ssl handshake fails on osx

Bug #1323803 reported by Richard Harding
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| juju-deployer | Fix Released | Undecided | Unassigned | |
| juju-quickstart | Fix Released | High | Brad Crittenden | |
| python-jujuclient | Fix Released | Undecided | Brad Crittenden | |

Bug Description

Deployer fails to talk to an OSX bootstrapped environment. In searching around the error, this is related to the SSL2 vs SSL3 handshake. See https://github.com/jmhodges/howsmyssl/issues/3

I tested to see if updating the version of the websocket library to the latest 0.14.1 helped, but still had the failure. We'll have to investigate ways of handling the SSL handshake to force SSL3.

    $ juju-deployer -c bundles.yaml

    2014-05-27 15:12:42 Using deployment charmworld-demo
    2014-05-27 15:12:42 Starting deployment of charmworld-demo
    Traceback (most recent call last):
      File "/Users/rharding/tmp/demo/bin/juju-deployer", line 9, in <module>
        load_entry_point('juju-deployer==0.3.8', 'console_scripts', 'juju-deployer')()
      File "/Users/rharding/tmp/demo/lib/python2.7/site-packages/deployer/cli.py", line 127, in main
        run()
      File "/Users/rharding/tmp/demo/lib/python2.7/site-packages/deployer/cli.py", line 225, in run
        importer.Importer(env, deployment, options).run()
      File "/Users/rharding/tmp/demo/lib/python2.7/site-packages/deployer/action/importer.py", line 182, in run
        self.env.connect()
      File "/Users/rharding/tmp/demo/lib/python2.7/site-packages/deployer/env/go.py", line 72, in connect
        self.client = EnvironmentClient(self.api_endpoint)
      File "/Users/rharding/tmp/demo/lib/python2.7/site-packages/jujuclient.py", line 311, in __init__
        endpoint, origin=self.endpoint)
      File "/Users/rharding/tmp/demo/lib/python2.7/site-packages/websocket/__init__.py", line 227, in create_connection
        websock.connect(url, **options)
      File "/Users/rharding/tmp/demo/lib/python2.7/site-packages/websocket/__init__.py", line 522, in connect
        self.sock = ssl.wrap_socket(self.sock, **sslopt)
      File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ssl.py", line 387, in wrap_socket
        ciphers=ciphers)
      File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ssl.py", line 143, in __init__
        self.do_handshake()
      File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ssl.py", line 305, in do_handshake
        self._sslobj.do_handshake()
    ssl.SSLError: [Errno 1] _ssl.c:504: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
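
Added example, not part of the original report or of any of the projects named here: decoding the OpenSSL error code on the last line of the traceback shows which side rejected the handshake and why. It assumes the pre-3.0 OpenSSL error packing (library, function, reason) and a hand-picked subset of RFC 5246 alert names; `decode_openssl_error` is a hypothetical helper name.

```python
import re

# Error line copied from the traceback in this report.
SAMPLE = ("ssl.SSLError: [Errno 1] _ssl.c:504: error:1407742E:SSL routines:"
          "SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version")

# Assumption: pre-3.0 OpenSSL packs an error as (lib << 24) | (func << 12) | reason.
ERR_LIB_SSL = 20
# In libssl, reason codes at or above this offset mean "the peer sent TLS
# alert N", with N = reason - 1000 (SSL_AD_REASON_OFFSET).
SSL_AD_REASON_OFFSET = 1000

# Subset of TLS alert descriptions (RFC 5246, section 7.2).
TLS_ALERTS = {
    40: "handshake_failure", 42: "bad_certificate", 47: "illegal_parameter",
    48: "unknown_ca", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error",
}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)")


def decode_openssl_error(message):
    """Split an 'error:XXXXXXXX:lib:func:reason' string into its fields."""
    m = ERR_RE.search(message)
    if m is None:
        return None  # not an OpenSSL error-queue string
    code = int(m.group(1), 16)
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET  # alert number sent by the peer
    return {
        "lib": lib, "func": func, "reason": reason,
        "function_name": m.group(3).strip(),
        "reason_text": m.group(4).strip(),
        "peer_alert": alert,
        "peer_alert_name": TLS_ALERTS.get(alert),
    }


if __name__ == "__main__":
    for key, value in sorted(decode_openssl_error(SAMPLE).items()):
        print("%-16s %s" % (key, value))
```

For this traceback the reason field is 1070, that is alert 70 (`protocol_version`) sent by the server, so the failure is about the protocol version the client offered rather than certificates or ciphers.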

Kapil Thangavelu (hazmat) wrote :

really a jujuclient library issue

Kapil Thangavelu (hazmat) wrote :

properly this is a juju core issue

<rick_h_> hazmat: hmm, latest? /me checks
<rick_h_> 10.9.3
<rick_h_> hazmat: and the openssl version matched the linked url discussion
<hazmat> rick_h_, so this is an osx and python issue.
<rick_h_> hazmat: yes
<rick_h_> hazmat: and websocket library issue perhaps
<rick_h_> hazmat: I chased it down enough to get close but filed a bug from there. Was trying to help that stein guy get notes on doing his demo stuff from osx and it's more work than I've got time for before I leave tomorrow
<hazmat> rick_h_, no.. it's deeper than that
<rick_h_> hazmat: I've added it to our board to look into as we'll hit this with our current work to make juju-quickstart work on osx
<rick_h_> hazmat: right, but it sounds like there might be config/ways to enforce ssl3 at handshake?
<rick_h_> and skip ssl2
<hazmat> rick_h_, it's a libssl issue.. the best fix we can do without modifying python or osx version of ssl
<hazmat> is to change the server to only do ssl3 or tlsv1

<rick_h_> hazmat: cool, yea I'm not sure if there's a decent work around for the client or it requires server changes. I figure we can't be the first to hit this stuff (and a google search proves we're not)
<hazmat> rick_h_, there is no workaround for the client
<hazmat> without changing python versions, patching py2.7, bundling a new libssl

Changed in juju-quickstart:
status: New → Triaged
importance: Undecided → High
Brad Crittenden (bac)
Changed in juju-quickstart:
assignee: nobody → Brad Crittenden (bac)
status: Triaged → In Progress
Brad Crittenden (bac)
Changed in juju-quickstart:
status: In Progress → Fix Committed
Brad Crittenden (bac) wrote :

juju-quickstart was fixed by explicitly setting the ssl_version when the web socket is created.

    import ssl
    # Force TLSv1 for the handshake instead of the default protocol negotiation.
    connection = WebSocketConnection(
        sslopt={'ssl_version': ssl.PROTOCOL_TLSv1})

Brad Crittenden (bac) wrote :

juju-client can be similarly updated to force the use of TLS via the (undocumented) sslopt option:
https://github.com/liris/websocket-client/blob/v0.12.0/websocket.py#L198

Changed in juju-quickstart:
status: Fix Committed → Fix Released
Brad Crittenden (bac)
Changed in python-jujuclient:
assignee: nobody → Brad Crittenden (bac)
status: New → In Progress
Changed in juju-deployer:
status: New → Fix Committed
Changed in python-jujuclient:
status: In Progress → Fix Released
Changed in juju-deployer:
milestone: none → 0.4.0
Changed in juju-deployer:
status: Fix Committed → Fix Released