Christian Heimes added the comment:
It looks like your code is treating an SSLSocket like an ordinary kernel socket.
SSLSockets are implemented in user space and behave differently.
https://docs.python.org/3/library/ssl.html#ssl-nonblocking explains some of the
aspects of non-blocking I/O for
Christian Heimes added the comment:
Could you please explain why you consider this a bug?
TLS 1.3 works differently than TLS 1.2. You must always assume that an
application level read can result in a protocol level write operation and the
other way around. This could happen with TLS 1.2
Change by Christian Heimes :
--
keywords: +patch
pull_requests: +23771
stage: -> patch review
pull_request: https://github.com/python/cpython/pull/25016
___
Python tracker
<https://bugs.python.org/issu
Christian Heimes added the comment:
The extra macros are provided by optional packages. On Fedora and Debian/Ubuntu
the package is called autoconf-archive.
--
nosy: +christian.heimes
Change by Christian Heimes :
--
pull_requests: +23760
pull_request: https://github.com/python/cpython/pull/25002
Christian Heimes added the comment:
The __getattr__ hack is not needed. You can reset the flags in a different,
more straightforward way:
class ReproducibleZipInfo(ZipInfo):
    __slots__ = ()
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self
Christian Heimes added the comment:
GH-24989 adds -Wl,--exclude-libs just for libssl.a and libcrypto.a IFF support
for -Wl,--exclude-libs,ALL is detected by configure. This puts the symbols from
the OpenSSL archive files into the LOCAL segment of ELF binaries. The PR does
not set -Wl
Change by Christian Heimes :
--
pull_requests: +23748
pull_request: https://github.com/python/cpython/pull/24989
Christian Heimes added the comment:
zinfo = zipfile.ZipInfo()
zinfo.date_time = (1980, 0, 0, 0, 0, 0)
zinfo.create_system = 0
external_attr == 0 may cause issues with permissions. I do something like this
in my reproducible tarfile code:
if zinfo.isdir():
    # 0755 + MS-DOS directory flag
Christian Heimes added the comment:
Hi,
thanks for looking into reproducible builds. I have a few suggestions:
- since it's a new feature, it cannot go into older releases.
- zeroed is not a self-explanatory term. I suggest to find a term that does
describe the result, not the int
Christian Heimes added the comment:
pymalloc is a compile-time option. The configure flag sets or unsets
WITH_PYMALLOC. The define is then used by
https://github.com/python/cpython/blob/master/Objects/obmalloc.c to change the
internal allocator.
The flag may also affect the ABI of Python
Christian Heimes added the comment:
The callback from context.alpn_callback would fire when OpenSSL handles the
ALPN extension. Since the callback is triggered in the ClientHello phase of the
handshake, you'll be able to replace the socket's context with another context.
The Ope
Christian Heimes added the comment:
SSLContext.set_alpn_protocols() is a high level interface on top of
SSL_CTX_set_alpn_select_cb(). Python doesn't directly expose the ALPN selector
callback. The ssl module only provides a way to set a hard-coded callback that
wraps SSL_select_next_
Christian Heimes added the comment:
I'm also -1 and would prefer something like Grégory's proposal instead.
--
nosy: +christian.heimes
Christian Heimes added the comment:
The fix will be available in next 3.9 and 3.8 release.
--
resolution: -> fixed
stage: patch review -> resolved
status: open -> closed
versions: +Python 3.10
Christian Heimes added the comment:
I don't see any way to fix the issue with our current API. OpenSSL 1.1.1
provides a new API SSL_client_hello_get0_ext() to access raw extensions during
the early stage of the ClientHello phase.
https://www.openssl.org/docs/man1.1.1
Christian Heimes added the comment:
I analysed the issue in comment https://bugs.python.org/issue43577#msg389222
--
nosy: +alex, dstufft, janssen, njs
versions: +Python 3.10
Christian Heimes added the comment:
No, there is no check for that. This kind of deadlock should never occur. The
problem was an implementation bug in low-level C code that had bad interaction
with the global interpreter lock. Python releases the GIL around OpenSSL calls.
