Patch pyopenssl for sslv3 issue

wishi picture wishi · Mar 11, 2015 · Viewed 39.2k times · Source

I got a problem on a Debian 8 system with python 2.7.9-2 amd64:

    marius@pydev:/usr/lib/python2.7/dist-packages/urllib3/contrib$ pip search doo
Traceback (most recent call last):
  File "/usr/bin/pip", line 9, in <module>
    load_entry_point('pip==1.5.6', 'console_scripts', 'pip')()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 356, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2476, in load_entry_point
    return ep.load()
  File "/usr/lib/python2.7/dist-packages/pkg_resources.py", line 2190, in load
    ['__name__'])
  File "/usr/lib/python2.7/dist-packages/pip/__init__.py", line 74, in <module>
    from pip.vcs import git, mercurial, subversion, bazaar  # noqa
  File "/usr/lib/python2.7/dist-packages/pip/vcs/mercurial.py", line 9, in <module>
    from pip.download import path_to_url
  File "/usr/lib/python2.7/dist-packages/pip/download.py", line 22, in <module>
    import requests, six
  File "/usr/local/lib/python2.7/dist-packages/requests/__init__.py", line 53, in <module>
    from .packages.urllib3.contrib import pyopenssl
  File "/usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/contrib/pyopenssl.py", line 73, in <module>
    ssl.PROTOCOL_SSLv3: OpenSSL.SSL.SSLv3_METHOD,
**AttributeError: 'module' object has no attribute 'PROTOCOL_SSLv3'**

I checked into the lib and tried to patch /usr/local/lib/python2.7/dist-packages/requests/packages/urllib3/contrib/pyopenssl.py

    from .. import connection
from .. import util

__all__ = ['inject_into_urllib3', 'extract_from_urllib3']

# SNI only *really* works if we can read the subjectAltName of certificates.
HAS_SNI = SUBJ_ALT_NAME_SUPPORT

# Map from urllib3 to PyOpenSSL compatible parameter-values.
_openssl_versions = {
    ssl.PROTOCOL_SSLv23: OpenSSL.SSL.SSLv23_METHOD,
    **ssl.PROTOCOL_SSLv3: OpenSSL.SSL.SSLv3_METHOD,**
    ssl.PROTOCOL_TLSv1: OpenSSL.SSL.TLSv1_METHOD,
}
_openssl_verify = {
    ssl.CERT_NONE: OpenSSL.SSL.VERIFY_NONE,
    ssl.CERT_OPTIONAL: OpenSSL.SSL.VERIFY_PEER,
    ssl.CERT_REQUIRED: OpenSSL.SSL.VERIFY_PEER
                       + OpenSSL.SSL.VERIFY_FAIL_IF_NO_PEER_CERT,
}

Could someone enlighten me how I can fix this? It would be super awesome if someone had a clue. I googled the issue and only found incomplete patches and it's messy. Probably a case for the bug tracker once this is fixed, too. I have this issue for all Python packages.

Answer

sk1p picture sk1p · Mar 16, 2015

This is actually an issue with urllib3, not with pyopenssl. Debian lately compiles OpenSSL without SSLv3 support, and urllib3 just assumed that support was there.

The issue was fixed in commit b9b3b0102 which is part of the 1.10 release of urllib3.

As you are using urllib3 as part of requests, which in turn is used by pip, it should be enough to update to a recent version of requests. As of writing, the current version is 2.6.0 which contains the fix:

# pip install requests==2.6.0

You might encounter a problem upgrading requests, because of the chicken-egg problem. To fix this, you can try to temporarily remove the pyopenssl package, upgrade requests and reinstall pyopenssl.

Additionally you might want to use the following line to update pip before trying to update requests:

# sudo easy_install --upgrade pip