> From: [email protected] > To: [email protected] > Sent: Monday, 15 May, 2017 11:03:47 AM > Subject: [ovs-dev] [PATCH] python ovs: Fix SSL exceptions with pyOpenSSL > v0.13 > > From: Numan Siddique <[email protected]> > > Centos provides pyOpenSSL version pyOpenSSL-0.13.1-3.el7.x86_64. > There are 2 issues using this version, which this patch fixes > > - The test case "simple idl verify notify - SSL" is skipped. > This is because "python -m OpenSSL.SSL" is used to detect the > presence of pyOpenSSL package. pyOpenSSL v0.13 has C python > modules because of which the above command returns 1. > So this patch fixes this using 'python -c "import OpenSSL.SSL"'. > > - The SSL.Context class do not the function "set_session_cache_mode" > defined. So this patch uses hasattr() to detect this function > before accessing it. > > I have not tested with older versions (< 0.13) of pyOpenSSL. > > Signed-off-by: Numan Siddique <[email protected]> > --- > python/ovs/stream.py | 7 ++++++- > tests/ovsdb-idl.at | 2 +- > 2 files changed, 7 insertions(+), 2 deletions(-) > > diff --git a/python/ovs/stream.py b/python/ovs/stream.py > index fc0368c..c037df5 100644 > --- a/python/ovs/stream.py > +++ b/python/ovs/stream.py > @@ -767,7 +767,12 @@ class SSLStream(Stream): > ctx = SSL.Context(SSL.SSLv23_METHOD) > ctx.set_verify(SSL.VERIFY_PEER, SSLStream.verify_cb) > ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3) > - ctx.set_session_cache_mode(SSL.SESS_CACHE_OFF) > + > + # 'set_session_cache_mode' attribute in SSL.Context is not present > + # in pyOpenSSL version < 0.14. So check it before accessing it. > + if hasattr(ctx, 'set_session_cache_mode'): > + ctx.set_session_cache_mode(SSL.SESS_CACHE_OFF) > +
Hi Numan, The default session cache mode is SSL_SESS_CACHE_SERVER, which only has an effect for server-side sessions (the openssl library considers the passive connection side to be the server side). But python/ovs/stream.py only supports client-side (active) SSL connections (ssl:, not pssl:), so wouldn't it make more sense to simply delete this call? Regards, Lance > # If the client has not set the SSL configuration files > # exception would be raised. > ctx.use_privatekey_file(Stream._SSL_private_key_file) > diff --git a/tests/ovsdb-idl.at b/tests/ovsdb-idl.at > index d28dfc1..4eaf87f 100644 > --- a/tests/ovsdb-idl.at > +++ b/tests/ovsdb-idl.at > @@ -1185,7 +1185,7 @@ m4_define([OVSDB_CHECK_IDL_NOTIFY_SSL_PY], > [AT_SETUP([$1 - SSL]) > AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) > AT_SKIP_IF([test $HAVE_PYTHON = no]) > - $PYTHON -m OpenSSL.SSL > + $PYTHON -c "import OpenSSL.SSL" > SSL_PRESENT=$? > AT_SKIP_IF([test $SSL_PRESENT != 0]) > AT_KEYWORDS([ovsdb server idl Python notify - ssl socket]) > -- > 2.9.3 > > _______________________________________________ > dev mailing list > [email protected] > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
