Univention Bugzilla – Bug 44741
python-cryptography/ symbol SSLv2_client_method, version OPENSSL_1.0.0 not defined in file libssl.so.1.0.0 with link time reference
Last modified: 2017-06-29 08:51:55 CEST
This is a dev machine with
deb http://omar.knut.univention.de/build2/ ucs_4.2-0-errata4.2-0/all/
So not sure whether this is a "real" problem, maybe invalid?

But my UMC is currently broken:

root@master80:~# systemctl start univention-management-console-web-server.service
Job for univention-management-console-web-server.service failed. See 'systemctl status univention-management-console-web-server.service' and 'journalctl -xn' for details.
root@master80:~# systemctl status univention-management-console-web-server.service
● univention-management-console-web-server.service - LSB: Univention Management Console Web Server
   Loaded: loaded (/etc/init.d/univention-management-console-web-server)
  Drop-In: /lib/systemd/system/univention-management-console-web-server.service.d
           └─killmode.conf
   Active: failed (Result: exit-code) since Mo 2017-06-05 21:19:02 CEST; 4s ago
  Process: 12704 ExecStart=/etc/init.d/univention-management-console-web-server start (code=exited, status=1/FAILURE)

Jun 05 21:19:02 master80 univention-management-console-web-server[12704]: return self._load_library()
Jun 05 21:19:02 master80 univention-management-console-web-server[12704]: File "/usr/lib/python2.7/dist-packages/cffi/verifier.py", line 151, in _load_library
Jun 05 21:19:02 master80 univention-management-console-web-server[12704]: return self._vengine.load_library()
Jun 05 21:19:02 master80 univention-management-console-web-server[12704]: File "/usr/lib/python2.7/dist-packages/cffi/vengine_cpy.py", line 149, in load_library
Jun 05 21:19:02 master80 univention-management-console-web-server[12704]: raise ffiplatform.VerificationError(error)
Jun 05 21:19:02 master80 univention-management-console-web-server[12704]: cffi.ffiplatform.VerificationError: importing '/usr/lib/python2.7/dist-packages/cryptography/_Cryptography_cffi_813c10e0x7adb75f...
Jun 05 21:19:02 master80 univention-management-console-web-server[12704]: failed!
Jun 05 21:19:02 master80 systemd[1]: univention-management-console-web-server.service: control process exited, code=exited status=1
Jun 05 21:19:02 master80 systemd[1]: Failed to start LSB: Univention Management Console Web Server.
Jun 05 21:19:02 master80 systemd[1]: Unit univention-management-console-web-server.service entered failed state.
Hint: Some lines were ellipsized, use -l to show in full.
I have the same problem after upgrading python-cryptography today. The result is that the UMC (and thus also the appcenter) cannot be used anymore! Actually any program importing OpenSSL.SSL will fail!

========================================================================
root@sch-m4:~# systemctl status -l univention-management-console-web-server.service
● univention-management-console-web-server.service - LSB: Univention Management Console Web Server
   Loaded: loaded (/etc/init.d/univention-management-console-web-server)
  Drop-In: /lib/systemd/system/univention-management-console-web-server.service.d
           └─killmode.conf
   Active: failed (Result: exit-code) since Di 2017-06-06 12:18:07 CEST; 3s ago
  Process: 30337 ExecStart=/etc/init.d/univention-management-console-web-server start (code=exited, status=1/FAILURE)

Jun 06 12:18:07 sch-m4 univention-management-console-web-server[30337]: return self._load_library()
Jun 06 12:18:07 sch-m4 univention-management-console-web-server[30337]: File "/usr/lib/python2.7/dist-packages/cffi/verifier.py", line 151, in _load_library
Jun 06 12:18:07 sch-m4 univention-management-console-web-server[30337]: return self._vengine.load_library()
Jun 06 12:18:07 sch-m4 univention-management-console-web-server[30337]: File "/usr/lib/python2.7/dist-packages/cffi/vengine_cpy.py", line 149, in load_library
Jun 06 12:18:07 sch-m4 univention-management-console-web-server[30337]: raise ffiplatform.VerificationError(error)
Jun 06 12:18:07 sch-m4 univention-management-console-web-server[30337]: cffi.ffiplatform.VerificationError: importing '/usr/lib/python2.7/dist-packages/cryptography/_Cryptography_cffi_813c10e0x7adb75f8.x86_64-linux-gnu.so': /usr/lib/python2.7/dist-packages/cryptography/_Cryptography_cffi_813c10e0x7adb75f8.x86_64-linux-gnu.so: symbol SSLv2_client_method, version OPENSSL_1.0.0 not defined in file libssl.so.1.0.0 with link time reference
Jun 06 12:18:07 sch-m4 univention-management-console-web-server[30337]: failed!
Jun 06 12:18:07 sch-m4 systemd[1]: univention-management-console-web-server.service: control process exited, code=exited status=1
Jun 06 12:18:07 sch-m4 systemd[1]: Failed to start LSB: Univention Management Console Web Server.
Jun 06 12:18:07 sch-m4 systemd[1]: Unit univention-management-console-web-server.service entered failed state.
========================================================================
root@sch-m4:~# dpkg -S /usr/lib/python2.7/dist-packages/cryptography/_Cryptography_cffi_813c10e0x7adb75f8.x86_64-linux-gnu.so
python-cryptography: /usr/lib/python2.7/dist-packages/cryptography/_Cryptography_cffi_813c10e0x7adb75f8.x86_64-linux-gnu.so
========================================================================
root@sch-m4:~# apt-cache policy python-cryptography
python-cryptography:
  Installiert:           0.6.1-1+deb8u1
  Installationskandidat: 0.6.1-1+deb8u1
  Versionstabelle:
 *** 0.6.1-1+deb8u1 0
        500 http://192.168.0.10/build2/ ucs_4.2-0-errata4.2-0/amd64/ Packages
        100 /var/lib/dpkg/status
     0.6.1-1 0
        500 http://univention-repository.knut.univention.de/4.2/maintained/ 4.2-0/amd64/ Packages
        500 http://192.168.0.10/build2/ ucs_4.2-0/amd64/ Packages
========================================================================
root@sch-m4:~# univention-app info
Traceback (most recent call last):
  File "/usr/bin/univention-app", line 45, in <module>
    from univention.appcenter.actions import all_actions, Abort
  File "/usr/lib/pymodules/python2.7/univention/appcenter/__init__.py", line 35, in <module>
    from univention.appcenter.actions import get_action, all_actions
  File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/__init__.py", line 319, in <module>
    __import__('univention.appcenter.actions.%s' % pymodule_name)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/__init__.py", line 319, in <module>
    __import__('univention.appcenter.actions.%s' % pymodule_name)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/docker_remove.py", line 39, in <module>
    from univention.appcenter.actions.docker_base import DockerActionMixin
  File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/docker_base.py", line 43, in <module>
    from univention.appcenter.docker import Docker
  File "/usr/lib/pymodules/python2.7/univention/appcenter/docker.py", line 42, in <module>
    import requests
  File "/usr/lib/python2.7/dist-packages/requests/__init__.py", line 68, in <module>
    _attach_namespace(urllib3, 'requests.packages')
  File "/usr/lib/python2.7/dist-packages/requests/__init__.py", line 63, in _attach_namespace
    module = __import__(name)
  File "/usr/lib/python2.7/dist-packages/urllib3/contrib/pyopenssl.py", line 55, in <module>
    import OpenSSL.SSL
  File "/usr/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/usr/lib/python2.7/dist-packages/OpenSSL/rand.py", line 11, in <module>
    from OpenSSL._util import (
  File "/usr/lib/python2.7/dist-packages/OpenSSL/_util.py", line 4, in <module>
    binding = Binding()
  File "/usr/lib/python2.7/dist-packages/cryptography/hazmat/bindings/openssl/binding.py", line 89, in __init__
    self._ensure_ffi_initialized()
  File "/usr/lib/python2.7/dist-packages/cryptography/hazmat/bindings/openssl/binding.py", line 113, in _ensure_ffi_initialized
    libraries=libraries,
  File "/usr/lib/python2.7/dist-packages/cryptography/hazmat/bindings/utils.py", line 80, in build_ffi
    extra_link_args=extra_link_args,
  File "/usr/lib/python2.7/dist-packages/cffi/api.py", line 340, in verify
    lib = self.verifier.load_library()
  File "/usr/lib/python2.7/dist-packages/cffi/verifier.py", line 75, in load_library
    return self._load_library()
  File "/usr/lib/python2.7/dist-packages/cffi/verifier.py", line 151, in _load_library
    return self._vengine.load_library()
  File "/usr/lib/python2.7/dist-packages/cffi/vengine_cpy.py", line 149, in load_library
    raise ffiplatform.VerificationError(error)
cffi.ffiplatform.VerificationError: importing '/usr/lib/python2.7/dist-packages/cryptography/_Cryptography_cffi_813c10e0x7adb75f8.x86_64-linux-gnu.so': /usr/lib/python2.7/dist-packages/cryptography/_Cryptography_cffi_813c10e0x7adb75f8.x86_64-linux-gnu.so: symbol SSLv2_client_method, version OPENSSL_1.0.0 not defined in file libssl.so.1.0.0 with link time reference
root@sch-m4:~# apt-cache rdepends python-cryptography
python-cryptography
Reverse Depends:
  python-openssl
root@sch-m4:~# apt-cache rdepends python-openssl
python-openssl
Reverse Depends:
  [..]
  python-univention-management-console
  [..]
Somehow OPENSSL_NO_SSL2_METHOD is not set. Patched by hand: # diff /usr/lib/python2.7/dist-packages/cryptography/hazmat/bindings/openssl/ssl.py.ori /usr/lib/python2.7/dist-packages/cryptography/hazmat/bindings/openssl/ssl.py 387d386 < #ifdef OPENSSL_NO_SSL2_METHOD 392,394d390 < #else < static const long Cryptography_HAS_SSL2 = 1; < #endif Then restart UMC; the module is recompiled and it works again. → python-cryptography or openssl must be patched so that OPENSSL_NO_SSL2_METHOD is set.
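Review bot: Deleting the `#ifdef OPENSSL_NO_SSL2_METHOD`, `#else` and `#endif` lines (387 and 392-394) leaves the no-SSLv2 branch unconditional, so the binding can no longer adapt to a libssl that does export the SSLv2 entry points, and an in-place edit under dist-packages is lost at the next package upgrade. Prefer keeping a preprocessor condition that matches what the installed OpenSSL headers actually define, and carry the change as a patch in the package build rather than in the installed file.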
Other workaround:
apt-get install python-cryptography=0.6.1-1
apt-mark hold python-cryptography
# restart services...
As a workaround, Philipp removed the package from our errata scope yesterday, so this should not impair tests any longer
Package was copied by Bug #44451 - UCS-4.2 is running a newer version of OpenSSL (1.0.2d) than Debian-Jessie (1.0.1t), which removed several symbols. As such, packages depending on Debian's OpenSSL don't work when copied to errata4.2-0

$ git describe --contains --match OpenSSL\* 66299660976540fa59450a5edc700e61ce4685d0
OpenSSL_1_0_1t~28

UCS-4.2:
openssl-1.0.2d/debian/rules:29 CONFARGS = ... no-ssl2 ...
/usr/include/x86_64-linux-gnu/openssl/opensslconf.h:44:#ifndef OPENSSL_NO_SSL2
/usr/include/x86_64-linux-gnu/openssl/opensslconf.h:45:# define OPENSSL_NO_SSL2
/usr/include/openssl/ssl.h:361:# if (defined(OPENSSL_NO_RSA) || defined(OPENSSL_NO_MD5)) && !defined(OPENSSL_NO_SSL2)
/usr/include/openssl/ssl.h:362:# define OPENSSL_NO_SSL2
/usr/include/openssl/ssl.h:2348:# ifndef OPENSSL_NO_SSL2
$ objdump -T /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 | grep SSLv2_method
-
$ cpp /usr/include/openssl/ssl.h | grep SSLv2_
-

Debian Jessie
openssl-1.0.1t/debian/rules:29 CONFARGS = ... no-ssl2 ...
/usr/include/x86_64-linux-gnu/openssl/opensslconf.h:38:#ifndef OPENSSL_NO_SSL2
/usr/include/x86_64-linux-gnu/openssl/opensslconf.h:39:# define OPENSSL_NO_SSL2
/usr/include/openssl/ssl.h:357:# if (defined(OPENSSL_NO_RSA) || defined(OPENSSL_NO_MD5)) && !defined(OPENSSL_NO_SSL2)
/usr/include/openssl/ssl.h:358:# define OPENSSL_NO_SSL2
/usr/include/openssl/ssl.h:2020:# ifndef OPENSSL_NO_SSL2_METHOD
$ objdump -T /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 | grep SSLv2_method
0000000000013eb0 g DF .text 0000000000000003 OPENSSL_1.0.0 SSLv2_method

Summary:
On both UCS and Debian NO_SSL gets defined.
Only on UCS that is used to skip the SSL2 methods: SSLv3-*method() are *NOT* declared.
On Debian they are built as NO_SSL2_METHOD is *never* defined anywhere: SSLv3*method() *are* available.
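Added example, not part of the bug thread: the by-hand `objdump -T | grep` comparison above, automated in Python. It takes the `objdump -T` text of an extension module and of libssl and lists the OPENSSL_*-versioned symbols the extension imports but the library does not export; both dumps below are constructed samples and the function names are this example's own.

```python
# Constructed sample of `objdump -T` output for the cffi extension module:
# symbols it imports from other libraries appear in the *UND* section.
EXT_DUMP = """\
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 memcpy
0000000000000000      DF *UND*  0000000000000000  OPENSSL_1.0.0 SSL_CTX_new
0000000000000000      DF *UND*  0000000000000000  OPENSSL_1.0.0 SSLv2_client_method
0000000000000000      DF *UND*  0000000000000000  OPENSSL_1.0.0 SSLv23_method
"""

# Constructed sample for a libssl built without the SSLv2 entry points.
LIB_DUMP = """\
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 memcpy
0000000000025c10 g    DF .text  00000000000001a5  OPENSSL_1.0.0 SSL_CTX_new
0000000000013ec0 g    DF .text  0000000000000008  OPENSSL_1.0.0 SSLv23_method
0000000000000000 g    DO *ABS*  0000000000000000  OPENSSL_1.0.0 OPENSSL_1.0.0
"""


def parse_dynsyms(dump, prefix="OPENSSL_"):
    """Return (imported, exported) sets of (name, version) from `objdump -T` text."""
    imported, exported = set(), set()
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # file header, table title, blank line
        # Columns from the right: name, version, size, section.
        section, version, name = parts[-4], parts[-2].strip("()"), parts[-1]
        if not version.startswith(prefix):
            continue  # unversioned symbols or other libraries (e.g. GLIBC_*)
        (imported if section == "*UND*" else exported).add((name, version))
    return imported, exported


def unresolved(ext_dump, lib_dump):
    """Versioned symbols the extension imports that the library does not export."""
    wanted, _ = parse_dynsyms(ext_dump)
    _, provided = parse_dynsyms(lib_dump)
    return sorted(wanted - provided)


if __name__ == "__main__":
    for name, version in unresolved(EXT_DUMP, LIB_DUMP):
        print("missing: symbol %s, version %s" % (name, version))
```

On a real system, feed it the captured output of `objdump -T` for the two files named in the error message instead of the embedded samples.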
Debian contains debian/patches/ssl2-detection.patch <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849802>
-#ifdef OPENSSL_NO_SSL2 +#ifdef OPENSSL_NO_SSL2_METHOD

As NO_SSL2_METHOD is never defined, the code is *not* included in Debian - which is correct, as the Debian OpenSSL still *has* the symbols (the NULL return function):

$ objdump -d /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 | sed '/<SSLv2_method>:/,/^$/!d'
0000000000013eb0 <SSLv2_method>:
   13eb0: 31 c0                 xor %eax,%eax
   13eb2: c3                    retq
   13eb3: 66 66 66 66 2e 0f 1f  data16 data16 data16 nopw %cs:0x0(%rax,%rax,1)

The OPENSSL_NO_SSL2_METHOD change was introduced with
OpenSSL_1_0_1t~28 << Debian-1.0.1t → OK
OpenSSL_1_0_2h~33 >> UCS-1.0.2d → FAIL

We imported 1.0.2h from Debian Jessie-Backports and re-built it for UCS-4.2 (Bug #44143)
It is now out-of-date, as 1.0.2k is available in Debian Jessie-Backports: <https://packages.debian.org/search?keywords=openssl&searchon=sourcenames&suite=all&section=all>
It fixed several new bugs (Bug #42925)

r17532 | Bug #44741 python-cryptography: Adapt to OpenSSL-1.0.2k

repo_admin.py -U -p python-cryptography -d jessie -r 4.2 -s errata4.2-0
build-package-ng -r 4.2 -s errata4.2-0 -p python-cryptography

Package: python-cryptography
Version: 0.6.1-1+deb8u1A~4.2.0.201706081447
Version: 0.6.1-1+deb8u1A~4.2.0.201706081606
Branch: ucs_4.2-0
Scope: errata4.2-0

QA: python -c 'import OpenSSL.SSL'
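Review bot: In debian/patches/ssl2-detection.patch, the new guard `#ifdef OPENSSL_NO_SSL2_METHOD` is only right for OpenSSL headers that know that macro; with headers where the SSLv2 declarations are still gated by `OPENSSL_NO_SSL2` alone (the UCS 1.0.2d case shown in this thread) the macro is never defined and the binding takes the SSLv2-present branch although libssl exports no such symbols. Consider making the condition depend on the OpenSSL version as well, so the `OPENSSL_NO_SSL2` test is kept for releases that predate the macro, and state in the patch header which OpenSSL versions it assumes.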
r80091 | Bug #44741 python-cryptography YAML
OK: patch
OK: built for i386 and amd64
OK: advisory
OK: manual test
OK: automated tests from 84_crypto (01_openssl_protocol_versions, 02_openssl-ruby, 03_openssl-python)

r80119: enable ucs-test-crypto in jenkins runs (ucs-test 7.0.21-44)
OK: ucs-test-crypto (84_crypto) tests are now successfully executed by Jenkins.
<http://errata.software-univention.de/ucs/4.2/30.html>