Callbacks have to
Christian Heimes added the comment:
New changeset 77cde5042a2f1eae489c11a67540afaf43cd5cdf by Christian Heimes in
branch 'master':
bpo-43577: Fix deadlock with SSLContext._msg_callback and sni_callback
(GH-24957)
https://github.com/python/cpyt
Christian Heimes added the comment:
Thanks for the excellent bug report and reproducer! I have identified the issue
and submitted a fix for review. OpenSSL copies the internal msg_callback to SSL
struct, but SSL_set_SSL_CTX() does not update the msg_callback with value from
new context
Change by Christian Heimes :
--
keywords: +patch
pull_requests: +23715
stage: -> patch review
pull_request: https://github.com/python/cpython/pull/24957
Christian Heimes added the comment:
I'm leaving the ticket open as a reminder for me to update whatsnew.
--
components: +Documentation
Christian Heimes added the comment:
New changeset 32eba61ea431c76f15a910c0a4eded7f5f8b9b34 by Christian Heimes in
branch 'master':
bpo-43466: Add --with-openssl-rpath configure option (GH-24820)
https://github.com/python/cpython/commit/32eba61ea431c76f15a910c0a4eded
Change by Christian Heimes :
--
pull_requests: +23690
pull_request: https://github.com/python/cpython/pull/24928
Change by Christian Heimes :
--
pull_requests: +23684
pull_request: https://github.com/python/cpython/pull/24920
Christian Heimes added the comment:
memo to me: switch to new C implementation of HMAC.
--
priority: normal -> critical
versions: +Python 3.10
Christian Heimes added the comment:
Dimitri John Ledkov from Canonical has opened a feature request for a context
validation feature on the OpenSSL issue tracker,
https://github.com/openssl/openssl/issues/14607
--
Change by Christian Heimes :
--
pull_requests: +23678
stage: commit review -> patch review
pull_request: https://github.com/python/cpython/pull/24915
Christian Heimes added the comment:
I have discussed the problem with downstream engineers on the two issues
- https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878
- https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625
The gist of the issue is: Canonical has taken a
Christian Heimes added the comment:
CI is passing again.
--
resolution: -> fixed
stage: patch review -> resolved
status: open -> closed
Christian Heimes added the comment:
Thanks for the PR!
--
resolution: -> fixed
stage: patch review -> resolved
status: open -> closed
Christian Heimes added the comment:
It's not a public API but it's a stable API. It hasn't changed since Python 2.6
and commit 366d6262f81 from 2007. It's unlikely to change in the near future.
--
Christian Heimes added the comment:
The Python standard library has no builtin support for socks proxy. I suggest
that you report issues with the socks library to the author of the package.
By the way, smtplib makes it really easy to override the socket object with
a custom implementation
Christian Heimes added the comment:
This sounds like a bug in CMake or Make. Are you using any CMake plugins or
autoconf/automake macros? It's very well possible that the author of these
extensions made a wrong assumption or the extension was written before venvs
were intro
Change by Christian Heimes :
--
keywords: +patch
pull_requests: +23663
stage: -> patch review
pull_request: https://github.com/python/cpython/pull/24899
Christian Heimes added the comment:
PS: I don't see any remark or warning about the behavior on the man pages
https://www.openssl.org/docs/man1.1.1/man3/X509_VERIFY_PARAM_set_flags.html and
https://www.openssl.org/docs/man1.1.1/man3/X509_check_host
Christian Heimes added the comment:
Oh heck, this is a genuine bug. I'm not yet sure if it's an undocumented API
quirk in OpenSSL, a design bug in OpenSSL, or a bug in my code.
Python sets the host flags on the X509_VERIFY_PARAM of the *SSL_CTX. All flags
get copied to *SSL struct
Christian Heimes added the comment:
Could you please post the error message and either post a minimal example or
give us a link to your code?
--
nosy: +christian.heimes
Christian Heimes added the comment:
It's a compromise.
The default setting for --with-openssl-rpath=no (--without-openssl-rpath) is
backwards compatible with previous Python versions. The default behavior stays
the same.
I don't want to set an rpath *unless* the user specifies
Christian Heimes added the comment:
Pablo,
in cc12888f9b4b69247f342fe1304984c3eb3d9647 you have regenerated configure with
autoconf 2.71. The version is brand new and was released just 6 weeks ago. All
my Linux machines have autoconf 2.69 from 2012 (!). Apparently 2.70 had some
issues
Christian Heimes added the comment:
I agree with Vinay. venvs don't contain copies of libpython or header files by
design. setuptools will pick them up from the main installation.
