Message ID | 1461144174-7711-1-git-send-email-yegorslists@googlemail.com |
---|---|
State | Superseded |
Hello,

On Wed, 20 Apr 2016 11:22:54 +0200, yegorslists@googlemail.com wrote:
> From: Yegor Yefremov <yegorslists@googlemail.com>
>
> Fixes #8856

Are you sure this is sufficient to fix the bug? Doesn't python-tornado
also need to select this new package when Python 2 is used?

Thanks!

Thomas
On Wed, Apr 20, 2016 at 11:28 AM, Thomas Petazzoni
<thomas.petazzoni@free-electrons.com> wrote:
> Hello,
>
> On Wed, 20 Apr 2016 11:22:54 +0200, yegorslists@googlemail.com wrote:
>> From: Yegor Yefremov <yegorslists@googlemail.com>
>>
>> Fixes #8856
>
> Are you sure this is sufficient to fix the bug? Doesn't python-tornado
> also need to select this new package when Python 2 is used?

Both Python 2 and 3 implement ssl.match_hostname(cert, hostname) [1]

backports.ssl_match_hostname 3.5.0.1 introduces some enhancements made
in 3.5. See its history:

History
-------

* This function was introduced in python-3.2
* It was updated for python-3.4a1 for a CVE
  (backports-ssl_match_hostname-3.4.0.1)
* It was updated from RFC2818 to RFC 6125 compliance in order to fix another
  security flaw for python-3.3.3 and python-3.4a5
  (backports-ssl_match_hostname-3.4.0.2)
* It was updated in python-3.5 to handle IPAddresses in ServerAltName fields
  (something that backports.ssl_match_hostname will do if you also install the
  ipaddress library from pypi).

Tornado has following logic to decide, when to import
backports.ssl_match_hostname

    if hasattr(ssl, 'match_hostname') and hasattr(ssl, 'CertificateError'):  # python 3.2+
        ssl_match_hostname = ssl.match_hostname
        SSLCertificateError = ssl.CertificateError
    elif ssl is None:
        ssl_match_hostname = SSLCertificateError = None
    else:
        import backports.ssl_match_hostname
        ssl_match_hostname = backports.ssl_match_hostname.match_hostname
        SSLCertificateError = backports.ssl_match_hostname.CertificateError

So if the user wants to use ssl.match_hostname, he must select
Python's SSL support.

Turns out, that this package can be used only, if the user imports it
directly.

[1] https://docs.python.org/2.7/library/ssl.html
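A simplified sketch of the checks the history quoted above refers to: single-label wildcard matching in the spirit of RFC 6125, and IP literals compared only with IP Address entries of subjectAltName. It is an added example, not part of the thread and not the code of ssl.match_hostname or of the backport; the certificates are constructed dicts in the shape SSLSocket.getpeercert() returns, and the wildcard policy is an assumption that is stricter than the RFC requires.

```python
import ipaddress


class CertificateError(ValueError):
    """The certificate is not valid for the requested host."""


def _dns_id_matches(pattern, hostname):
    # Case-insensitive, label-by-label comparison; a trailing dot is ignored.
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Assumed policy, stricter than RFC 6125 requires: "*" must be the whole
    # left-most label and stands for exactly one label ("*.a.b" != "x.y.a.b").
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def _as_ip(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def match_hostname(cert, hostname):
    """Raise CertificateError unless the getpeercert()-style dict covers hostname."""
    sans = cert.get("subjectAltName", ())
    host_ip = _as_ip(hostname)
    if host_ip is not None:
        # An IP literal is compared only with "IP Address" SANs, never DNS or CN.
        if any(k == "IP Address" and _as_ip(v) == host_ip for k, v in sans):
            return
        raise CertificateError("%s is not in the IP Address SANs" % hostname)
    names = [v for k, v in sans if k == "DNS"]
    if not names:
        # Legacy fallback: commonName counts only when no DNS SAN is present.
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    if not any(_dns_id_matches(p, hostname) for p in names):
        raise CertificateError("%s does not match %r" % (hostname, names))


def is_valid_for(cert, hostname):
    try:
        match_hostname(cert, hostname)
    except CertificateError:
        return False
    return True


# Constructed certificates, in the dict shape SSLSocket.getpeercert() returns.
WILDCARD_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("IP Address", "192.0.2.10")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.com"),),)}

if __name__ == "__main__":
    for host in ("www.example.com", "a.b.example.com", "192.0.2.10", "192.0.2.11"):
        print(host, is_valid_for(WILDCARD_CERT, host))
    print("legacy.example.com", is_valid_for(CN_ONLY_CERT, "legacy.example.com"))
```
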
Hi Charles,

On Wed, Apr 20, 2016 at 6:44 PM, Charles Hardin <ckhardin@exablox.com> wrote:
> Yes - I think I just selected it out of laziness because we don’t run
> different
> python versions and only use python 2.7

Could you perform following test?

1. disable backports.ssl_match_hostname
2. enable SSL support in Python, python-tornado and python-certifi
3. make clean && make

Is your application functioning without backports.ssl_match_hostname?

Thanks.

Yegor

> On Apr 20, 2016, at 2:58 AM, Yegor Yefremov <yegorslists@googlemail.com>
> wrote:
>
> On Wed, Apr 20, 2016 at 11:28 AM, Thomas Petazzoni
> <thomas.petazzoni@free-electrons.com> wrote:
>
> Hello,
>
> On Wed, 20 Apr 2016 11:22:54 +0200, yegorslists@googlemail.com wrote:
>
> From: Yegor Yefremov <yegorslists@googlemail.com>
>
> Fixes #8856
>
>
> Are you sure this is sufficient to fix the bug? Doesn't python-tornado
> also need to select this new package when Python 2 is used?
>
>
> Both Python 2 and 3 implement ssl.match_hostname(cert, hostname) [1]
>
> backports.ssl_match_hostname 3.5.0.1 introduces some enhancements made
> in 3.5. See its history:
>
> History
> -------
>
> * This function was introduced in python-3.2
> * It was updated for python-3.4a1 for a CVE
> (backports-ssl_match_hostname-3.4.0.1)
> * It was updated from RFC2818 to RFC 6125 compliance in order to fix another
> security flaw for python-3.3.3 and python-3.4a5
> (backports-ssl_match_hostname-3.4.0.2)
> * It was updated in python-3.5 to handle IPAddresses in ServerAltName fields
> (something that backports.ssl_match_hostname will do if you also install the
> ipaddress library from pypi).
Hi Charles,

On Wed, Apr 20, 2016 at 11:38 PM, Charles Hardin <ckhardin@exablox.com> wrote:
> Btw - it is circus that uses tornado

Could you send a patch adding circus to Buildroot? See [1] for
submitting patches instructions.

circus runs a daemon, but also provides an API, so I would add this as
an ordinary Python package.

[1] http://nightly.buildroot.org/manual.html#submitting-patches

Yegor

> Sent from my iPad
>
>> On Apr 20, 2016, at 1:27 PM, Yegor Yefremov <yegorslists@googlemail.com> wrote:
>>
>> Hi Charles,
>>
>>> On Wed, Apr 20, 2016 at 6:44 PM, Charles Hardin <ckhardin@exablox.com> wrote:
>>> Yes - I think I just selected it out of laziness because we don’t run
>>> different
>>> python versions and only use python 2.7
>>
>> Could you perform following test?
>>
>> 1. disable backports.ssl_match_hostname
>> 2. enable SSL support in Python, python-tornado and python-certifi
>> 3. make clean && make
>>
>> Is your application functioning without backports.ssl_match_hostname?
>>
>> Thanks.
>>
>> Yegor
>>
>>> On Apr 20, 2016, at 2:58 AM, Yegor Yefremov <yegorslists@googlemail.com>
>>> wrote:
>>>
>>> On Wed, Apr 20, 2016 at 11:28 AM, Thomas Petazzoni
>>> <thomas.petazzoni@free-electrons.com> wrote:
>>>
>>> Hello,
>>>
>>> On Wed, 20 Apr 2016 11:22:54 +0200, yegorslists@googlemail.com wrote:
>>>
>>> From: Yegor Yefremov <yegorslists@googlemail.com>
>>>
>>> Fixes #8856
>>>
>>>
>>> Are you sure this is sufficient to fix the bug? Doesn't python-tornado
>>> also need to select this new package when Python 2 is used?
>>>
>>>
>>> Both Python 2 and 3 implement ssl.match_hostname(cert, hostname) [1]
>>>
>>> backports.ssl_match_hostname 3.5.0.1 introduces some enhancements made
>>> in 3.5.
On 04/20/16 11:22, yegorslists@googlemail.com wrote:
> From: Yegor Yefremov<yegorslists@googlemail.com>
>
> Fixes #8856
>
> Signed-off-by: Yegor Yefremov<yegorslists@googlemail.com>
> ---
> package/Config.in | 1 +
> package/python-backports-ssl-match-hostname/Config.in | 6 ++++++
> .../python-backports-ssl-match-hostname.hash | 4 ++++
> .../python-backports-ssl-match-hostname.mk | 14 ++++++++++++++
> 4 files changed, 25 insertions(+)
> create mode 100644 package/python-backports-ssl-match-hostname/Config.in
> create mode 100644 package/python-backports-ssl-match-hostname/python-backports-ssl-match-hostname.hash
> create mode 100644 package/python-backports-ssl-match-hostname/python-backports-ssl-match-hostname.mk
>
> diff --git a/package/Config.in b/package/Config.in > index ecaf164..3b5e66e 100644 > --- a/package/Config.in > +++ b/package/Config.in > @@ -630,6 +630,7 @@ menu "External python modules" > source "package/python-alsaaudio/Config.in" > source "package/python-autobahn/Config.in" > source "package/python-backports-abc/Config.in" > + source "package/python-backports-ssl-match-hostname/Config.in" > source "package/python-beautifulsoup4/Config.in" > source "package/python-bottle/Config.in" > source "package/python-can/Config.in" > diff --git a/package/python-backports-ssl-match-hostname/Config.in b/package/python-backports-ssl-match-hostname/Config.in > new file mode 100644 > index 0000000..36399bb > --- /dev/null > +++ b/package/python-backports-ssl-match-hostname/Config.in > @@ -0,0 +1,6 @@ > +config BR2_PACKAGE_PYTHON_BACKPORTS_SSL_MATCH_HOSTNAME > + bool "python-backports-ssl-match-hostname"

Smells like this should
    depends on BR2_PACKAGE_PYTHON
no? Doesn't make much sense to backport this function to Python 3.6 :-)

Regards,
Arnout

> + help > + The ssl.match_hostname() function from Python 3.5. > + > + http://bitbucket.org/brandon/backports.ssl_match_hostname

[snip]
On Thu, Apr 21, 2016 at 9:36 PM, Arnout Vandecappelle <arnout@mind.be> wrote: > On 04/20/16 11:22, yegorslists@googlemail.com wrote: >> >> From: Yegor Yefremov<yegorslists@googlemail.com> >> >> Fixes #8856 >> >> Signed-off-by: Yegor Yefremov<yegorslists@googlemail.com> >> --- >> package/Config.in | 1 + >> package/python-backports-ssl-match-hostname/Config.in | 6 ++++++ >> .../python-backports-ssl-match-hostname.hash | 4 ++++ >> .../python-backports-ssl-match-hostname.mk | 14 >> ++++++++++++++ >> 4 files changed, 25 insertions(+) >> create mode 100644 package/python-backports-ssl-match-hostname/Config.in >> create mode 100644 >> package/python-backports-ssl-match-hostname/python-backports-ssl-match-hostname.hash >> create mode 100644 >> package/python-backports-ssl-match-hostname/python-backports-ssl-match-hostname.mk >> >> diff --git a/package/Config.in b/package/Config.in >> index ecaf164..3b5e66e 100644 >> --- a/package/Config.in >> +++ b/package/Config.in >> @@ -630,6 +630,7 @@ menu "External python modules" >> source "package/python-alsaaudio/Config.in" >> source "package/python-autobahn/Config.in" >> source "package/python-backports-abc/Config.in" >> + source "package/python-backports-ssl-match-hostname/Config.in" >> source "package/python-beautifulsoup4/Config.in" >> source "package/python-bottle/Config.in" >> source "package/python-can/Config.in" >> diff --git a/package/python-backports-ssl-match-hostname/Config.in >> b/package/python-backports-ssl-match-hostname/Config.in >> new file mode 100644 >> index 0000000..36399bb >> --- /dev/null >> +++ b/package/python-backports-ssl-match-hostname/Config.in 
>> @@ -0,0 +1,6 @@ >> +config BR2_PACKAGE_PYTHON_BACKPORTS_SSL_MATCH_HOSTNAME >> + bool "python-backports-ssl-match-hostname"
>
>
> Smells like this should
>     depends on BR2_PACKAGE_PYTHON
> no? Doesn't make much sense to backport this function to Python 3.6 :-)

No. We still have Python 3.4.x

The most interesting goody about 3.5 ssl-match-hostname is
support for IP addresses or something like this, that uses "import
ipaddress", so it would make sense to select this package for Python
2.7.

Yegor

>> + help >> + The ssl.match_hostname() function from Python 3.5. >> + >> + http://bitbucket.org/brandon/backports.ssl_match_hostname
>
> [snip]
>
> --
> Arnout Vandecappelle arnout at mind be
> Senior Embedded Software Architect +32-16-286500
> Essensium/Mind http://www.mind.be
> G.Geenslaan 9, 3001 Leuven, Belgium BE 872 984 063 RPR Leuven
> LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
> GPG fingerprint: 7493 020B C7E3 8618 8DEC 222C 82EB F404 F9AC 0DDF
On 04/21/16 23:18, Yegor Yefremov wrote: > On Thu, Apr 21, 2016 at 9:36 PM, Arnout Vandecappelle <arnout@mind.be> wrote: >> On 04/20/16 11:22, yegorslists@googlemail.com wrote: >>> >>> From: Yegor Yefremov<yegorslists@googlemail.com> >>> >>> Fixes #8856 >>> >>> Signed-off-by: Yegor Yefremov<yegorslists@googlemail.com> >>> --- >>> package/Config.in | 1 + >>> package/python-backports-ssl-match-hostname/Config.in | 6 ++++++ >>> .../python-backports-ssl-match-hostname.hash | 4 ++++ >>> .../python-backports-ssl-match-hostname.mk | 14 >>> ++++++++++++++ >>> 4 files changed, 25 insertions(+) >>> create mode 100644 package/python-backports-ssl-match-hostname/Config.in >>> create mode 100644 >>> package/python-backports-ssl-match-hostname/python-backports-ssl-match-hostname.hash >>> create mode 100644 >>> package/python-backports-ssl-match-hostname/python-backports-ssl-match-hostname.mk >>> >>> diff --git a/package/Config.in b/package/Config.in >>> index ecaf164..3b5e66e 100644 >>> --- a/package/Config.in >>> +++ b/package/Config.in >>> @@ -630,6 +630,7 @@ menu "External python modules" >>> source "package/python-alsaaudio/Config.in" >>> source "package/python-autobahn/Config.in" >>> source "package/python-backports-abc/Config.in" >>> + source "package/python-backports-ssl-match-hostname/Config.in" >>> source "package/python-beautifulsoup4/Config.in" >>> source "package/python-bottle/Config.in" >>> source "package/python-can/Config.in" >>> diff --git a/package/python-backports-ssl-match-hostname/Config.in >>> b/package/python-backports-ssl-match-hostname/Config.in >>> new file mode 100644 >>> index 0000000..36399bb >>> --- /dev/null >>> +++ b/package/python-backports-ssl-match-hostname/Config.in 
>>> @@ -0,0 +1,6 @@ >>> +config BR2_PACKAGE_PYTHON_BACKPORTS_SSL_MATCH_HOSTNAME >>> + bool "python-backports-ssl-match-hostname"
>>
>>
>> Smells like this should
>>     depends on BR2_PACKAGE_PYTHON
>> no? Doesn't make much sense to backport this function to Python 3.6 :-)
>
> No. We still have Python 3.4.x

Oh, I thought Thomas bumped it... Looks like that patch hasn't been applied yet.

Regards,
Arnout

>
> The most interesting goody about 3.5 ssl-match-hostname is
> support for IP addresses or something like this, that uses "import
> ipaddress", so it would make sense to select this package for Python
> 2.7.

[snip]
On Fri, Apr 22, 2016 at 1:06 AM, Arnout Vandecappelle <arnout@mind.be> wrote: > > > On 04/21/16 23:18, Yegor Yefremov wrote: >> >> On Thu, Apr 21, 2016 at 9:36 PM, Arnout Vandecappelle <arnout@mind.be> >> wrote: >>> >>> On 04/20/16 11:22, yegorslists@googlemail.com wrote: >>>> >>>> >>>> From: Yegor Yefremov<yegorslists@googlemail.com> >>>> >>>> Fixes #8856 >>>> >>>> Signed-off-by: Yegor Yefremov<yegorslists@googlemail.com> >>>> --- >>>> package/Config.in | 1 + >>>> package/python-backports-ssl-match-hostname/Config.in | 6 >>>> ++++++ >>>> .../python-backports-ssl-match-hostname.hash | 4 ++++ >>>> .../python-backports-ssl-match-hostname.mk | 14 >>>> ++++++++++++++ >>>> 4 files changed, 25 insertions(+) >>>> create mode 100644 >>>> package/python-backports-ssl-match-hostname/Config.in >>>> create mode 100644 >>>> >>>> package/python-backports-ssl-match-hostname/python-backports-ssl-match-hostname.hash >>>> create mode 100644 >>>> >>>> package/python-backports-ssl-match-hostname/python-backports-ssl-match-hostname.mk >>>> >>>> diff --git a/package/Config.in b/package/Config.in >>>> index ecaf164..3b5e66e 100644 >>>> --- a/package/Config.in >>>> +++ b/package/Config.in >>>> @@ -630,6 +630,7 @@ menu "External python modules" >>>> source "package/python-alsaaudio/Config.in" >>>> source "package/python-autobahn/Config.in" >>>> source "package/python-backports-abc/Config.in" >>>> + source "package/python-backports-ssl-match-hostname/Config.in" >>>> source "package/python-beautifulsoup4/Config.in" >>>> source "package/python-bottle/Config.in" >>>> source "package/python-can/Config.in" >>>> diff --git a/package/python-backports-ssl-match-hostname/Config.in >>>> b/package/python-backports-ssl-match-hostname/Config.in >>>> new file mode 100644 >>>> index 0000000..36399bb >>>> --- /dev/null >>>> +++ b/package/python-backports-ssl-match-hostname/Config.in 
>>>> @@ -0,0 +1,6 @@ >>>> +config BR2_PACKAGE_PYTHON_BACKPORTS_SSL_MATCH_HOSTNAME >>>> + bool "python-backports-ssl-match-hostname"
>>>
>>>
>>>
>>> Smells like this should
>>>     depends on BR2_PACKAGE_PYTHON
>>> no? Doesn't make much sense to backport this function to Python 3.6 :-)
>>
>>
>> No. We still have Python 3.4.x
>
>
> Oh, I thought Thomas bumped it... Looks like that patch hasn't been applied
> yet.
>
> Regards,
> Arnout
>
>>
>> The most interesting goody about 3.5 ssl-match-hostname is
>> support for IP addresses or something like this, that uses "import
>> ipaddress", so it would make sense to select this package for Python
>> 2.7.

I've installed circus myself and now I understand the problem. circusd
uses following code:

    #!/usr/bin/python
    # EASY-INSTALL-ENTRY-SCRIPT: 'circus==0.13.0','console_scripts','circusd'
    __requires__ = 'circus==0.13.0'
    import sys
    from pkg_resources import load_entry_point

    if __name__ == '__main__':
        sys.exit(
            load_entry_point('circus==0.13.0', 'console_scripts', 'circusd')()
        )

This code checks package requirements of all needed Python packages at
run-time. Tornado itself is working without backports.ssl-* package
(just enabling PYTHON SSH support is sufficient).

In Python 3.4 there are no problems, as backports.ssl-* is required
only for Python < 3.2 (tornado's setup.py).

My suggestion is to enable
BR2_PACKAGE_PYTHON_BACKPORTS_SSL_MATCH_HOSTNAME for Python2 only and
enable both it and certify when selecting tornado. What do you think
about this?

Yegor
On 04/22/16 12:48, Yegor Yefremov wrote:
> My suggestion is to enable
> BR2_PACKAGE_PYTHON_BACKPORTS_SSL_MATCH_HOSTNAME for Python2 only and
> enable both it and certify when selecting tornado. What do you think
> about this?

Sounds good to me. Do add an explanatory comment why these two additional
packages are required, because the casual reader will not understand.

Regards,
Arnout
diff --git a/package/Config.in b/package/Config.in index ecaf164..3b5e66e 100644 --- a/package/Config.in +++ b/package/Config.in @@ -630,6 +630,7 @@ menu "External python modules" source "package/python-alsaaudio/Config.in" source "package/python-autobahn/Config.in" source "package/python-backports-abc/Config.in" + source "package/python-backports-ssl-match-hostname/Config.in" source "package/python-beautifulsoup4/Config.in" source "package/python-bottle/Config.in" source "package/python-can/Config.in" diff --git a/package/python-backports-ssl-match-hostname/Config.in b/package/python-backports-ssl-match-hostname/Config.in new file mode 100644 index 0000000..36399bb --- /dev/null +++ b/package/python-backports-ssl-match-hostname/Config.in @@ -0,0 +1,6 @@ +config BR2_PACKAGE_PYTHON_BACKPORTS_SSL_MATCH_HOSTNAME + bool "python-backports-ssl-match-hostname" + help + The ssl.match_hostname() function from Python 3.5. + + http://bitbucket.org/brandon/backports.ssl_match_hostname diff --git a/package/python-backports-ssl-match-hostname/python-backports-ssl-match-hostname.hash b/package/python-backports-ssl-match-hostname/python-backports-ssl-match-hostname.hash new file mode 100644 index 0000000..8313d96 --- /dev/null +++ b/package/python-backports-ssl-match-hostname/python-backports-ssl-match-hostname.hash @@ -0,0 +1,4 @@ +# md5 from https://pypi.python.org/pypi/backports.ssl_match_hostname/json +md5 c03fc5e2c7b3da46b81acf5cbacfe1e6 backports.ssl_match_hostname-3.5.0.1.tar.gz +# sha256 calculated by scanpypi +sha256 502ad98707319f4a51fa2ca1c677bd659008d27ded9f6380c79e8932e38dcdf2 backports.ssl_match_hostname-3.5.0.1.tar.gz diff --git a/package/python-backports-ssl-match-hostname/python-backports-ssl-match-hostname.mk b/package/python-backports-ssl-match-hostname/python-backports-ssl-match-hostname.mk new file mode 100644 index 0000000..6848dd2 --- /dev/null +++ b/package/python-backports-ssl-match-hostname/python-backports-ssl-match-hostname.mk 
@@ -0,0 +1,14 @@ +################################################################################ +# +# python-backports-ssl-match-hostname +# +################################################################################ + +PYTHON_BACKPORTS_SSL_MATCH_HOSTNAME_VERSION = 3.5.0.1 +PYTHON_BACKPORTS_SSL_MATCH_HOSTNAME_SOURCE = backports.ssl_match_hostname-$(PYTHON_BACKPORTS_SSL_MATCH_HOSTNAME_VERSION).tar.gz +PYTHON_BACKPORTS_SSL_MATCH_HOSTNAME_SITE = https://pypi.python.org/packages/source/b/backports.ssl_match_hostname +PYTHON_BACKPORTS_SSL_MATCH_HOSTNAME_SETUP_TYPE = distutils +PYTHON_BACKPORTS_SSL_MATCH_HOSTNAME_LICENSE = Python Software Foundation License v2 +PYTHON_BACKPORTS_SSL_MATCH_HOSTNAME_LICENSE_FILES = backports/ssl_match_hostname/LICENSE.txt + +$(eval $(python-package))
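Review bot: the new package/python-backports-ssl-match-hostname/Config.in defines BR2_PACKAGE_PYTHON_BACKPORTS_SSL_MATCH_HOSTNAME with only a bool prompt and a help text and no "depends on" line, so the backport can be enabled in a Python 3 build where ssl.match_hostname() already comes from the standard library. Suggest adding "depends on BR2_PACKAGE_PYTHON", as raised in the thread, and saying in the help text that matching IP addresses in subjectAltName needs the ipaddress module installed next to it, since nothing in this hunk selects it.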
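Review bot: in python-backports-ssl-match-hostname.hash the only digest taken from upstream is the md5 (its comment points at the PyPI JSON), while the sha256 is marked "calculated by scanpypi", meaning it was computed from the tarball as downloaded at packaging time. The sha256 is the entry that protects later builds, so it is worth confirming that it was computed on a tarball that had first been checked against the published md5, and saying so in the comment; the md5 line on its own should not be treated as the integrity anchor for backports.ssl_match_hostname-3.5.0.1.tar.gz.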