Re: Attempted to switch my server to HTTPS, and rbt setup-repo reports SSLV3_ALERT_HANDSHAKE_FAILURE

[Christian Hammond]

Hi Eric,

rbt does have a debug option: --debug. It just won't help for the SSL info,
as Python (which is responsible for the SSL usage) doesn't log anything
about it.

As for installation, let me provide an overview of how these various
methods install packages.

The RBTools.pkg we provide is solely intended for the standard case of
wanting to use a system Python. It's not designed for using an alternate
install, nor is it able to without hand modifications. We install the
packages in a standard Python environment for MacOS X, so the files are all
generated with those paths in mind. Since you're doing something more
specialized, this isn't the option for you.

When installing with pip/easy_install, the package management backend looks
at the list of scripts we want installed, and generates them. In our case,
this is "rbt". That generated script is tied to a build of Python and a
build of RBTools, and it's up to the package installation code to decide on
the contents.

The build of Python it chooses is the one it's running under.
pip/easy_install are actually generated scripts installed the same way. So,
if it's setting the wrong Python in our rbt script, it's because it's
running under the system Python and not the one you've installed yourself.
What you'd want to do is reinstall pip/setuptools under the appropriate
version. Both have docs somewhere on how to bootstrap under your desired
Python.

All this behavior is standard in the Python world.

I think the problem is environmental. Even though the MacPorts Python is
installed, you're not using it for package installation, and therefore not
using it for any scripts installed by the package managers. Using a modern
pip/easy_install built for your Python would solve this.

Also worth noting that it's not enough to change the paths in the scripts.
It may seem to cause the problem, but you'd be introducing some other more
subtle version conflict or metadata lookup issues.

Christian


On Saturday, September 10, 2016, 'Eric Johnson' via reviewboard <
reviewboard@googlegroups.com> wrote:

> Thanks so much for the reply
>
> On Sat, Sep 10, 2016 at 2:14 AM, Christian Hammond <
> christ...@beanbaginc.com
> > wrote:
>
>> Hi Eric,
>>
>> RBTools itself isn't handling SSL/TLS, and has no awareness of the
>> various protocols/ciphers. We use Python's urllib2 to establish the
>> connections, and that's going through the ssl module. I don't have a good
>> answer on next steps here, but it's not an issue that'll be specific to
>> RBTools or will involve our codebase, most likely.
>>
>
> At least as far as "rbt" is concerned, a "verbose" option, or a
> "debug" option might be useful. For example, when rbt is using ssl, what
> version of OPENSSL is getting invoked?
>
> In any case, I did get a bunch further with this. I failed to note a
> critical piece of information in my original post - I'm running on a Mac
> (10.11.X).
>
> There seem to be three scenarios:
>
>- Install ReviewBoard from the RBTools.pkg
>- Install ReviewBoard using easy_install or pip.
>- Install ReviewBoard from a package manager (MacPorts)
>
> The three different scenarios play out as follows:
>
> Install from RBTools.pkg - this installs an "rbt" shell item in
> /usr/local/bin, puts RBTools in the site-packages folder for the
> OS-installed versions of Python (2.6 & 2.7) and puts a shebang (#!) line at
> the beginning that binds to one of the OS installed versions (2.6, for me).
> These installs do not pick up alternate versions of installed software,
> such as MacPorts or HomeBrew.
>
> Install from easy_install - installs rbt to the OS's version of Python.
> Again, ignores MacPorts & HomeBrew. When I installed via pip, this didn't
> create a shell "rbt" install in my MacPorts "bin" folder (/opt/local/bin).
>
> Currently MacPorts is behind by a few versions (0.4.3).
>
> Unfortunately, when the install binds to one of the OS versions of Python,
> it ends up using the OS provided version of OpenSSL. According to one of my
> co-workers, Apple is no longer supporting openssl, so it won't be
> progressing past 0.9.8. That version of openssl is stuck at TLS 1 support.
>
> Conclusions:
>
>- This seems to be an Apple bug - anything that installs and uses the
>OS available versions of Python will be hamstrung to using an older and
>less secure version of the "ssl" package, due to its implementation calling
>out to older branches of openssl.
>- This could possibly be an RBTools install issue - would be nice if
>the installer could detect alternate Pythons on the machine (HomeBrew /
>MacPorts), and install with those versions of Python rather than the system
>packages
>- Possibly a problem with the pip install? When I did the pip install,
>that did not generate an "rbt" shell script in the right place. Obviously,
>I can make my own script to call it, but still annoying.
>- This could 

Re: RBTools Ticket #4024: local variable 'is_rr_approved' referenced before assignment

[Barret Rennie]

--
To reply, visit https://hellosplat.com/s/beanbag/tickets/4024/
--

New update by pprkut
For Beanbag, Inc. > RBTools > Ticket #4024


Assigned to:
+ rswanson

-- 
You received this message because you are subscribed to the Google Groups 
"reviewboard-issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to reviewboard-issues+unsubscr...@googlegroups.com.
To post to this group, send email to reviewboard-issues@googlegroups.com.
Visit this group at https://groups.google.com/group/reviewboard-issues.
For more options, visit https://groups.google.com/d/optout.