If you have any issues with compiling C extensions, please report them with
setuptools at https://githu
Christian Heimes added the comment:
It's a Python 2-only problem. Python 2 no longer receives security fixes.
Please update to a supported version of Python or report the issue with your
vendor.
--
nosy: +christian.heimes
resolution: -> wont fix
stage: -> resolved
s
Christian Heimes added the comment:
Python's dynamic nature makes it hard to implement and reason about audit hooks
written in Python. sys.addaudithook() is really only designed for testing,
debugging, and playing around with auditing. You absolutely have to write a
custom interpreter i
New submission from Christian Heimes :
The subinterpreters module does not emit any audit events yet. It's possible to
create a subinterpreter and run arbitrary code through run_string().
We should also improve documentation of sys.addaudithook() and explain what
'current i
Christian Heimes added the comment:
It's very much the same for OpenSSL 3.0.0: libssl.so and libcrypto.so.
$ ldd build/lib.linux-x86_64-3.10/_ssl.cpython-310-x86_64-linux-gnu.so
linux-vdso.so.1 (0x7a3cc000)
libssl.so.3 =>
/home/heimes/dev/python/multissl
Christian Heimes added the comment:
> Not sure I follow. What's the problem here? The advantage of static linking
> here will be to not have a dependency on the shared object, which can be
> quite beneficial.
The problem is that some features are not baked into the .a f
Christian Heimes added the comment:
I would rather not support static linking.
OpenSSL uses dynamic linking by default. Static linking is problematic for
dynamic engine support. This is going to become an even bigger issue with OSSL
providers in OpenSSL 3.0.0. I don't know yet how
Christian Heimes added the comment:
$ tar -xzf openssl-1.1.1j.tar.gz
$ pushd openssl-1.1.1j
$ ./config \
--prefix=/home/heimes/dev/python/custom-openssl \
--openssldir=\
$(find /etc/ -name openssl.cnf -quit -printf "%h" 2>/dev/null)
$ make
$ make install_sw
$
Change by Christian Heimes :
--
keywords: +patch
pull_requests: +23586
pull_request: https://github.com/python/cpython/pull/24820
New submission from Christian Heimes :
Python's configure script has the option --with-openssl. It sets a path to a
custom OpenSSL installation. Internally it provides OPENSSL_INCLUDES,
OPENSSL_LIBS, and OPENSSL_LDFLAGS. The setup.py script turns the variables into
include_dirs, library
Christian Heimes added the comment:
Don't feel bad about it. Nintendo made a very similar mistake. The trucha bug
made it trivial to bypass DRM of Wii games.
--
Christian Heimes added the comment:
Thanks, Pablo and Victor!
--
resolution: -> fixed
stage: patch review -> resolved
status: open -> closed
Christian Heimes added the comment:
Could you please give us an example for an incorrect output and corresponding
correct output as bytes representation?
--
Christian Heimes added the comment:
Florian's answer is correct. Thanks!
--
nosy: +christian.heimes
resolution: -> not a bug
stage: -> resolved
status: open -> closed
type: -> behavior
Christian Heimes added the comment:
A sleep(1) call affects exactly one aspect of the program: the state of the
PRNG rand(). You re-initialize the process global RNG in every function call
with srand((unsigned) time(&t)). time() has a granularity of one se
Christian Heimes added the comment:
sendfile() only works for plain HTTP. For technical reasons it does not work
for HTTPS (*). These days the majority of services use HTTPS. Therefore the
usefulness of the sendfile() patch is minimal.
(*) It is possible to use sendfile() for TLS connections, but
Christian Heimes added the comment:
Py_BuildValue("y#", output, count) is equivalent to
PyBytes_FromStringAndSize(output, count). The function returns a copy of the
input string as a new bytes object. It's very unlikely that the code is broken.
It's been around for
Christian Heimes added the comment:
> Note: if someone wants to address the ability to remove an audit hook, the
> internal list can be modified to not be a Python object.
I wouldn't bother. There are other ways to modify data structures, e.g. poke
into pro
Christian Heimes added the comment:
I agree with both of you.
The documentation should explicitly state that the audit hooks are for auditing.
They are not designed to sandbox Python. When used correctly, they can help to
capture and analyze an event post-mortem.
