
Tracebacks in cheroot with ssl and "builtin" in production use, reproducible with "openssl s_client" and testssl.sh

See original GitHub issue

❓ I'm submitting a …

  • 🐞 bug report
  • 🐣 feature request
  • ❓ question about the decisions made in the repository

🐞 Describe the bug. What is the current behavior?

SABnzbd uses cherrypy and cheroot. In production use, SABnzbd gets cherrypy / cheroot Tracebacks from port scanners and other strange connections. SABnzbd does show Tracebacks to the user, which is annoying.

These Tracebacks are reproducible by running a pure cheroot server, and then connecting to it with

Note: this only happens with builtin. Not any error with pyopenssl. However, using pyopenssl is not an option for SABnzbd, right @Safihre ?

❓ What is the motivation / use case for changing the behavior?

Avoiding Tracebacks

💡 To Reproduce

Start a pure cheroot server:

#!/usr/bin/python3

from cheroot import wsgi
def my_crazy_app(environ, start_response):
    status = '200 OK'
    response_headers = [('Content-type','text/plain')]
    start_response(status, response_headers)
    return [b'Hello world!']
addr = '0.0.0.0', 8070
server = wsgi.Server(addr, my_crazy_app)

# the SSL stuff:
from cheroot.server import get_ssl_adapter_class
server.ssl_adapter = get_ssl_adapter_class(name='builtin')('./server.cert', './server.key')

server.start()

Then run the openssl CLI client against cheroot; see follow-up post below: https://github.com/cherrypy/cheroot/issues/292#issuecomment-641413394

Or automatic, heavy testing: run testssl.sh against the cheroot server:

./testssl.sh 127.0.0.1:8070

cheroot will start spitting out Tracebacks, for example:

Traceback (most recent call last):
  File "/home/sander/.local/lib/python3.8/site-packages/cheroot/server.py", line 1776, in serve
    self.tick()
  File "/home/sander/.local/lib/python3.8/site-packages/cheroot/server.py", line 1999, in tick
    conn = self.connections.get_conn(self.socket)
  File "/home/sander/.local/lib/python3.8/site-packages/cheroot/connections.py", line 180, in get_conn
    return self._from_server_socket(server_socket)
  File "/home/sander/.local/lib/python3.8/site-packages/cheroot/connections.py", line 199, in _from_server_socket
    s, ssl_env = self.server.ssl_adapter.wrap(s)
  File "/home/sander/.local/lib/python3.8/site-packages/cheroot/ssl/builtin.py", line 242, in wrap
    s = self.context.wrap_socket(
  File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.8/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: VERSION_TOO_LOW] version too low (_ssl.c:1108)

Summary of errors seen in the Tracebacks:

ssl.SSLError: [SSL: BAD_ALERT_RECORD] no suitable key share (_ssl.c:1108)
ssl.SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:1108)
ssl.SSLError: [SSL: DECRYPTION_FAILED_OR_BAD_RECORD_MAC] decryption failed or bad record mac (_ssl.c:1108)
ssl.SSLError: [SSL] internal error (_ssl.c:1108)
ssl.SSLError: [SSL: LENGTH_MISMATCH] length mismatch (_ssl.c:1108)
ssl.SSLError: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1108)
ssl.SSLError: [SSL: VERSION_TOO_LOW] version too low (_ssl.c:1108)

💡 Expected behavior

No Traceback. Main reason: the ssl.SSLError is not a big deal, certainly not on the server side: just a non-compliant client. Let the client take care of it, not the server. The cheroot sould care too much about it; just ignore.

FWIW / As reference: running testssl.sh against apache2 gives normal, nice logging and results:

access.log

192.168.1.119 - - [09/Jun/2020:17:48:38 +0200] "GET / HTTP/1.1" 200 3679 "-" "TLS tester from https://testssl.sh/dev/"
192.168.1.119 - - [09/Jun/2020:17:49:24 +0200] "GET / HTTP/1.1" 200 3679 "-" "TLS tester from https://testssl.sh/dev/"
192.168.1.119 - - [09/Jun/2020:17:49:25 +0200] "GET / HTTP/1.1" 200 3679 "-" "TLS tester from https://testssl.sh/dev/"
192.168.1.119 - - [09/Jun/2020:17:49:50 +0200] "GET / HTTP/1.1" 200 3666 "https://google.com/" "TLS tester from https://testssl.sh/dev/"
192.168.1.119 - - [09/Jun/2020:17:49:51 +0200] "GET / HTTP/1.1" 200 3679 "https://google.com/" "TLS tester from https://testssl.sh/dev/"
192.168.1.119 - - [09/Jun/2020:17:49:52 +0200] "GET / HTTP/1.1" 200 3679 "https://google.com/" "TLS tester from https://testssl.sh/dev/"
192.168.1.119 - - [09/Jun/2020:17:49:53 +0200] "GET / HTTP/1.1" 200 3679 "https://google.com/" "TLS tester from https://testssl.sh/dev/"

error.log

[Tue Jun 09 17:49:48.591264 2020] [ssl:error] [pid 1003:tid 281473206698400] [client 192.168.1.119:56918] AH02042: rejecting client initiated renegotiation
[Tue Jun 09 17:49:49.678955 2020] [ssl:error] [pid 1004:tid 281473809244576] [client 192.168.1.119:56920] AH02042: rejecting client initiated renegotiation

📋 Details

See below for one run of testssl.sh

📋 Environment

  • Cheroot version: 8.3.0
  • CherryPy version: not applicable
  • Python version: 3.8.2
  • OS: Ubuntu 20.04
  • Browser: testssl.sh

📋 Additional context

$ python3 cheroot_only.py 
Error in HTTPServer.tick
Traceback (most recent call last):
  File "/home/sander/.local/lib/python3.8/site-packages/cheroot/server.py", line 1776, in serve
    self.tick()
  File "/home/sander/.local/lib/python3.8/site-packages/cheroot/server.py", line 1999, in tick
    conn = self.connections.get_conn(self.socket)
  File "/home/sander/.local/lib/python3.8/site-packages/cheroot/connections.py", line 180, in get_conn
    return self._from_server_socket(server_socket)
  File "/home/sander/.local/lib/python3.8/site-packages/cheroot/connections.py", line 199, in _from_server_socket
    s, ssl_env = self.server.ssl_adapter.wrap(s)
  File "/home/sander/.local/lib/python3.8/site-packages/cheroot/ssl/builtin.py", line 242, in wrap
    s = self.context.wrap_socket(
  File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.8/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: VERSION_TOO_LOW] version too low (_ssl.c:1108)

Result in SABnzbd: image

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 25 (25 by maintainers)

Top GitHub Comments

1 reaction
sanderjo commented, Jul 19, 2020

OK, here we go:

$ cat errors.txt  | grep -vi -e "^ "  | sort -u  | grep ssl.SSLError | sed -e 's/.*\] \(.*\)(_ssl.*/\1/'
no suitable key share 
no suitable signature algorithm 
decryption failed or bad record mac 
internal error 
length mismatch 
unsupported protocol 
version too low 

So changed the code to

                _block_errors = (
                    'unknown protocol', 'unknown ca', 'unknown_ca',
                    'unknown error',
                    'https proxy request', 'inappropriate fallback',
                    'wrong version number',
                    'no shared cipher', 'certificate unknown',
                    'ccs received early',
                    'certificate verify failed',  # client cert w/o trusted CA
                    'unexpected message',
                    'no suitable key share',
                    'no suitable signature algorithm',
                    'decryption failed or bad record mac',
                    'internal error', 
                    'length mismatch', 
                    'unsupported protocol', 
                    'version too low', 
                )
                if _assert_ssl_exc_contains(ex, *_block_errors):
                    # Accepted error, let's pass
                    return EMPTY_RESULT

And run testssl.sh against it … and not one error.

(Note: why not filter on UNSUPPORTED_PROTOCOL instead of unsupported protocol?)

OK. Great. But why filter on those results at all? Wouldn't it be OK to just default ssl.SSL_ERROR_SSL to return EMPTY_RESULT? Is there anything useful builtin.py does / can do with ssl.SSL_ERROR_SSL?

1 reaction
Safihre commented, Jun 10, 2020

The same as the already listed errors: drop and ignore. I suggest we just extend the list already there with the new errors.
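
An added example, not code from cheroot or from either commenter: it reproduces the grep/sed summary over the error lines quoted in the issue, lists the lines where the bracketed mnemonic and the message text disagree (relevant to the question of filtering on UNSUPPORTED_PROTOCOL versus the text), and turns a block-listed handshake failure into a single log line instead of a traceback. The function names, the log-line format and the peer address are assumptions made for illustration; the substring matching only mirrors the idea of the `_block_errors` list above.

```python
import re
import ssl
from collections import Counter

# Message fragments from the _block_errors tuple quoted in the comment above.
BLOCK_ERRORS = (
    'unknown protocol', 'unknown ca', 'unknown_ca', 'unknown error',
    'https proxy request', 'inappropriate fallback', 'wrong version number',
    'no shared cipher', 'certificate unknown', 'ccs received early',
    'certificate verify failed', 'unexpected message',
    'no suitable key share', 'no suitable signature algorithm',
    'decryption failed or bad record mac', 'internal error',
    'length mismatch', 'unsupported protocol', 'version too low',
)

# Matches "[SSL: MNEMONIC] text (_ssl.c:NNNN)"; the mnemonic may be absent,
# as in "[SSL] internal error".
SSL_MSG = re.compile(
    r'\[(?P<lib>\w+)(?:: (?P<reason>\w+))?\] (?P<text>.*?) ?\(_ssl\.c:\d+\)')

# Final traceback lines as they appear in the issue, with one repeat.
SAMPLE_LOG = """\
ssl.SSLError: [SSL: VERSION_TOO_LOW] version too low (_ssl.c:1108)
ssl.SSLError: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1108)
ssl.SSLError: [SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1108)
ssl.SSLError: [SSL: BAD_ALERT_RECORD] no suitable key share (_ssl.c:1108)
ssl.SSLError: [SSL: BAD_RSA_DECRYPT] no suitable signature algorithm (_ssl.c:1108)
ssl.SSLError: [SSL] internal error (_ssl.c:1108)
ssl.SSLError: [SSL: LENGTH_MISMATCH] length mismatch (_ssl.c:1108)
ssl.SSLError: [SSL: DECRYPTION_FAILED_OR_BAD_RECORD_MAC] decryption failed or bad record mac (_ssl.c:1108)
"""


def parse_ssl_error(message):
    """Return (mnemonic_or_None, text) for an SSLError message, else None."""
    m = SSL_MSG.search(message)
    if m is None:
        return None
    return m.group('reason'), m.group('text').strip()


def summarize(log_text):
    """Count handshake failures by message text (the grep/sed pipeline above)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_ssl_error(line)
        if parsed:
            counts[parsed[1]] += 1
    return counts


def mnemonic_text_mismatches(log_text):
    """List (mnemonic, text) pairs whose mnemonic does not spell out the text."""
    found = []
    for line in log_text.splitlines():
        parsed = parse_ssl_error(line)
        if not parsed or parsed[0] is None:
            continue
        if parsed[0].replace('_', ' ').lower() != parsed[1] and parsed not in found:
            found.append(parsed)
    return found


def handshake_decision(exc, peer):
    """Decide what a server loop should do with a failed TLS handshake.

    Returns ('drop', log_line) when the error text is on the block list, so the
    connection is closed and one line is logged, or ('raise', None) so that an
    unexpected error still surfaces with its traceback.
    """
    if not isinstance(exc, ssl.SSLError):
        return ('raise', None)
    text = str(exc).lower()
    hit = next((frag for frag in BLOCK_ERRORS if frag in text), None)
    if hit is None:
        return ('raise', None)
    line = 'tls handshake rejected client=%s:%d reason="%s"' % (peer[0], peer[1], hit)
    return ('drop', line)


if __name__ == '__main__':
    peer = ('192.0.2.10', 56918)  # constructed address (documentation range)
    for text, count in sorted(summarize(SAMPLE_LOG).items()):
        print(count, text)
    print(mnemonic_text_mismatches(SAMPLE_LOG))
    exc = ssl.SSLError(1, '[SSL: VERSION_TOO_LOW] version too low (_ssl.c:1108)')
    print(handshake_decision(exc, peer))
```
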
