On Sep 26, 2011, at 9:07 AM, Michele Comitini wrote:

> Ross, Jonathan,
>
> I was the guilty one to put the log line, since I had to debug the new
> ssl code which can optionally check for a client submitted x509 cert.
> I left it there because IMHO the try/except/pass pattern can be
> dangerous and hide serious low level errors.
> The specific matter seems to point to an error happening only on
> certain Python and/or OpenSSL version combinations. *It seems
> harmless*.
> What I can suggest is trying to upgrade to latest OpenSSL major
> version and Python minor and see if the problem persists. It does not
> depend on Web2Py for as much as I can see.
>
> In any case even if it is clear that the error was there before but
> hidden, it must be addressed because it is related to security and
> integrity of the transmitted data.

I expect you're right here; at the very least the code should have been more specific about the errors it was ignoring. And the "detected by Worker" comment is at least suspect.

> mic
>
>
> 2011/9/26 Jonathan Lundell <jlund...@pobox.com>:
>> On Sep 26, 2011, at 8:27 AM, Ross Peoples wrote:
>>
>>> It was the admin application, which should be using HTTPS when you access
>>> it over HTTPS right? I just tried with a test app and the same thing
>>> happens.
>>>
>>> I commented out line 518 in rocket.py and that silences the errors, but is
>>> that a good thing?
>>
>> I don't know. I looked at the recent changes in rocket.py, and the addition
>> of that log line is the only change that I can see that looks relevant if
>> you're not using a client certificate. Notice the (existing) comment:
>>
>>     except SSLError:
>>         # Generally this happens when an HTTP request is received on a
>>         # secure socket. We don't do anything because it will be detected
>>         # by Worker and dealt with appropriately.
>>         self.err_log.error('SSL Error: %s' % traceback.format_exc())   <<<<<-- this was added
>>         pass
>>
>> It may well be that the lack of a log here was hiding *other* errors that we
>> ought to know about.
>>
>> There is actually one other block of new code:
>>
>>     if conn.ssl:
>>         try:
>>             peercert = conn.socket.getpeercert(binary_form=True)
>>             environ['SSL_CLIENT_RAW_CERT'] = \
>>                 peercert and ssl.DER_cert_to_PEM_cert(peercert)
>>         except Exception,e:
>>             print e
>>
>> The cert is being captured for use by the X509 code. Looks harmless, and
>> you're not getting that exception.
>>
>>
>>> There might be another problem here. I just checked the traffic going to my
>>> test app and all requested files (including the static ones) are requested
>>> over HTTPS, however, Google Chrome has disabled my JavaScript because "This
>>> page has insecure content". All the static files are loaded locally (I'm
>>> not using a CDN or anything). So are the files getting returned to the
>>> browser over HTTP instead of HTTPS or something and that's why the rocket
>>> error was happening?
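The contrast the thread draws, between a bare `except ... pass` / `except Exception: print` that hides every failure and a narrow handler that logs only the errors the call can legitimately raise, as an added example written in Python 3 for this page. It is not code from the original thread or from rocket.py: the `FakeSocket`/`FakeConn` classes and the `FAKE_DER` byte string are constructed stand-ins (the bytes are a made-up ASN.1 blob, not a real certificate; `ssl.DER_cert_to_PEM_cert` does no parsing and only base64-wraps its input), and the `capture_peer_cert_*` function names are this example's own.

```python
import logging
import ssl
import traceback

log = logging.getLogger("rocket.ssl")


def capture_peer_cert_loose(conn, environ):
    """The pattern discussed in the thread, kept here for contrast: a bare
    except that prints and carries on hides every failure, SSL-related
    or not, so a genuine bug in this block never reaches an error log."""
    if conn.ssl:
        try:
            peercert = conn.socket.getpeercert(binary_form=True)
            environ['SSL_CLIENT_RAW_CERT'] = \
                peercert and ssl.DER_cert_to_PEM_cert(peercert)
        except Exception as e:
            print(e)
    return environ.get('SSL_CLIENT_RAW_CERT')


def capture_peer_cert_strict(conn, environ):
    """Narrower variant: only the errors getpeercert() can legitimately
    raise are caught, each is logged with a traceback, and anything else
    propagates so it gets noticed instead of being swallowed."""
    if not conn.ssl:
        return None
    try:
        peercert = conn.socket.getpeercert(binary_form=True)
    except ssl.SSLError:
        # TLS-level failure (e.g. handshake/protocol error). SSLError is a
        # subclass of OSError, so it must be listed before OSError.
        log.error('SSL Error fetching peer cert: %s', traceback.format_exc())
        return None
    except OSError:
        # Plain socket failure (peer gone, connection reset); also logged.
        log.error('Socket error fetching peer cert: %s', traceback.format_exc())
        return None
    pem = ssl.DER_cert_to_PEM_cert(peercert) if peercert else None
    environ['SSL_CLIENT_RAW_CERT'] = pem
    return pem


# Constructed stand-ins so the functions run without a live TLS connection.
# FAKE_DER is a tiny made-up ASN.1 blob, not a real certificate.
FAKE_DER = b"\x30\x03\x02\x01\x01"


class FakeSocket:
    """Mimics the one socket method the code under test calls."""

    def __init__(self, result=None, error=None):
        self._result = result
        self._error = error

    def getpeercert(self, binary_form=False):
        if self._error is not None:
            raise self._error
        return self._result


class FakeConn:
    """Mimics the two attributes of a rocket connection that are used."""

    def __init__(self, ssl_on, socket):
        self.ssl = ssl_on
        self.socket = socket


def demo():
    """Exercise the cases that matter: a cert present, an SSL error, and an
    unrelated bug. Returns (pem, ssl_result, bug_surfaced, loose_hidden)."""
    pem = capture_peer_cert_strict(FakeConn(True, FakeSocket(FAKE_DER)), {})
    ssl_result = capture_peer_cert_strict(
        FakeConn(True, FakeSocket(error=ssl.SSLError(1, "handshake failure"))), {})
    try:
        capture_peer_cert_strict(
            FakeConn(True, FakeSocket(error=KeyError("unrelated bug"))), {})
        bug_surfaced = False
    except KeyError:
        bug_surfaced = True  # the strict handler lets the real bug through
    # The loose variant prints the same KeyError and reports "no cert".
    loose_hidden = capture_peer_cert_loose(
        FakeConn(True, FakeSocket(error=KeyError("unrelated bug"))), {}) is None
    return pem, ssl_result, bug_surfaced, loose_hidden


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(demo())
```

The point of the strict variant is not that it logs more, but that it names the failures it expects (TLS and socket errors) and lets everything else propagate; that is what makes a later "SSL Error" log line meaningful and keeps an unrelated bug from being filed under SSL noise.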