete implementation of RSA (I only needed the low-level stuff for the project I was working on) I may be able to find time to expand on that work if somebody can tell me what is needed beyond what has been done. The AES stuff is a different matter but I can probably look at that too (it may become necessary for one of my projects anyway) Morgan From exarkun at twistedmatrix.com Sun Nov 15 15:44:21 2009 From: exarkun at twistedmatrix.com (exarkun at twistedmatrix.com) Date: Sun, 15 Nov 2009 14:44:21 -0000 Subject: [pyOpenSSL] AES and RSA APIs (was Re: [ANN] pyOpenSSL 0.10) In-Reply-To: References: <20091113172339.3229.1288175132.divmod.xquotient.728@localhost.localdomain> <4AFDCB03.7040503@redhat.com> <20091114175313.27565.991967215.divmod.xquotient.135@localhost.localdomain> Message-ID: <20091115144421.27565.584883811.divmod.xquotient.163@localhost.localdomain> On 03:09 am, morgan.s.reed at gmail.com wrote: >On Sun, Nov 15, 2009 at 04:53, wrote: >>This is certainly not something I'd rule out for pyOpenSSL. ?It's just >>a >>question of who will implement it and when. > >There are bindings to some of the low-level RSA methods which I wrote >some time back in a branch on launchpad (mr-RSAadditions). Though I'm >not sure what other stuff would be necessary to do a complete >implementation of RSA (I only needed the low-level stuff for the >project I was working on) Ah, I forgot about that branch. It would be excellent if you could file a ticket for it and describe what it does. :) It also looks like some conflicts have arisen. If you resolve these, I'll take a look at getting it merged. Jean-Paul