Re: RBTools Ticket #4024: local variable 'is_rr_approved' referenced before assignment

[Ryan Swanson]

--
To reply, visit https://hellosplat.com/s/beanbag/tickets/4024/
--

New update by pprkut
For Beanbag, Inc. > RBTools > Ticket #4024


Reply:

I'd like to take this on.

-- 
You received this message because you are subscribed to the Google Groups 
"reviewboard-issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to reviewboard-issues+unsubscr...@googlegroups.com.
To post to this group, send email to reviewboard-issues@googlegroups.com.
Visit this group at https://groups.google.com/group/reviewboard-issues.
For more options, visit https://groups.google.com/d/optout.

Re: Attempted to switch my server to HTTPS, and rbt setup-repo reports SSLV3_ALERT_HANDSHAKE_FAILURE

['Eric Johnson' via reviewboard]

Thanks so much for the reply

On Sat, Sep 10, 2016 at 2:14 AM, Christian Hammond  wrote:

> Hi Eric,
>
> RBTools itself isn't handling SSL/TLS, and has no awareness of the various
> protocols/ciphers. We use Python's urllib2 to establish the connections,
> and that's going through the ssl module. I don't have a good answer on next
> steps here, but it's not an issue that'll be specific to RBTools or will
> involve our codebase, most likely.
>

At least as far as "rbt" is concerned, a "verbose" option, or a
"debug" option might be useful. For example, when rbt is using ssl, what
version of OPENSSL is getting invoked?

In any case, I did get a bunch further with this. I failed to note a
critical piece of information in my original post - I'm running on a Mac
(10.11.X).

There seem to be three scenarios:

   - Install ReviewBoard from the RBTools.pkg
   - Install ReviewBoard using easy_install or pip.
   - Install ReviewBoard from a package manager (MacPorts)

The three different scenarios play out as follows:

Install from RBTools.pkg - this installs an "rbt" shell item in
/usr/local/bin, puts RBTools in the site-packages folder for the
OS-installed versions of Python (2.6 & 2.7) and puts a shebang (#!) line at
the beginning that binds to one of the OS installed versions (2.6, for me).
These installs do not pick up alternate versions of installed software,
such as MacPorts or HomeBrew.

Install from easy_install - installs rbt to the OS's version of Python.
Again, ignores MacPorts & HomeBrew. When I installed via pip, this didn't
create a shell "rbt" install in my MacPorts "bin" folder (/opt/local/bin).

Currently MacPorts is behind by a few versions (0.4.3).

Unfortunately, when the install binds to one of the OS versions of Python,
it ends up using the OS provided version of OpenSSL. According to one of my
co-workers, Apple is no longer supporting openssl, so it won't be
progressing past 0.9.8. That version of openssl is stuck at TLS 1 support.

Conclusions:

   - This seems to be an Apple bug - anything that installs and uses the OS
   available versions of Python will be hamstrung to using an older and less
   secure version of the "ssl" package, due to its implementation calling out
   to older branches of openssl.
   - This could possibly be an RBTools install issue - would be nice if the
   installer could detect alternate Pythons on the machine (HomeBrew /
   MacPorts), and install with those versions of Python rather than the system
   packages
   - Possibly a problem with the pip install? When I did the pip install,
   that did not generate an "rbt" shell script in the right place. Obviously,
   I can make my own script to call it, but still annoying.
   - This could possibly be an issue with MacPorts - perhaps I can submit a
   package to update RBTools MacPorts implementation.

Annoying and complicated issue. Thanks for your response.

Eric.


