pyca / cryptography

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.
https://cryptography.io

Error with httpd on Fedora 24 #3275

Closed azhuzhu closed 7 years ago

azhuzhu commented 7 years ago

When opening the page in a browser, an error occurs in httpd:

```
[Thu Oct 13 09:08:58.070609 2016] [wsgi:error] [pid 21878] 2016-10-13 09:08:58,070 [WARNING] m=sslLogin u=None p=21878 r=::1:52822 koji.xmlrpc: Traceback (most recent call last):
[Thu Oct 13 09:08:58.070618 2016] [wsgi:error] [pid 21878] File "/usr/share/koji-hub/kojixmlrpc.py", line 234, in _wrap_handler
[Thu Oct 13 09:08:58.070620 2016] [wsgi:error] [pid 21878] response = handler(environ)
[Thu Oct 13 09:08:58.070621 2016] [wsgi:error] [pid 21878] File "/usr/share/koji-hub/kojixmlrpc.py", line 277, in handle_rpc
[Thu Oct 13 09:08:58.070623 2016] [wsgi:error] [pid 21878] return self._dispatch(method, params)
[Thu Oct 13 09:08:58.070625 2016] [wsgi:error] [pid 21878] File "/usr/share/koji-hub/kojixmlrpc.py", line 314, in _dispatch
[Thu Oct 13 09:08:58.070626 2016] [wsgi:error] [pid 21878] ret = koji.util.call_with_argcheck(func, params, opts)
@
[Wed Nov 16 09:43:13.882023 2016] [wsgi:error] [pid 22613] [client 192.168.33.1:60707] from OpenSSL._util import (
[Wed Nov 16 09:43:13.882204 2016] [wsgi:error] [pid 22613] [client 192.168.33.1:60707] File "/usr/lib/python2.7/site-packages/OpenSSL/_util.py", line 6, in
[Wed Nov 16 09:43:13.882365 2016] [wsgi:error] [pid 22613] [client 192.168.33.1:60707] from cryptography.hazmat.bindings.openssl.binding import Binding
[Wed Nov 16 09:43:13.882509 2016] [wsgi:error] [pid 22613] [client 192.168.33.1:60707] File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 234, in
[Wed Nov 16 09:43:13.882676 2016] [wsgi:error] [pid 22613] [client 192.168.33.1:60707] Binding.init_static_locks()
[Wed Nov 16 09:43:13.882806 2016] [wsgi:error] [pid 22613] [client 192.168.33.1:60707] File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 180, in init_static_locks
[Wed Nov 16 09:43:13.882939 2016] [wsgi:error] [pid 22613] [client 192.168.33.1:60707] cls._ensure_ffi_initialized()
[Wed Nov 16 09:43:13.883077 2016] [wsgi:error] [pid 22613] [client 192.168.33.1:60707] File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 175, in _ensure_ffi_initialized
[Wed Nov 16 09:43:13.883204 2016] [wsgi:error] [pid 22613] [client 192.168.33.1:60707] cls._register_osrandom_engine()
[Wed Nov 16 09:43:13.883328 2016] [wsgi:error] [pid 22613] [client 192.168.33.1:60707] File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 140, in _register_osrandom_engine
[Wed Nov 16 09:43:13.883465 2016] [wsgi:error] [pid 22613] [client 192.168.33.1:60707] _openssl_assert(cls.lib, cls.lib.ERR_peek_error() == 0)
[Wed Nov 16 09:43:13.883575 2016] [wsgi:error] [pid 22613] [client 192.168.33.1:60707] File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 62, in _openssl_assert
[Wed Nov 16 09:43:13.883719 2016] [wsgi:error] [pid 22613] [client 192.168.33.1:60707] errors_with_text
[Wed Nov 16 09:43:13.883846 2016] [wsgi:error] [pid 22613] [client 192.168.33.1:60707] InternalError: Unknown OpenSSL error. This error is commonly encountered when another library is not cleaning up the OpenSSL error stack. If you are using cryptography with another library that uses OpenSSL try disabling it before reporting a bug. Otherwise please file an issue at https://github.com/pyca/cryptography/issues with information on how to reproduce this. ([_OpenSSLErrorWithText(code=151441516L, lib=9, func=109, reason=108, reason_text='error:0906D06C:PEM routines:PEM_read_bio:no start line'), _OpenSSLErrorWithText(code=151441516L, lib=9, func=109, reason=108, reason_text='error:0906D06C:PEM routines:PEM_read_bio:no start line')])
```

Dependencies:

- mod_ssl-2.4.23-4.fc24.x86_64
- openssl-1.0.2j-1.fc24.x86_64
- pyOpenSSL-16.0.0-1.fc24.noarch
- python2-cryptography-1.5.3-3.fc24.x86_64

Referring to https://github.com/pyca/cryptography/issues/2699, after changing the code in "/usr/lib64/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 140 from _openssl_assert(cls.lib, cls.lib.ERR_peek_error() == 0) to cls.lib.ERR_clear_error(), it's back to normal.

Is that a bug, or is something wrong with the fc24 package?

Thanks

reaperhulk commented 7 years ago

This means something in your software that is called before pyOpenSSL tries to initialize is not properly clearing its error stack. cryptography can't reliably determine whether OpenSSL is in a safe state if the error stack isn't empty. It's possible this is mod_ssl itself -- the error indicates something tried (and failed) to load a PEM formatted cert or key.

The "right" fix is to find the spot where the PEM load is being called and then the error stack is not being cleared, but it may be worth adding these specific errors to a list of allowable errors since they are safe to ignore.
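
Added example (not part of the original thread and not cryptography's own code): it unpacks the error code from the traceback using the OpenSSL 1.0.x layout (8-bit library, 12-bit function, 12-bit reason) and sketches the "allowable errors" idea on a simulated error queue. `ALLOWED_LEFTOVERS` and `check_error_queue` are hypothetical names, and the queue is a plain list rather than a live OpenSSL error stack.

```python
from collections import namedtuple

OpenSSLError = namedtuple("OpenSSLError", "code lib func reason")

ERR_LIB_PEM = 9            # OpenSSL library number for the PEM routines
PEM_R_NO_START_LINE = 108  # reason: input held no "-----BEGIN ...-----" line

# Hypothetical allowlist: (lib, reason) pairs treated as harmless leftovers.
ALLOWED_LEFTOVERS = {(ERR_LIB_PEM, PEM_R_NO_START_LINE)}

# Constructed sample: the code reported in the issue, queued twice as in the log.
ISSUE_QUEUE = [151441516, 151441516]


def unpack_error(code):
    """Split an OpenSSL 1.0.x packed error code into lib, func and reason."""
    return OpenSSLError(code, (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF)


def format_error(err):
    """Render the hex form used in reason_text, e.g. 'error:0906D06C'."""
    return "error:%08X" % err.code


def check_error_queue(queue, allowed=ALLOWED_LEFTOVERS):
    """Drain a simulated per-thread error queue (a list of packed codes).

    Returns the tolerated leftovers. Raises RuntimeError if anything outside
    the allowlist was queued, because the library state is then unknown.
    The queue is always left empty, so later checks start from a clean state.
    """
    tolerated, unexpected = [], []
    while queue:
        err = unpack_error(queue.pop(0))  # oldest entry first
        if (err.lib, err.reason) in allowed:
            tolerated.append(err)
        else:
            unexpected.append(err)
    if unexpected:
        raise RuntimeError("unexpected OpenSSL errors: "
                           + ", ".join(format_error(e) for e in unexpected))
    return tolerated


if __name__ == "__main__":
    for e in check_error_queue(list(ISSUE_QUEUE)):
        print(format_error(e), "lib=%d func=%d reason=%d" % (e.lib, e.func, e.reason))
```

Unlike an unconditional `ERR_clear_error()`, this check still fails when an error outside the allowlist was left behind.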

tiran commented 7 years ago

@azhuzhu https://bugzilla.redhat.com/show_bug.cgi?id=1402235 tracks the issue for Fedora.