Ticket #589 (defect)
Opened 2 years ago
Last modified 2 months ago
SSL errors
Status: reopened
| Reported by: | fumanchu | Assigned to: | rdelon |
|---|---|---|---|
| Priority: | high | Milestone: | 3.1 |
| Component: | wsgiserver | Keywords: | |
| Cc: |
C:\Python24\Lib\site-packages>python cherrypy\test\test.py --ssl
Python version used to run this test script: 2.4.2
CherryPy version 3.0.0beta2
HTTP server version HTTP/1.1 (ssl)
...
test_1_Ram_Concurrency (test_session.SessionTest) ... Exception in thread CP WSGIServer Thread-4:
Traceback (most recent call last):
File "C:\Python24\Lib\threading.py", line 442, in __bootstrap
self.run()
File "C:\Python24\Lib\site-packages\cherrypy\_cpwsgiserver.py", line 506, in run
conn.communicate()
File "C:\Python24\Lib\site-packages\cherrypy\_cpwsgiserver.py", line 471, in communicate
req.simple_response("500 Internal Server Error", format_exc())
File "C:\Python24\Lib\site-packages\cherrypy\_cpwsgiserver.py", line 296, in simple_response
wfile.flush()
File "C:\Python24\Lib\site-packages\cherrypy\_cpwsgiserver.py", line 365, in ssl_method_wrapper
return method(self, *args, **kwargs)
File "C:\Python24\Lib\socket.py", line 243, in flush
self._sock.sendall(buffer)
Error: [('SSL routines', 'SSL3_GET_MESSAGE', 'excessive message size')]
Attachments
Change History
10/25/06 18:30:20: Modified by fumanchu
- status changed from new to closed.
- resolution set to fixed.
11/10/07 19:58:15: Modified by fumanchu
- status changed from closed to reopened.
- resolution deleted.
- milestone changed from 3.0 to 3.1.
I'm getting these errors again in trunk.
01/12/08 20:25:40: Modified by fumanchu
This is intermittent, by the way, but occurs while trying to send an error message. The initial error is:
Traceback (most recent call last): File "C:\Python24\Lib\site-packages\cherrypy\wsgiserver\__init__.py", line 751, in communicate req.parse_request() File "C:\Python24\Lib\site-packages\cherrypy\wsgiserver\__init__.py", line 246, in parse_request self._parse_request() File "C:\Python24\Lib\site-packages\cherrypy\wsgiserver\__init__.py", line 259, in _parse_request request_line = self.rfile.readline() File "C:\Python24\Lib\site-packages\cherrypy\wsgiserver\__init__.py", line 154, in readline data = self.rfile.readline(256) File "C:\Python24\Lib\site-packages\cherrypy\wsgiserver\__init__.py", line 645, in ssl_method_wrapper return method(self, *args, **kwargs) File "C:\Python24\lib\socket.py", line 359, in readline data = self._sock.recv(self._rbufsize) Error: [('SSL routines', 'SSL3_GET_RECORD', 'decryption failed or bad record mac')]
This might be due to a bad openssl version. See http://svn.haxx.se/users/archive-2006-03/0803.shtml.
03/17/08 14:55:24: Modified by fumanchu
- summary changed from SSL 'excessive message size' errors to SSL errors.
Also getting several of these in test_refleaks:
C:\Python24\Lib\site-packages>python cherrypy\test\test.py --ssl --test_refleaks Python version used to run this test script: 2.4.4 CherryPy version 3.1.0beta3 HTTP server version HTTP/1.1 (ssl) PID: 5544 Running tests: cherrypy._cpwsgi.CPWSGIServer test_threadlocal_garbage (test_refleaks.ReferenceTests) ... Exception in thread Thread-18: Traceback (most recent call last): File "C:\Python24\lib\threading.py", line 442, in __bootstrap self.run() File "C:\Python24\lib\threading.py", line 422, in run self.__target(*self.__args, **self.__kwargs) File "C:\Python24\Lib\site-packages\cherrypy\test\test_refleaks.py", line 94, in getpage c.request('GET', '/') File "C:\Python24\lib\httplib.py", line 804, in request self._send_request(method, url, body, headers) File "C:\Python24\lib\httplib.py", line 827, in _send_request self.endheaders() File "C:\Python24\lib\httplib.py", line 798, in endheaders self._send_output() File "C:\Python24\lib\httplib.py", line 679, in _send_output self.send(msg) File "C:\Python24\lib\httplib.py", line 646, in send self.connect() File "C:\Python24\lib\httplib.py", line 1073, in connect ssl = socket.ssl(sock, self.key_file, self.cert_file) File "C:\Python24\lib\socket.py", line 74, in ssl return _realssl(sock, keyfile, certfile) sslerror: (8, 'EOF occurred in violation of protocol')
These occur after the server receives the error: [('SSL routines', 'SSL23_READ', 'ssl handshake failure')] during the first socket readline call.
03/29/08 20:54:24: Modified by fumanchu
- attachment sslcompare.log added.
ssldump of one good conn, one bad_record_mac
03/29/08 20:58:17: Modified by fumanchu
The attached sslcompare.log is a partial ssldump of test_refleaks when it fails. Connection #23 succeeds, #24 fails with a "bad_record_mac" alert.
Command used:
ssldump -dAaHtn -i lo -k cherrypy/test/test.pem port 8080 > ssl.log
...then, in another terminal, run:
python cherrypy/test/test.py --ssl --test_refleaks
03/29/08 21:06:56: Modified by fumanchu
It looks like the alert is raised in response to a Handshake: Finished message from client to server. According to Rescorla, "...if the alert is sent in response to a Finished message, it could also represent an error in key derivation. Even if the encryption keys are also wrong, the decryption may appear to succeed. However, the MAC will fail. In fact, even if the MAC key is correct but the encryption key is wrong, the error will still most likely appear in the MAC check..."
Oh, and the "unknown" cipher suite 0x35 is:
CipherSuite TLS_RSA_WITH_AES_256_CBC_SHA = { 0x00, 0x35 };
according to http://www.ietf.org/rfc/rfc3268.txt. But using Context.set_cipher_list() to remove it didn't help the test pass.
03/30/08 21:34:12: Modified by fumanchu
I'm starting to think this isn't an SSL bug per se; I'm getting similar errors when running test_refleaks without ssl. They appear when printing debug info or otherwise loading the process, and go away when, for example, I use skip_host with httplib to avoid the idna encoding overhead. So there's definitely a timing issue somewhere. When using --ssl, the first 10 requests are received by all 10 worker threads, but then they all lock up in WantRead loops until they timeout. Without ssl, some client threads immediately receive "Connection reset by peer" messages instead.
Fixed in [1410].