From mboxrd@z Thu Jan 1 00:00:00 1970
From: Mark H Weaver
Subject: bug#22876: Python can't use https with recent grafts
Date: Wed, 02 Mar 2016 02:27:52 -0500
Message-ID: <87oaaxl4p3.fsf@netris.org>
References: <87povdsqar.fsf@dustycloud.org> <87oaaxspmy.fsf@dustycloud.org>
Mime-Version: 1.0
Content-Type: text/plain
Return-path:
Received: from eggs.gnu.org ([2001:4830:134:3::10]:60798) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ab2v2-0007Ep-Uq for bug-guix@gnu.org; Wed, 02 Mar 2016 04:18:10 -0500
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1ab2uw-0005zq-RM for bug-guix@gnu.org; Wed, 02 Mar 2016 04:18:08 -0500
Received: from debbugs.gnu.org ([208.118.235.43]:59857) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1ab2uw-0005zg-NP for bug-guix@gnu.org; Wed, 02 Mar 2016 04:18:02 -0500
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84) (envelope-from ) id 1ab2uw-00012C-Kc for bug-guix@gnu.org; Wed, 02 Mar 2016 04:18:02 -0500
Sender: "Debbugs-submit"
Resent-To: bug-guix@gnu.org
Resent-Message-ID:
In-Reply-To: <87oaaxspmy.fsf@dustycloud.org> (Christopher Allan Webber's message of "Tue, 01 Mar 2016 16:13:41 -0800")
List-Id: Bug reports for GNU Guix
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
Sender: bug-guix-bounces+gcggb-bug-guix=m.gmane.org@gnu.org
To: Christopher Allan Webber
Cc: 22876-done@debbugs.gnu.org

In brief, I believe this is fixed by commit 03a0e682a8 on master.
See below for details.

Christopher Allan Webber writes:

> Christopher Allan Webber writes:
>
>> Most of Guix seems to be working just fine with the grafts support and
>> grafting of openssl.  However, unlike most grafts that will be done
>> probably, this one removes a feature, and that seems to be creating
>> problems in Python land.
>>
>> >>> from urllib.request import HTTPSHandler
>> Traceback (most recent call last):
>>   File "", line 1, in
>> ImportError: cannot import name 'HTTPSHandler'
>
> As expected, this is for the same reasons offlineimap seemed to have
> problems:
>
> cwebber@oolong:~/devel/mediagoblin$ python3
> Python 3.4.3 (default, Jan 1 1970, 00:00:01)
> [GCC 4.9.3] on linux
> Type "help", "copyright", "credits" or "license" for more information.
> >>> import ssl
> Traceback (most recent call last):
>   File "", line 1, in
>   File "/gnu/store/1spkp48cbbzg6ic5qkv3qpm3mvsgwkys-python-3.4.3/lib/python3.4/ssl.py", line 97, in
>     import _ssl             # if we can't import it, let the error propagate
> ImportError: /gnu/store/1spkp48cbbzg6ic5qkv3qpm3mvsgwkys-python-3.4.3/lib/python3.4/lib-dynload/_ssl.cpython-34m.so: undefined symbol: SSLv2_method
>
> This leads to my suspicion that it's not really grafting's fault here,
> it's the *removal* of a piece of code, thus making things
> abi-incompatible with the system we built.

That's exactly right, and it turns out that Guix is not the only one who
was bitten by this, e.g.:

  https://bugzilla.redhat.com/show_bug.cgi?id=1313509
  https://bodhi.fedoraproject.org/updates/openssl-1.0.2g-1.fc23#comment-395291
  https://forums.gentoo.org/viewtopic-p-7886940.html

I believe this issue is fixed by commit 03a0e682a8 on master.  In my
tests, I found that it fixes offlineimap, virtualenv, and importing
HTTPSHandler from urllib.request.

The fix is simply to add "enable-ssl2" to the arguments passed to the
OpenSSL ./config script.  I concluded that this is safe based on the
following excerpt from the CHANGES file:

  * Disable SSLv2 default build, default negotiation and weak ciphers.
    SSLv2 is by default disabled at build-time.  Builds that are not
    configured with "enable-ssl2" will not support SSLv2.  Even if
    "enable-ssl2" is used, users who want to negotiate SSLv2 via the
    version-flexible SSLv23_method() will need to explicitly call either
    of:

      SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
    or
      SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

    as appropriate.  Even if either of those is used, or the application
    explicitly uses the version-specific SSLv2_method() or its client and
    server variants, SSLv2 ciphers vulnerable to exhaustive search key
    recovery have been removed.  Specifically, the SSLv2 40-bit EXPORT
    ciphers, and SSLv2 56-bit DES are no longer available.
    (CVE-2016-0800)
    [Viktor Dukhovni]

Note that the "enable-ssl2" option is only needed when grafting, because
that's the only case where we need to preserve ABI compatibility.  I've
verified that 'offlineimap' works on the security-updates branch, where
openssl-1.0.2g has been updated in the normal way, without grafting and
without the "enable-ssl2" option.

> Hopefully most grafting situations won't require this.  I think that's
> right? :)

Yes.  When grafting, we must ensure ABI compatibility.  The mistake here
was that the ABI of the grafted OpenSSL was different than the one it
replaced.  Like Fedora and Gentoo, we expected upstream to ensure that
1.0.2g was ABI compatible with 1.0.2f.  I believe this was a reasonable
expectation.

> Is it possible to graft on top of a graft?

Good question, I don't know!  I guess we should test this, for the sake
of robustness, but on the other hand, I don't see a practical need for
this feature.  In general, we can simply update the replacement package,
which is what I've done in 03a0e682a8.

I'm closing this bug, but feel free to re-open it if you find that
problems remain.

     Thanks!
       Mark
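Added example, not part of the message above and not code from Guix or OpenSSL: the failure in this thread is an export that disappeared from the replacement library's dynamic symbol table (SSLv2_method), so a graft can be checked mechanically before it is applied by diffing `nm -D` output for the old and new library and confirming that every undefined symbol of a dependent module is still provided. The script below does that for any library/consumer pair, not only openssl and Python's _ssl. The symbol listings embedded in it are constructed for the example (the SSLv2_* and SSLv23_* names are the ones the thread discusses; SSL_CTX_new, TLSv1_2_method and PyErr_SetString are real OpenSSL/CPython symbols, but the addresses and the listings themselves are made up); the `nm_dynamic` helper runs GNU nm on real files when paths are given on the command line.

```python
#!/usr/bin/env python3
"""ABI check for a grafted shared library, driven by `nm -D` symbol tables.

Added example; not code from Guix, OpenSSL or the bug report.  The sample
listings below are constructed to mirror the thread's failure (Python's
_ssl module needing SSLv2_method); they are not real nm output.
"""
import subprocess
import sys
from typing import Set

# nm type letters meaning "this object defines the symbol": text, data,
# BSS, read-only data, weak, weak object, indirect function.
DEFINED_KINDS = "TDBRWVi"

# Constructed: `nm -D --defined-only libssl.so` of the library the consumer
# was built against (1.0.2f style, SSLv2 entry points exported).
OLD_LIBSSL_NM = """\
0000000000039c10 T SSLv23_client_method
0000000000039c20 T SSLv23_method
0000000000039c30 T SSLv23_server_method
0000000000039d00 T SSLv2_client_method
0000000000039d10 T SSLv2_method
0000000000039d20 T SSLv2_server_method
0000000000039e00 T SSLv3_method
0000000000040000 T SSL_CTX_new
0000000000040100 T TLSv1_2_method
"""

# Constructed: the same library rebuilt without "enable-ssl2" (the 1.0.2g
# default).  The SSLv2_* entry points are gone from the export table.
NEW_LIBSSL_NM = """\
0000000000039c10 T SSLv23_client_method
0000000000039c20 T SSLv23_method
0000000000039c30 T SSLv23_server_method
0000000000039e00 T SSLv3_method
0000000000040000 T SSL_CTX_new
0000000000040100 T TLSv1_2_method
"""

# Constructed: `nm -D --undefined-only _ssl.cpython-34m.so`.  Undefined
# symbols print with a blank address column: just "U" and the name.
CONSUMER_NM = """\
                 U SSLv23_method
                 U SSLv2_method
                 U SSLv3_method
                 U SSL_CTX_new
                 U TLSv1_2_method
                 U PyErr_SetString
"""

# Constructed: the consumer's other provider (libpython), so that symbols
# it supplies are not mistaken for ones the grafted library dropped.
LIBPYTHON_NM = """\
00000000000a1000 T PyErr_SetString
00000000000a1100 T PyModule_Create2
"""


def parse_nm(output: str, kinds: str) -> Set[str]:
    """Names of symbols whose nm type letter is in `kinds`.

    nm prints "[address] TYPE name"; the address is blank for undefined
    symbols, so the type letter is always the second-to-last field.
    """
    names = set()
    for line in output.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[-2] in kinds:
            names.add(fields[-1])
    return names


def removed_exports(old_nm: str, new_nm: str) -> Set[str]:
    """Exports of the old library that the replacement no longer defines.

    A graft drops the replacement into binaries linked against the old
    library, so every removed export is a potential "undefined symbol".
    """
    return parse_nm(old_nm, DEFINED_KINDS) - parse_nm(new_nm, DEFINED_KINDS)


def unresolved_symbols(consumer_nm: str, *provider_nms: str) -> Set[str]:
    """Undefined symbols of the consumer that no listed provider defines."""
    provided = set()
    for nm in provider_nms:
        provided |= parse_nm(nm, DEFINED_KINDS)
    return parse_nm(consumer_nm, "U") - provided


def nm_dynamic(path: str, undefined_only: bool = False) -> str:
    """Run GNU nm on a real file (the embedded samples do not need this)."""
    flag = "--undefined-only" if undefined_only else "--defined-only"
    return subprocess.run(["nm", "-D", flag, path], check=True,
                          capture_output=True, text=True).stdout


def main(argv: list) -> int:
    """Usage: abi_check.py OLD.so NEW.so [CONSUMER.so ...]"""
    if len(argv) < 3:
        print(main.__doc__, file=sys.stderr)
        return 2
    removed = removed_exports(nm_dynamic(argv[1]), nm_dynamic(argv[2]))
    for sym in sorted(removed):
        print("removed export:", sym)
    for consumer in argv[3:]:
        needed = parse_nm(nm_dynamic(consumer, undefined_only=True), "U")
        # Only symbols the old library used to provide are the graft's fault.
        for sym in sorted(needed & removed):
            print(f"{consumer}: would fail with undefined symbol {sym}")
    return 1 if removed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the real store paths (`abi_check.py old/libssl.so new/libssl.so .../lib-dynload/_ssl.cpython-34m.so`) this reports the three SSLv2_* exports as removed and names _ssl as the module that would break; a non-zero exit is the signal that the replacement needs to be rebuilt with the ABI-preserving option (here "enable-ssl2") before it can be grafted. A clean export diff is necessary but not sufficient, since changed struct layouts or function semantics do not show up in symbol tables.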