>
> Christian
>
>
> On Friday, September 9, 2016, eric via reviewboard <
> reviewboard@googlegroups.com> wrote:
>
>> Some follow-on information.
>>
>> I grabbed my Apache configuration for the server from
>> https://mozilla.github.io/server-side-tls/ssl-config-generator/
>> Initially, I tried the "Modern" configuration.
>>
>> When I switch to the "Intermediate" configuration, it starts working.
>>
>> I updated my logging on the server to track which protocol & cipher are
>> being used, and I see this when I connect from the browser:
>>
>> TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
>>
>> (That's good)
>>
>>
>> ... but I see this if I run "rbt setup-repo" or "rbt post"
>>
>> TLSv1 DHE-RSA-AES128-SHA
>>
>>
>> Why is it that rbt uses the older protocol & cipher? I've been advised to
>> go run wireshark, and maybe that will provide more insight.
>>
>>
>> Eric.
>>
>>
>>
>> On Friday, September 9, 2016 at 10:02:28 AM UTC-7, er...@tibco.com wrote:
>>>
>>> The specific, full message is this:
>>>
>>> ERROR: Could not reach the Review Board server at : SSL:
>>> SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:590)
>>>
>>>
>>> This is not a self-signed certificate. My web browsers all work fine
>>> when I connect to the site. When I do this:
>>>
>>>
>>> > python
>>>
>>> > import ssl
>>>
>>> > ssl.OPENSSL_VERSION
>>>
>>> >>> 'OpenSSL 1.0.2h  3 May 2016'
>>>
>>>
>>> I'm sort of at a loss for how to troubleshoot this. I turn on all the
>>> debugging and logging I can on the server, and I'm not seeing any
>>> additional information.
>>>
>>>
>>> It doesn't look like rbt setup-repo takes any "verbose" options that
>>> will clarify the problem.
>>>
>>>
>>> Suggestions?
>>>
>>>
>>> Thanks!
>>>
>>>
>>> Eric.
>>>
>> --
>> Supercharge your Review Board with Power Pack:
>> https://www.reviewboard.org/powerpack/
>> Want us to host Review Board for you? Check out RBCommons:
>> https://rbcommons.com/
>> Happy user? Let us know! https://www.reviewboard.org/users/
>> ---
>> You received this message because you are subscribed 

Re: Attempted to switch my server to HTTPS, and rbt setup-repo reports SSLV3_ALERT_HANDSHAKE_FAILURE

[Christian Hammond]

Hi Eric,

RBTools itself isn't handling SSL/TLS, and has no awareness of the various
protocols/ciphers. We use Python's urllib2 to establish the connections,
and that's going through the ssl module. I don't have a good answer on next
steps here, but it's not an issue that'll be specific to RBTools or will
involve our codebase, most likely.

Christian


On Friday, September 9, 2016, eric via reviewboard <
reviewboard@googlegroups.com> wrote:

> Some follow-on information.
>
> I grabbed my Apache configuration for the server from
> https://mozilla.github.io/server-side-tls/ssl-config-generator/
> Initially, I tried the "Modern" configuration.
>
> When I switch to the "Intermediate" configuration, it starts working.
>
> I updated my logging on the server to track which protocol & cipher are
> being used, and I see this when I connect from the browser:
>
> TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
>
> (That's good)
>
>
> ... but I see this if I run "rbt setup-repo" or "rbt post"
>
> TLSv1 DHE-RSA-AES128-SHA
>
>
> Why is it that rbt uses the older protocol & cipher? I've been advised to
> go run wireshark, and maybe that will provide more insight.
>
>
> Eric.
>
>
>
> On Friday, September 9, 2016 at 10:02:28 AM UTC-7, er...@tibco.com
>  wrote:
>>
>> The specific, full message is this:
>>
>> ERROR: Could not reach the Review Board server at : SSL:
>> SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:590)
>>
>>
>> This is not a self-signed certificate. My web browsers all work fine when
>> I connect to the site. When I do this:
>>
>>
>> > python
>>
>> > import ssl
>>
>> > ssl.OPENSSL_VERSION
>>
>> >>> 'OpenSSL 1.0.2h  3 May 2016'
>>
>>
>> I'm sort of at a loss for how to troubleshoot this. I turn on all the
>> debugging and logging I can on the server, and I'm not seeing any
>> additional information.
>>
>>
>> It doesn't look like rbt setup-repo takes any "verbose" options that will
>> clarify the problem.
>>
>>
>> Suggestions?
>>
>>
>> Thanks!
>>
>>
>> Eric.
>>
> --
> Supercharge your Review Board with Power Pack:
> https://www.reviewboard.org/powerpack/
> Want us to host Review Board for you? Check out RBCommons:
> https://rbcommons.com/
> Happy user? Let us know! https://www.reviewboard.org/users/
> ---
> You received this message because you are subscribed to the Google Groups
> "reviewboard" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to reviewboard+unsubscr...@googlegroups.com
> 
> .
> For more options, visit https://groups.google.com/d/optout.
>


-- 
-- 
Christian Hammond
President/CEO of Beanbag 
Makers of Review Board 

-- 
Supercharge your Review Board with Power Pack: 
https://www.reviewboard.org/powerpack/
Want us to host Review Board for you? Check out RBCommons: 
https://rbcommons.com/
Happy user? Let us know! https://www.reviewboard.org/users/
--- 
You received this message because you are subscribed to the Google Groups 
"reviewboard" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to reviewboard+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.