From jcea at ARGO.ES Sat Sep 22 07:41:28 2007
From: jcea at ARGO.ES (Jesus Cea)
Date: Sat, 22 Sep 2007 07:41:28 +0200
Subject: [PYTHON-CRYPTO] Some issues with M2Crypto 0.18 and timeouts
Message-ID: <46F4AB08.6040906@argo.es>

I was waiting for M2Crypto 0.18 to solve the GIL issue (the previous version didn't release the Python GIL while inside OpenSSL) to update my Python mailing system with POP3 TLS support.

I just spent last night working on it (M2Crypto documentation is very sparse), and I've found a couple of -serious- issues:

a) If the socket passed to "M2Crypto.SSL.Connection()" has a timeout defined, the SSL/TLS negotiation will fail, even if the timeout doesn't expire.

b) Calls to "connection.set_socket_read_timeout()" and "connection.set_socket_write_timeout()" seem to hang or show messages like "Option not supported by protocol".

How can I limit the time spent in SSL negotiation or waiting for data? I'm interested in guaranteeing a maximum (short) time for SSL negotiation and a configurable and short wait in the "recv()" and "send()" methods.

Thanks in advance.

A couple of minimal test cases. You must connect your web browser to port 8877.

First issue:

"""
import M2Crypto
M2Crypto.threading.init()
M2Crypto.Rand.load_file("/dev/urandom", -1)

# Server context: certificate + key in server.pem, SSLv2 disabled,
# weak/anonymous cipher suites filtered out.
ctx = M2Crypto.SSL.Context('sslv23')
ctx.set_info_callback()
ctx.load_cert_chain('server.pem')
ctx.set_options(M2Crypto.SSL.op_all | M2Crypto.SSL.op_no_sslv2)
if ctx.set_cipher_list('ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH') != 1:
    print "***No valid ciphers"

import socket
sock = socket.socket()
sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
sock.bind(('', 8877))
sock.listen(5)
sock, addr = sock.accept()   # plain TCP accept; the browser connects here
sock.settimeout(10)          # <- COMMENT THIS LINE AND THE SSL WILL WORK.

# Wrap the accepted socket and run the server side of the handshake.
conn = M2Crypto.SSL.Connection(ctx, sock)
conn.set_accept_state()
conn.setup_ssl()
conn.accept_ssl()
print conn.recv(99999)
conn.clear()
"""

-- 
Jesus Cea Avion                 jcea at argo.es   http://www.argo.es/~jcea/
jabber / xmpp:jcea at jabber.org
"Things are not so easy"
"My name is Dump, Core Dump"
"Love is placing your happiness in the happiness of another" - Leibniz

From heikki at OSAFOUNDATION.ORG Sat Sep 22 08:22:34 2007
From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen)
Date: Fri, 21 Sep 2007 23:22:34 -0700
Subject: [PYTHON-CRYPTO] Some issues with M2Crypto 0.18 and timeouts
In-Reply-To: <46F4AB08.6040906@argo.es>
References: <46F4AB08.6040906@argo.es>
Message-ID: <46F4B4AA.4010808@osafoundation.org>

Jesus Cea wrote:
> a) If the socket passed to "M2Crypto.SSL.Connection()" has a timeout
> defined, the SSL/TLS negotiation will fail, even if the timeout doesn't
> expire.
>
> b) Calls to "connection.set_socket_read_timeout()" and
> "connection.set_socket_write_timeout()" seem to hang or show
> messages like "Option not supported by protocol". How can I limit the
> time spent in SSL negotiation or waiting for data? I'm interested in
> guaranteeing a maximum (short) time for SSL negotiation and a
> configurable and short wait in the "recv()" and "send()" methods.

There is currently no simple API to do server-side timeouts.
There is already a bug filed to this effect with a possible patch, but I haven't tested this myself:

https://bugzilla.osafoundation.org/show_bug.cgi?id=4097

Also there is a bug about setdefaulttimeout breaking SSL:

https://bugzilla.osafoundation.org/show_bug.cgi?id=2341

Searching the web for the words [openssl socket timeout] gives for example http://www.nabble.com/server-timeout-in-connection-handshake---t4383302.html, which points to Postfix implementing this by using BIO pairs and letting Postfix do all network traffic.

If you want to take the "Postfix approach", you might want to look into for example Twisted. M2Crypto can plug into Twisted (see M2Crypto.SSL.TwistedProtocolWrapper) so that Twisted does all the network traffic and M2Crypto does SSL using BIO pairs in memory. Searching for [twisted http server timeout] gives multiple hits.

-- 
Heikki Toivonen

From jcea at ARGO.ES Sat Sep 22 09:34:17 2007
From: jcea at ARGO.ES (Jesus Cea)
Date: Sat, 22 Sep 2007 09:34:17 +0200
Subject: [PYTHON-CRYPTO] Some issues with M2Crypto 0.18 and timeouts
In-Reply-To: <46F4B4AA.4010808@osafoundation.org>
References: <46F4AB08.6040906@argo.es> <46F4B4AA.4010808@osafoundation.org>
Message-ID: <46F4C579.7010507@argo.es>

Heikki Toivonen wrote:
> There is currently no simple API to do server-side timeouts.

Thank you for the pointers, Heikki. I thought that SSL support would be a simple socket implementation replacement, but the timeout limitations would demand implementing a lot of code in my application.

I feel this issue is fairly known and there are requests to solve it. Do you have any timeframe? Seems a showstopper...

I'm a bit worried also about memory leaks, since I'm using M2Crypto (since this night) in a 24/7 mail service.
Googling about it is a bit worrying.

Any other SSL implementation out there for Python? No, I can't use 100% native Python here, for performance reasons. I've looked at http://www.brontes3d.com/opensource/straightssl.html, but the doc is sparse and I need to go to bed now...

-- 
Jesus Cea Avion                 jcea at argo.es   http://www.argo.es/~jcea/
jabber / xmpp:jcea at jabber.org
"Things are not so easy"
"My name is Dump, Core Dump"
"Love is placing your happiness in the happiness of another" - Leibniz

From heikki at OSAFOUNDATION.ORG Mon Sep 24 19:26:19 2007
From: heikki at OSAFOUNDATION.ORG (Heikki Toivonen)
Date: Mon, 24 Sep 2007 10:26:19 -0700
Subject: [PYTHON-CRYPTO] Some issues with M2Crypto 0.18 and timeouts
In-Reply-To: <46F4C579.7010507@argo.es>
References: <46F4AB08.6040906@argo.es> <46F4B4AA.4010808@osafoundation.org> <46F4C579.7010507@argo.es>
Message-ID: <46F7F33B.1000202@osafoundation.org>

Jesus Cea wrote:
> Heikki Toivonen wrote:
>> There is currently no simple API to do server-side timeouts.
>
> Thank you for the pointers, Heikki. I thought that SSL support would be
> a simple socket implementation replacement, but the timeout limitations
> would demand implementing a lot of code in my application.
>
> I feel this issue is fairly known and there are requests to solve it. Do
> you have any timeframe? Seems a showstopper...

You are the second or third person to ask about it in M2Crypto in the past 4 years, so it is not *that* frequent a request.
I suspect most people use something more robust than plain M2Crypto for a server application (like Apache or Twisted). Client side is a different thing, of course.

I don't have a timeframe for the issue at the moment. I am mostly a client side developer, so I rely mostly on other people to work on server issues.

If you really want this simple solution, I'd advise first trying the patch in the bug I pointed out, and seeing how it works. If it does everything you need, reliably, I could consider applying the patch.

> I'm a bit worried also about memory leaks, since I'm using M2Crypto
> (since this night) in a 24/7 mail service. Googling about it is a bit
> worrying.

I've fixed a lot of memory leaks in 0.17 and 0.18. If you know of any unfixed issues, please let me know.

> Any other SSL implementation out there for Python? No, I can't use 100%
> native Python here, for performance reasons. I've looked at
> http://www.brontes3d.com/opensource/straightssl.html, but the doc is
> sparse and I need to go to bed now...

TLS Lite is pure Python, but can use various other native modules (if available) to speed up SSL: http://trevp.net/tlslite/

pyOpenSSL and pyOpenSSL-extended wrap OpenSSL and provide a Python module. Both of these seem dead, but pyOpenSSL-extended was released a bit later, see http://www.keyphrene.com/products/pyOpenSSL-extended/index.php?lng=en

-- 
Heikki Toivonen
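The "Postfix approach" Heikki points to (the TLS engine talks only to in-memory BIOs, and the application does all network I/O itself, so it can apply its own deadline to every wait) is shown below as an added example. It is not code from the thread or from M2Crypto: it uses Python 3's ssl.MemoryBIO / ssl.SSLObject instead of M2Crypto's BIO pairs, the transport is a socketpair whose peer is deliberately silent, and the names run_with_deadline, tls_client_handshake, handshake_against_silent_peer and the hostname "example.test" are my own. The security point is the one the original poster wanted: a peer that sends nothing (or trickles the handshake) cannot hold a worker indefinitely, because the socket timeout is only ever applied to the application's own recv/sendall, never to the TLS engine. The same pump serves the server side (wrap_bio with server_side=True) and post-handshake reads.

```python
import socket
import ssl
import time


def run_with_deadline(sock, incoming, outgoing, op, deadline):
    """Drive one TLS engine operation (op) to completion before `deadline`.

    The engine only ever sees the memory BIOs: records it produces are
    flushed from `outgoing` to `sock`, and when it asks for more input
    (SSLWantReadError) we wait on `sock` for at most the time left until
    `deadline` (a time.monotonic() value) and feed what arrives into
    `incoming`.  Raises TimeoutError once the deadline passes.
    """
    while True:
        try:
            result = op()
            finished = True
        except ssl.SSLWantReadError:
            finished = False
        # Flush whatever the engine produced (ClientHello, alerts, app data).
        pending = outgoing.read()
        if pending:
            sock.sendall(pending)
        if finished:
            return result
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise TimeoutError("TLS operation exceeded its deadline")
        # The socket timeout applies only to *our* I/O; the TLS engine is
        # never exposed to it, which is what the thread found M2Crypto 0.18
        # could not do with a timeout set on the wrapped socket.
        sock.settimeout(remaining)
        try:
            chunk = sock.recv(16384)
        except socket.timeout:
            raise TimeoutError("TLS operation exceeded its deadline") from None
        if chunk:
            incoming.write(chunk)
        else:
            incoming.write_eof()   # peer closed; let the engine report it


def tls_client_handshake(sock, context, server_hostname, timeout):
    """Complete a client handshake over `sock` within `timeout` seconds.

    Returns (sslobj, incoming, outgoing); afterwards run_with_deadline()
    can drive sslobj.read / sslobj.write with a fresh deadline each time.
    """
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = context.wrap_bio(incoming, outgoing, server_side=False,
                              server_hostname=server_hostname)
    deadline = time.monotonic() + timeout
    run_with_deadline(sock, incoming, outgoing, sslobj.do_handshake, deadline)
    return sslobj, incoming, outgoing


def handshake_against_silent_peer(timeout=0.5):
    """Constructed scenario: the peer never answers the ClientHello.

    Without a deadline a blocking handshake would sit here forever, holding
    a worker (or, server side, a connection slot).  Returns what happened.
    """
    ours, peer = socket.socketpair()
    context = ssl.create_default_context()  # "example.test" below is made up
    started = time.monotonic()
    timed_out = False
    try:
        tls_client_handshake(ours, context, "example.test", timeout)
    except TimeoutError:
        timed_out = True
    elapsed = time.monotonic() - started
    # What the silent peer actually received: our ClientHello record.
    peer.setblocking(False)
    try:
        received = peer.recv(65536)
    except BlockingIOError:
        received = b""
    ours.close()
    peer.close()
    return {"timed_out": timed_out, "elapsed": elapsed, "peer_received": received}


if __name__ == "__main__":
    outcome = handshake_against_silent_peer(0.5)
    print("timed out: %s after %.2fs; silent peer received %d bytes"
          % (outcome["timed_out"], outcome["elapsed"], len(outcome["peer_received"])))
```

Running the block shows the handshake being abandoned after about half a second while the peer has received exactly one TLS record (the ClientHello, content type 0x16) and nothing else. Because the deadline is re-derived on every loop iteration, a peer that sends one byte at a time cannot extend the wait past the original budget either.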