Bug 44741 - python-cryptography/ symbol SSLv2_client_method, version OPENSSL_1.0.0 not defined in file libssl.so.1.0.0 with link time reference
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SSL
Version: UCS 4.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.2-0-errata
Assigned To: Philipp Hahn
QA Contact: Daniel Tröder
Depends on: 44751
Reported: 2017-06-05 21:24 CEST by Dirk Wiesenthal
Modified: 2017-06-29 08:51 CEST
What kind of report is it?: Bug Report
What type of bug is this?: 7: Crash: Bug causes crash or data loss
Who will be affected by this bug?: 5: Will affect all installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 1.000
Bug group (optional): Workaround is available
Description Dirk Wiesenthal univentionstaff 2017-06-05 21:24:11 CEST
This is a dev machine with
  deb http://omar.knut.univention.de/build2/ ucs_4.2-0-errata4.2-0/all/

So not sure whether this is a "real" problem, maybe invalid? But my UMC is currently broken:

root@master80:~# systemctl start univention-management-console-web-server.service
Job for univention-management-console-web-server.service failed. See 'systemctl status univention-management-console-web-server.service' and 'journalctl -xn' for details.
root@master80:~# systemctl status univention-management-console-web-server.service
● univention-management-console-web-server.service - LSB: Univention Management Console Web Server
   Loaded: loaded (/etc/init.d/univention-management-console-web-server)
  Drop-In: /lib/systemd/system/univention-management-console-web-server.service.d
           └─killmode.conf
   Active: failed (Result: exit-code) since Mo 2017-06-05 21:19:02 CEST; 4s ago
  Process: 12704 ExecStart=/etc/init.d/univention-management-console-web-server start (code=exited, status=1/FAILURE)

Jun 05 21:19:02 master80 univention-management-console-web-server[12704]: return self._load_library()
Jun 05 21:19:02 master80 univention-management-console-web-server[12704]: File "/usr/lib/python2.7/dist-packages/cffi/verifier.py", line 151, in _load_library
Jun 05 21:19:02 master80 univention-management-console-web-server[12704]: return self._vengine.load_library()
Jun 05 21:19:02 master80 univention-management-console-web-server[12704]: File "/usr/lib/python2.7/dist-packages/cffi/vengine_cpy.py", line 149, in load_library
Jun 05 21:19:02 master80 univention-management-console-web-server[12704]: raise ffiplatform.VerificationError(error)
Jun 05 21:19:02 master80 univention-management-console-web-server[12704]: cffi.ffiplatform.VerificationError: importing '/usr/lib/python2.7/dist-packages/cryptography/_Cryptography_cffi_813c10e0x7adb75f...
Jun 05 21:19:02 master80 univention-management-console-web-server[12704]: failed!
Jun 05 21:19:02 master80 systemd[1]: univention-management-console-web-server.service: control process exited, code=exited status=1
Jun 05 21:19:02 master80 systemd[1]: Failed to start LSB: Univention Management Console Web Server.
Jun 05 21:19:02 master80 systemd[1]: Unit univention-management-console-web-server.service entered failed state.
Hint: Some lines were ellipsized, use -l to show in full.
Comment 1 Daniel Tröder univentionstaff 2017-06-06 12:30:42 CEST
I have the same problem after upgrading python-cryptography today.

The result is that the UMC (and thus also the appcenter) cannot be used anymore!
Actually any program importing OpenSSL.SSL will fail!

========================================================================

root@sch-m4:~# systemctl status -l univention-management-console-web-server.service
● univention-management-console-web-server.service - LSB: Univention Management Console Web Server
   Loaded: loaded (/etc/init.d/univention-management-console-web-server)
  Drop-In: /lib/systemd/system/univention-management-console-web-server.service.d
           └─killmode.conf
   Active: failed (Result: exit-code) since Di 2017-06-06 12:18:07 CEST; 3s ago
  Process: 30337 ExecStart=/etc/init.d/univention-management-console-web-server start (code=exited, status=1/FAILURE)

Jun 06 12:18:07 sch-m4 univention-management-console-web-server[30337]: return self._load_library()
Jun 06 12:18:07 sch-m4 univention-management-console-web-server[30337]: File "/usr/lib/python2.7/dist-packages/cffi/verifier.py", line 151, in _load_library
Jun 06 12:18:07 sch-m4 univention-management-console-web-server[30337]: return self._vengine.load_library()
Jun 06 12:18:07 sch-m4 univention-management-console-web-server[30337]: File "/usr/lib/python2.7/dist-packages/cffi/vengine_cpy.py", line 149, in load_library
Jun 06 12:18:07 sch-m4 univention-management-console-web-server[30337]: raise ffiplatform.VerificationError(error)
Jun 06 12:18:07 sch-m4 univention-management-console-web-server[30337]: cffi.ffiplatform.VerificationError: importing '/usr/lib/python2.7/dist-packages/cryptography/_Cryptography_cffi_813c10e0x7adb75f8.x86_64-linux-gnu.so': /usr/lib/python2.7/dist-packages/cryptography/_Cryptography_cffi_813c10e0x7adb75f8.x86_64-linux-gnu.so: symbol SSLv2_client_method, version OPENSSL_1.0.0 not defined in file libssl.so.1.0.0 with link time reference
Jun 06 12:18:07 sch-m4 univention-management-console-web-server[30337]: failed!
Jun 06 12:18:07 sch-m4 systemd[1]: univention-management-console-web-server.service: control process exited, code=exited status=1
Jun 06 12:18:07 sch-m4 systemd[1]: Failed to start LSB: Univention Management Console Web Server.
Jun 06 12:18:07 sch-m4 systemd[1]: Unit univention-management-console-web-server.service entered failed state.

========================================================================

root@sch-m4:~# dpkg -S /usr/lib/python2.7/dist-packages/cryptography/_Cryptography_cffi_813c10e0x7adb75f8.x86_64-linux-gnu.so
python-cryptography: /usr/lib/python2.7/dist-packages/cryptography/_Cryptography_cffi_813c10e0x7adb75f8.x86_64-linux-gnu.so

========================================================================

root@sch-m4:~# apt-cache policy python-cryptography
python-cryptography:
  Installiert:           0.6.1-1+deb8u1
  Installationskandidat: 0.6.1-1+deb8u1
  Versionstabelle:
 *** 0.6.1-1+deb8u1 0
        500 http://192.168.0.10/build2/ ucs_4.2-0-errata4.2-0/amd64/ Packages
        100 /var/lib/dpkg/status
     0.6.1-1 0
        500 http://univention-repository.knut.univention.de/4.2/maintained/ 4.2-0/amd64/ Packages
        500 http://192.168.0.10/build2/ ucs_4.2-0/amd64/ Packages

========================================================================

root@sch-m4:~# univention-app info
Traceback (most recent call last):
  File "/usr/bin/univention-app", line 45, in <module>
    from univention.appcenter.actions import all_actions, Abort
  File "/usr/lib/pymodules/python2.7/univention/appcenter/__init__.py", line 35, in <module>
    from univention.appcenter.actions import get_action, all_actions
  File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/__init__.py", line 319, in <module>
    __import__('univention.appcenter.actions.%s' % pymodule_name)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/__init__.py", line 319, in <module>
    __import__('univention.appcenter.actions.%s' % pymodule_name)
  File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/docker_remove.py", line 39, in <module>
    from univention.appcenter.actions.docker_base import DockerActionMixin
  File "/usr/lib/pymodules/python2.7/univention/appcenter/actions/docker_base.py", line 43, in <module>
    from univention.appcenter.docker import Docker
  File "/usr/lib/pymodules/python2.7/univention/appcenter/docker.py", line 42, in <module>
    import requests
  File "/usr/lib/python2.7/dist-packages/requests/__init__.py", line 68, in <module>
    _attach_namespace(urllib3, 'requests.packages')
  File "/usr/lib/python2.7/dist-packages/requests/__init__.py", line 63, in _attach_namespace
    module = __import__(name)
  File "/usr/lib/python2.7/dist-packages/urllib3/contrib/pyopenssl.py", line 55, in <module>
    import OpenSSL.SSL
  File "/usr/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/usr/lib/python2.7/dist-packages/OpenSSL/rand.py", line 11, in <module>
    from OpenSSL._util import (
  File "/usr/lib/python2.7/dist-packages/OpenSSL/_util.py", line 4, in <module>
    binding = Binding()
  File "/usr/lib/python2.7/dist-packages/cryptography/hazmat/bindings/openssl/binding.py", line 89, in __init__
    self._ensure_ffi_initialized()
  File "/usr/lib/python2.7/dist-packages/cryptography/hazmat/bindings/openssl/binding.py", line 113, in _ensure_ffi_initialized
    libraries=libraries,
  File "/usr/lib/python2.7/dist-packages/cryptography/hazmat/bindings/utils.py", line 80, in build_ffi
    extra_link_args=extra_link_args,
  File "/usr/lib/python2.7/dist-packages/cffi/api.py", line 340, in verify
    lib = self.verifier.load_library()
  File "/usr/lib/python2.7/dist-packages/cffi/verifier.py", line 75, in load_library
    return self._load_library()
  File "/usr/lib/python2.7/dist-packages/cffi/verifier.py", line 151, in _load_library
    return self._vengine.load_library()
  File "/usr/lib/python2.7/dist-packages/cffi/vengine_cpy.py", line 149, in load_library
    raise ffiplatform.VerificationError(error)
cffi.ffiplatform.VerificationError: importing '/usr/lib/python2.7/dist-packages/cryptography/_Cryptography_cffi_813c10e0x7adb75f8.x86_64-linux-gnu.so': /usr/lib/python2.7/dist-packages/cryptography/_Cryptography_cffi_813c10e0x7adb75f8.x86_64-linux-gnu.so: symbol SSLv2_client_method, version OPENSSL_1.0.0 not defined in file libssl.so.1.0.0 with link time reference
Comment 2 Daniel Tröder univentionstaff 2017-06-06 12:40:04 CEST
root@sch-m4:~# apt-cache rdepends python-cryptography
python-cryptography
Reverse Depends:
  python-openssl


root@sch-m4:~# apt-cache rdepends python-openssl
python-openssl
Reverse Depends:
[..]
python-univention-management-console
[..]
Comment 3 Daniel Tröder univentionstaff 2017-06-06 13:09:43 CEST
Somehow OPENSSL_NO_SSL2_METHOD is not set. Patched by hand:

# diff /usr/lib/python2.7/dist-packages/cryptography/hazmat/bindings/openssl/ssl.py.ori /usr/lib/python2.7/dist-packages/cryptography/hazmat/bindings/openssl/ssl.py
387d386
< #ifdef OPENSSL_NO_SSL2_METHOD
392,394d390
< #else
< static const long Cryptography_HAS_SSL2 = 1;
< #endif
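
Review bot: Deleting the `#ifdef OPENSSL_NO_SSL2_METHOD` line at 387 together with the `#else` branch at 392-394 makes the lines left between them unconditional, so the binding no longer consults the OpenSSL headers at all and `Cryptography_HAS_SSL2 = 1` can never be selected. Keeping a conditional, but on a macro the installed headers actually define, would preserve the detection. The change is also applied to the installed copy under dist-packages rather than to the package source, so a reinstall or upgrade of python-cryptography would be expected to undo it; it belongs in a package patch.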

Then restart UMC; the module gets recompiled and it works again.

→ python-cryptography or openssl must be patched so that OPENSSL_NO_SSL2_METHOD is set.
Comment 4 Erik Damrose univentionstaff 2017-06-06 13:24:48 CEST
Other workaround:

apt-get install python-cryptography=0.6.1-1
apt-mark hold python-cryptography
# restart services...
Comment 5 Erik Damrose univentionstaff 2017-06-07 10:31:53 CEST
As a workaround, Philipp removed the package from our errata scope yesterday, so this should not impair tests any longer
Comment 6 Philipp Hahn univentionstaff 2017-06-07 22:15:36 CEST
Package was copied by Bug #44451 - UCS-4.2 is running a newer version of OpenSSL (1.0.2d) than Debian-Jessie (1.0.1t), which removed several symbols. As such, packages depending on Debian's OpenSSL don't work when copied to errata4.2-0

$ git describe --contains --match OpenSSL\* 66299660976540fa59450a5edc700e61ce4685d0
OpenSSL_1_0_1t~28

UCS-4.2:
 openssl-1.0.2d/debian/rules:29 CONFARGS  = ... no-ssl2 ...
 /usr/include/x86_64-linux-gnu/openssl/opensslconf.h:44:#ifndef OPENSSL_NO_SSL2
 /usr/include/x86_64-linux-gnu/openssl/opensslconf.h:45:# define OPENSSL_NO_SSL2

 /usr/include/openssl/ssl.h:361:# if (defined(OPENSSL_NO_RSA) || defined(OPENSSL_NO_MD5)) && !defined(OPENSSL_NO_SSL2)
 /usr/include/openssl/ssl.h:362:#  define OPENSSL_NO_SSL2
 /usr/include/openssl/ssl.h:2348:# ifndef OPENSSL_NO_SSL2

 $ objdump -T /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0  | grep SSLv2_method
 -
 $ cpp /usr/include/openssl/ssl.h | grep SSLv2_
 -

Debian Jessie
 openssl-1.0.1t/debian/rules:29 CONFARGS  = ... no-ssl2 ... 
 /usr/include/x86_64-linux-gnu/openssl/opensslconf.h:38:#ifndef OPENSSL_NO_SSL2
 /usr/include/x86_64-linux-gnu/openssl/opensslconf.h:39:# define OPENSSL_NO_SSL2

 /usr/include/openssl/ssl.h:357:# if (defined(OPENSSL_NO_RSA) || defined(OPENSSL_NO_MD5)) && !defined(OPENSSL_NO_SSL2)
 /usr/include/openssl/ssl.h:358:#  define OPENSSL_NO_SSL2
 /usr/include/openssl/ssl.h:2020:# ifndef OPENSSL_NO_SSL2_METHOD

 $ objdump -T /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0  | grep SSLv2_method
 0000000000013eb0 g    DF .text  0000000000000003  OPENSSL_1.0.0 SSLv2_method

Summary:
 On both UCS and Debian NO_SSL gets defined.
 Only on UCS that is used to skip the SSL2 methods: SSLv3-*method() are *NOT* declared.
 On Debian they are built as NO_SSL2_METHOD is *never* defined anywhere: SSLv3*method() *are* available.
Comment 7 Philipp Hahn univentionstaff 2017-06-08 16:34:53 CEST
Debian contains debian/patches/ssl2-detection.patch <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849802>
 -#ifdef OPENSSL_NO_SSL2
 +#ifdef OPENSSL_NO_SSL2_METHOD
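
Review bot: The new guard on `OPENSSL_NO_SSL2_METHOD` carries no indication of which OpenSSL release it assumes. The ssl.h lines quoted in comment 6 show the 1.0.1t header guarding its SSLv2 section with `OPENSSL_NO_SSL2_METHOD` and the 1.0.2d header guarding it with `OPENSSL_NO_SSL2`, so the result depends on the header set the package is built against. A comment in the patch naming the OpenSSL version it targets, or a versioned build dependency, would keep the package from being rebuilt or copied against a libssl whose exported symbols do not match what the guard assumes.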
As NO_SSL2_METHOD is never defined, the code is *not* included in Debian - which is correct, as the Debian OpenSSL still *has* the symbols (the NULL return function):

$ objdump -d /usr/lib/x86_64-linux-gnu/libssl.so.1.0.0 | sed '/<SSLv2_method>:/,/^$/!d'
0000000000013eb0 <SSLv2_method>:
   13eb0:       31 c0                   xor    %eax,%eax
   13eb2:       c3                      retq   
   13eb3:       66 66 66 66 2e 0f 1f    data16 data16 data16 nopw %cs:0x0(%rax,%rax,1)

The OPENSSL_NO_SSL2_METHOD change was introduced with
 OpenSSL_1_0_1t~28 << Debian-1.0.1t → OK
 OpenSSL_1_0_2h~33 >> UCS-1.0.2d → FAIL

We imported 1.0.2h from Debian Jessie-Backports and re-built it for UCS-4.2 (Bug #44143)
It is now out-of-date, as 1.0.2k is available in Debian Jessie-Backports: <https://packages.debian.org/search?keywords=openssl&searchon=sourcenames&suite=all&section=all>
It fixed several new bugs (Bug #42925)

r17532 | Bug #44741 python-cryptography: Adapt to OpenSSL-1.0.2k

repo_admin.py -U -p python-cryptography -d jessie -r 4.2 -s errata4.2-0
build-package-ng -r 4.2 -s errata4.2-0 -p python-cryptography

Package: python-cryptography
Version: 0.6.1-1+deb8u1A~4.2.0.201706081447
Version: 0.6.1-1+deb8u1A~4.2.0.201706081606
Branch: ucs_4.2-0
Scope: errata4.2-0

QA: python -c 'import OpenSSL.SSL'
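
The objdump comparison done by hand in comments 6 and 7 can be run as a check before a binary package is copied into a scope built against a different OpenSSL. The following is an added example, not part of this bug report or of UCS tooling: the function names, file names and sample listings are constructed (only the SSLv2_method row is taken from comment 6), and matching imports to the library by version-node name is a simplifying assumption.

```shell
#!/bin/sh
# Report symbols an extension imports under a version node the library
# provides but that the library does not define (the loader error above).
# usage: missing_symbols EXT_DUMP LIB_DUMP   (saved `objdump -T` listings)
missing_symbols() {
    awk '
    # Split a symbol row into name and version ("" when unversioned).
    function parse() {
        name = $NF; ver = ""
        if ($(NF-1) !~ /^[0-9a-f]+$/) { ver = $(NF-1); gsub(/[()]/, "", ver) }
    }
    $1 !~ /^[0-9a-f]+$/ || NF < 4 { next }    # skip headers and blank lines
    FILENAME == ARGV[1] {                      # library listing
        if ($0 !~ /\*UND\*/) {
            parse()
            if (ver != "") { nodes[ver] = 1; defined[ver, name] = 1 }
        }
        next
    }
    /\*UND\*/ {                                # extension listing
        parse()
        if ((ver in nodes) && !((ver, name) in defined)) print name, ver
    }' "$2" "$1"
}

# Constructed sample listings; only the SSLv2_method row is from the report.
make_samples() {
    cat > "$1/ext.dump" <<'EOF'
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 memcpy
0000000000000000  w   D  *UND*  0000000000000000              __gmon_start__
0000000000000000      DF *UND*  0000000000000000  OPENSSL_1.0.0 SSL_new
0000000000000000      DF *UND*  0000000000000000  OPENSSL_1.0.0 SSLv2_client_method
EOF
    cat > "$1/lib_nossl2.dump" <<'EOF'
0000000000000000 g    DO *ABS*  0000000000000000  OPENSSL_1.0.0 OPENSSL_1.0.0
0000000000024000 g    DF .text  0000000000000040  OPENSSL_1.0.0 SSL_new
EOF
    { cat "$1/lib_nossl2.dump"; cat <<'EOF'
0000000000013eb0 g    DF .text  0000000000000003  OPENSSL_1.0.0 SSLv2_method
0000000000013ec0 g    DF .text  0000000000000003  OPENSSL_1.0.0 SSLv2_client_method
EOF
    } > "$1/lib_stub.dump"
}

tmp=$(mktemp -d) && make_samples "$tmp"
echo "no-ssl2 libssl: $(missing_symbols "$tmp/ext.dump" "$tmp/lib_nossl2.dump")"
echo "stub libssl:    $(missing_symbols "$tmp/ext.dump" "$tmp/lib_stub.dump")"
rm -rf "$tmp"
```

On a real system the two inputs come from `objdump -T` run on the extension module and on libssl.so.1.0.0, each redirected to a file; empty output means every versioned import is satisfied.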
Comment 8 Philipp Hahn univentionstaff 2017-06-08 16:35:10 CEST
r80091 | Bug #44741 python-cryptography YAML
Comment 9 Daniel Tröder univentionstaff 2017-06-12 12:28:17 CEST
OK: patch
OK: built for i386 and amd64
OK: advisory
OK: manual test
OK: automated tests from 84_crypto (01_openssl_protocol_versions, 02_openssl-ruby, 03_openssl-python)

r80119: enable ucs-test-crypto in jenkins runs (ucs-test 7.0.21-44)
Comment 10 Daniel Tröder univentionstaff 2017-06-14 11:16:45 CEST
OK: ucs-test-crypto (84_crypto) tests are now successfully executed by Jenkins.
Comment 11 Janek Walkenhorst univentionstaff 2017-06-15 17:58:24 CEST
<http://errata.software-univention.de/ucs/4.2/30.html>