Issue #1202 new

SSL not working properly with Python 3, using both pyopenssl and builtin

Anonymous created an issue

I have tested with both Python 3.2 and 3.3. I cannot get SSL to work unless I use Python 2.7.

The example code I used:

import cherrypy

class RootServer:
    def index(self, **keywords):
        return "it works!"
    index.exposed = True

if __name__ == '__main__':
    server_config = {
        'server.socket_host': '0.0.0.0',
        'server.socket_port': 8080,

        # SSL adapter to use: 'pyopenssl' here, 'builtin' for the second attempt below
        'server.ssl_module': 'pyopenssl',
        'server.ssl_certificate': 'ssl/certificate.crt',
        'server.ssl_private_key': 'server.key',
        'server.ssl_certificate_chain': 'bundle.crt'
    }

    cherrypy.config.update(server_config)
    cherrypy.quickstart(RootServer())

I made sure pyopenssl is installed for Python 3.

Running the above code gives this output:

[casper@zacko ~]$ python ssl.py
[12/Jan/2013:12:08:41] ENGINE Listening for SIGTERM.
[12/Jan/2013:12:08:41] ENGINE Listening for SIGHUP.
[12/Jan/2013:12:08:41] ENGINE Listening for SIGUSR1.
[12/Jan/2013:12:08:41] ENGINE Bus STARTING
CherryPy Checker:
The Application mounted at '' has an empty config.

[12/Jan/2013:12:08:41] ENGINE Started monitor thread '_TimeoutMonitor'.
[12/Jan/2013:12:08:41] ENGINE Started monitor thread 'Autoreloader'.
[12/Jan/2013:12:08:41] ENGINE Error in 'start' listener <bound method Server.start of <cherrypy._cpserver.Server object at 0x7f28a8833410>>
Traceback (most recent call last):
  File "/usr/lib/python3.3/site-packages/CherryPy-3.2.3-py3.3.egg/cherrypy/process/wspbus.py", line 197, in publish
    output.append(listener(*args, **kwargs))
  File "/usr/lib/python3.3/site-packages/CherryPy-3.2.3-py3.3.egg/cherrypy/_cpserver.py", line 150, in start
    self.httpserver, self.bind_addr = self.httpserver_from_self()
  File "/usr/lib/python3.3/site-packages/CherryPy-3.2.3-py3.3.egg/cherrypy/_cpserver.py", line 141, in httpserver_from_self
    httpserver = _cpwsgi_server.CPWSGIServer(self)
  File "/usr/lib/python3.3/site-packages/CherryPy-3.2.3-py3.3.egg/cherrypy/_cpwsgi_server.py", line 53, in __init__
    adapter_class = wsgiserver.get_ssl_adapter_class(ssl_module)
  File "/usr/lib/python3.3/site-packages/CherryPy-3.2.3-py3.3.egg/cherrypy/wsgiserver/wsgiserver3.py", line 1758, in get_ssl_adapter_class
    adapter = ssl_adapters[name.lower()]
KeyError: 'pyopenssl'

[12/Jan/2013:12:08:41] ENGINE Shutting down due to error in start listener:
Traceback (most recent call last):
  File "/usr/lib/python3.3/site-packages/CherryPy-3.2.3-py3.3.egg/cherrypy/process/wspbus.py", line 235, in start
    self.publish('start')
  File "/usr/lib/python3.3/site-packages/CherryPy-3.2.3-py3.3.egg/cherrypy/process/wspbus.py", line 215, in publish
    raise exc
cherrypy.process.wspbus.ChannelFailures: KeyError('pyopenssl',)

If I change the SSL module to 'builtin' I get no errors. It asks for the password, but after entering it nothing happens. Each time I try to access the site in a browser it will ask for the password again.

Should I enter it incorrectly, an exception is thrown, which seems like correct behavior.

Comments (8)

  1. Derek Litz

    The bug report is a bit misleading... SSL works with Python3, but you cannot specify to use 'pyopenssl' because it only supports 'builtin'.

    See line 1763 of wsgiserver3.py

  2. Florijan Hamzic

    Will this be fixed within some of the next 3.2.x versions?

    I am trying to understand the problem here: is it really that much effort to port the CP_fileobject part to wsgiserver3?

  3. Florijan Hamzic

    I just ran into this issue again:

    here is what makes it possible to use CA certs with the builtin SSL provider

    add the following parameter to this function in ./wsgiserver/ssl_builtin.py:

    s = ssl.wrap_socket(sock, do_handshake_on_connect=True,
                        server_side=True, certfile=self.certificate,
                        keyfile=self.private_key,
                        ssl_version=ssl.PROTOCOL_SSLv23,
                        ca_certs=self.certificate_chain)  # <- added parameter
    
  4. Austin Steed

    Thank you Florijan! After looking in the source of ssl_builtin.py I noticed this as well, when cherrypy uses the "builtin" ssl, it simply stores the certificate_chain but doesn't actually use it.

    I'm running python 3.4 w/ cherrypy 3.6

  5. decontaminatoR

    @Florijan, yes, that works, but I also added, after this:

        private_key = None
        """The filename of the server's private key file."""

    I added this:

        certificate_chain = None
        """The filename of the certificate chain file."""


    Pull request: HERE
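Added example (written for this page; it is not CherryPy's code and not from any commenter). Two caveats a practitioner should check before applying the patch above. First, in Python's `ssl` module the `ca_certs` argument (and `SSLContext.load_verify_locations`) is the trust store used to verify the peer's certificate, i.e. for client-certificate authentication; the chain a server presents to browsers is whatever is concatenated into the file passed as `certfile`, so a leaf-only certificate file still sends no intermediates. Second, `ssl.wrap_socket()` reads the certificate and key on every call, and the adapter wraps each accepted socket, which matches the report above of an encrypted private key prompting for its passphrase on every request; loading the key once into an `ssl.SSLContext` with `password=` removes the prompt. Also, running the reproduction as `ssl.py` puts a module named `ssl` ahead of the standard library on `sys.path`, so rename the script before testing. The script below audits the PEM files for these conditions and builds one reusable server context. It uses only the standard library (Python 3.7+ assumed); the sample PEM text is constructed placeholder data, not real certificates or keys; and `pem_blocks`, `audit_server_material`, `make_server_context`, `load_server_identity` and the `client_ca_file` parameter are names chosen here.

```python
"""Audit the PEM material handed to a TLS server and build one reusable
ssl.SSLContext instead of calling ssl.wrap_socket() per connection.
Added example for this issue; standard library only, not CherryPy code."""
import re
import ssl
from typing import Dict, List

# One PEM block: "-----BEGIN X-----", body (headers + base64), "-----END X-----".
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def pem_blocks(text: str) -> List[Dict[str, str]]:
    """Return the PEM blocks found in `text` as {'label', 'body'} dicts, in order."""
    return [m.groupdict() for m in _PEM_BLOCK.finditer(text)]


def audit_server_material(cert_pem: str, key_pem: str) -> Dict[str, object]:
    """Flag the conditions behind the symptoms discussed in this issue.

    - a cert file holding a single CERTIFICATE sends no intermediates: the
      chain must be concatenated into the `certfile`; `ca_certs` / cafile is
      the trust store for the *peer's* certificate, not the chain we present;
    - an encrypted key makes every ssl.wrap_socket() call prompt, because
      wrap_socket loads certfile/keyfile anew each time it is called;
    - a private key inside the certificate file is a secret leak waiting to
      happen if that file is ever served or handed to a CA.
    """
    cert_blocks = pem_blocks(cert_pem)
    key_blocks = pem_blocks(key_pem)
    certs = [b for b in cert_blocks if b["label"] == "CERTIFICATE"]
    keys = [b for b in key_blocks if "PRIVATE KEY" in b["label"]]
    # PKCS#8 encrypted keys use the "ENCRYPTED PRIVATE KEY" label; legacy
    # OpenSSL keys carry a "Proc-Type: 4,ENCRYPTED" header inside the block.
    encrypted = any(
        "ENCRYPTED" in b["label"] or "Proc-Type: 4,ENCRYPTED" in b["body"]
        for b in keys
    )
    return {
        "certificates_in_cert_file": len(certs),
        "sends_intermediates": len(certs) > 1,
        "private_keys_in_key_file": len(keys),
        "key_encrypted": encrypted,
        "key_leaked_into_cert_file": any("PRIVATE KEY" in b["label"] for b in cert_blocks),
    }


def make_server_context(client_ca_file: str = None) -> ssl.SSLContext:
    """Build the server-side context once, at startup, and reuse it per connection.

    `client_ca_file` (a name chosen here) is the only place a CA bundle
    belongs: it turns on client-certificate verification.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_ca_file:
        ctx.load_verify_locations(cafile=client_ca_file)
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def load_server_identity(ctx: ssl.SSLContext, certfile: str, keyfile: str,
                         password: str = None) -> ssl.SSLContext:
    """Load leaf+chain and key exactly once; an encrypted key is unlocked here
    with `password`, so no passphrase prompt happens per connection."""
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile, password=password)
    return ctx


# Constructed placeholders, not real certificates or keys: the bodies are not
# valid DER, so they are only parsed here and never fed to load_cert_chain().
LEAF_ONLY = (
    "-----BEGIN CERTIFICATE-----\nMIIBleaf...placeholder\n-----END CERTIFICATE-----\n"
)
LEAF_AND_INTERMEDIATE = LEAF_ONLY + (
    "-----BEGIN CERTIFICATE-----\nMIIBinter...placeholder\n-----END CERTIFICATE-----\n"
)
ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
    "placeholder\n"
    "-----END RSA PRIVATE KEY-----\n"
)
PLAIN_KEY = "-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, cert, key in (("leaf only, encrypted key", LEAF_ONLY, ENCRYPTED_KEY),
                            ("leaf + intermediate, plain key", LEAF_AND_INTERMEDIATE, PLAIN_KEY)):
        print(name, audit_server_material(cert, key))
    ctx = make_server_context()
    print("server context ready, minimum TLS version:", ctx.minimum_version)
    # With real files: load_server_identity(ctx, "bundle.crt", "server.key", password="...")
    # and hand `ctx` to ctx.wrap_socket(sock, server_side=True) for each accepted socket.
```

The audit is the check to run before touching the adapter: if `sends_intermediates` is false, fix it by concatenating the intermediates into the certificate file, not by passing them as `ca_certs`; if `key_encrypted` is true, supply the passphrase once through `load_server_identity` rather than accepting a prompt per connection.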