The documentation of
Christian Heimes added the comment:
Does mcrypt_generic() output base64 or ASCII-only data? Since you are
converting the output to bytes, I assume the output may contain any byte. In
that case strcpy() is not safe. You have to use memcpy().
Fun fact: Nintendo had a similar bug many years
Christian Heimes added the comment:
What do you mean by "incomplete"? Does it return less data or invalid data?
Could you please paste your implementation of encryptBlowfishCfb(), too?
--
nosy: +christian.heimes
Christian Heimes added the comment:
This behavior is documented,
https://docs.python.org/3/library/stdtypes.html#str.title
> The algorithm uses a simple language-independent definition of a word as
> groups of consecutive letters. The definition works in many contexts but it
> m
Christian Heimes added the comment:
Yeah, that's the annoying part. Users have to rebase all their PRs in order to
make CI pass. It's going to be painful. :(
--
Christian Heimes added the comment:
Downstream has asked me to file a separate bug for internal error during
handshake. The problem is tracked at
https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625 .
--
Christian Heimes added the comment:
I have backported the workaround to 3.7, 3.8, and 3.9. There was some issue
with the backport bot and I didn't have time to investigate. PRs are:
https://github.com/python/cpython/pull/24716
https://github.com/python/cpython/pull/24717
https://githu
Christian Heimes added the comment:
> It would be advisable for Python3 to start enforcing security level 2, and
> prohibit DTLS v1.1 and lower by default too. By configuring openssl library
> on the host with setting security level, and/or setting min versions (if
> openssl
Christian Heimes added the comment:
Dimitri, thanks for your feedback.
I'm very well aware of the crypto policy settings and security level settings.
The problem is not the fact that Ubuntu sets a higher security level and
disables insecure TLS versions. The problem is the way how U
Christian Heimes added the comment:
Thanks for the quick workaround!
The problem could be caused by a downstream patch in Ubuntu's OpenSSL version.
Vanilla OpenSSL doesn't fail like that.
--
Christian Heimes added the comment:
Back in the day I was one of several core devs that took care of syncing code
between Python 2 and 3 branches with a tool called "svnmerge". Commit
380532117c2547bb0dedf6f85efa66d18a9abb88 is a svnmerge commit. The tool synced
changesets in batc
Christian Heimes added the comment:
Do you need all three items or would "get_preferred_scheme(name: str) -> str"
be sufficient?
--
Christian Heimes added the comment:
Alexander, this bug report is closed. Could you please open a new request and
explain your proposal?
--
nosy: +christian.heimes
Christian Heimes added the comment:
My offer still stands: If you can fulfill the requirements of PEP 11 for s390,
then I'm fine with keeping the code for s390 around. Victor has a different
opinion, so you have to contact the Steering Council and get their approval,
too.
Our ticket s
Christian Heimes added the comment:
For the last time: This ticket is solely about s390 platform. Please stop
derailing this ticket with comments about unrelated platforms like m68k.
I'm considering your diversion as "sustained disruption of online community
discussio
Christian Heimes added the comment:
Please hold off. Once PEP 644 gets accepted, I'm going to remove our copy of
Keccak and _sha3 module entirely.
--
Change by Christian Heimes :
--
components: +Interpreter Core -SSL
nosy: -christian.heimes
title: SSl Securité version 3.9.2 -> opcode cache for LOAD_GLOBAL emits false
alarm in memory leak hunting
type: security -> behavior
Christian Heimes added the comment:
Could you please repost your question in English? I don't speak French and
Google translate output is incomprehensible.
--
Christian Heimes added the comment:
David, could you please provide the output of "gcc -dM -E - < /dev/null" on
s390x in 31 bit mode? I'm curious and would like to see the platform constants.
--
Christian Heimes added the comment:
David, this bug is about s390, not s390x. The s390x platform is supported and
tested.
--
Christian Heimes added the comment:
> That's not really the question. The question is whether an upstream project
> should prevent downstreams from using unsupported target configurations and I
> think the answer to that question is no.
We are not (actively) prevent unsuppor
Christian Heimes added the comment:
> You don't need to support a platform. Just call it unsupported and ignore
> issues if people report them unless they provide a patch themselves.
This thread is an excellent example why ignoring platforms comes at a cost. It
will only get wor
Christian Heimes added the comment:
The guidelines for platform support are explained in PEP 11
(https://www.python.org/dev/peps/pep-0011/#supporting-platforms). We don't
support platforms unless we have maintainers and CI (buildbots) in place for
the pla
Christian Heimes added the comment:
> Does AIX support the s390 architecture?
The platform triplet is s390-linux-gnu, not AIX.
> Because one user was surprised by a few lines in configure.ac, the conclusion
> is to remove support for that architecture?
You are misinterpreting my
Christian Heimes added the comment:
> That's an argument I have personally never heard before and I have been
> dealing with a lot of architecture support in many packages.
I opened this ticket after a user told me that they grepped the source code of
Python, found the string
Christian Heimes added the comment:
It's about setting expectations. For some users, the presence of a platform
triplet implies support for a platform.
--
Christian Heimes added the comment:
I stand corrected. The last element in the platform triplet does seem to
indicate libc.
Is there any formal definition of the platform triplet or is it defined by
GCC's reference implementation? A quick search didn't reveal any decisive
res
New submission from Christian Heimes :
configure.ac contains triplet definitions for s390 and s390x mainframes. While
s390x (Linux on IBM Z) is still widely supported, s390 is not. s390 was
released in 1990 and discontinued in 1998,
https://en.wikipedia.org/wiki/IBM_System/390
Ariadne
Christian Heimes added the comment:
You are using a list comprehension that consumes a LOT of memory very fast. The
line requires more physical RAM than available on a typical user system. This
causes your computer to become unresponsive to input.
You can rewrite the list comprehension as
Christian Heimes added the comment:
TLS 1.2 has one-way close notify. For example typical HTTP clients like curl
send a close_notify and then shut down the TCP connection. HTTP servers may not
reply with close_notify or may not wait for the client to confirm the
server-side close notify
Christian Heimes added the comment:
3.7 is in security fix-only mode.
APPLICATION_DATA_AFTER_CLOSE_NOTIFY is a protocol violation in any TLS version.
It's not related to TLS 1.3. The error occurs when one side wants to close the
connection, but the other side keeps sending user data.
Change by Christian Heimes :
--
components: -Distutils
resolution: out of date ->
stage: resolved ->
status: closed -> open
versions: +Python 3.10, Python 3.8, Python 3.9 -Python 2.7
Christian Heimes added the comment:
Python 3.6 is in security fix-only mode. We no longer provide binaries for it.
We also dropped MSI installers a while ago. I'll let Steve explain the details.
--
assignee: -> steve.dower
nosy: +christian.heimes, steve.do
Christian Heimes added the comment:
Do you have glibc and musl installed side by side?
--
___
Python tracker
<https://bugs.python.org/issue43112>
Christian Heimes added the comment:
SOABI basically contains the CPU architecture and kernel ABI. The libc ABI is
yet another dimension that is not encoded in the shared library ABI.
The libc ABI is more complex than just glibc or musl. You need to include the
ABI version of all core
Christian Heimes added the comment:
The suffix "-gnu" does not stand for "glibc".
The triplet defines the calling convention. For example x86_64-linux-gnu means
x86_64 / AMD64 CPU architecture, Linux, with standard GNU / GCC calling
convention. Other calling conventio
Christian Heimes added the comment:
It's not a Python problem. The Python configuration API only configures
Python's input/output API to UTF-8 mode. It does not affect the C++
input/output cout API.
--
resolution: -> not a bug
stage: -> resolved
status
Christian Heimes added the comment:
"utf8_mode = -1" falls back to command line, env vars, locales, and eventually
disables UTF-8 mode. Try "cfg.utf8_mode = 1" as documented at
https://docs.python.org/3/c-api/init_config.html?highlight=pypreconfig_initpythonconfig#c.Py_P
Christian Heimes added the comment:
What's the result of the Py_PreInitialize(&cfg) call?
--
nosy: +christian.heimes
Christian Heimes added the comment:
This issue came up in another discussion. I have given it some thought.
mmap.mmap() dups the FD because its close() and __exit__() methods close(2) the
fd. The size() and resize() methods use the fd to determine the size of the
underlying file or to
Christian Heimes added the comment:
PBKDF2-HMAC is a serialized algorithm. It cannot be parallelized. That means the
runtime depends on single-core performance. The single-core performance of
desktop and server CPUs hasn't improved much in the last decade. Modern CPUs
have more cores, l