[Python-bugs-list] [Bug #132460] SSL Support (Apparently) Broken on Solaris

noreply@sourceforge.net noreply@sourceforge.net
Thu, 15 Feb 2001 06:12:38 -0800


Bug #132460, was updated on 2001-Feb-14 19:14
Here is a current snapshot of the bug.

Project: Python
Category: Extension Modules
Status: Open
Resolution: None
Bug Group: Platform-specific
Priority: 5
Submitted by: beazley
Assigned to : nobody
Summary: SSL Support (Apparently) Broken on Solaris

Details: I have spent about 10 hours banging on this with no luck.

Python   :  Python-2.0
Platform :  SPARC Solaris 2.8
Compiler :  Sun Workshop Pro v5.0, gcc-2.95-2
OpenSSL  :  openssl-0.9.6 and 0.9.5.

Problem -

All attempts to open a SSL connection result in an "SSL_connect error".

I have tried various combinations of keys and certificates.
I have looked at the Python source code extensively and added debugging to
try and get more information.  I have run the system using the openssl
s_client and s_server testing tools.   I have recompiled everything in
various configurations of versions and compilers.  In all cases, the same
error is generated.

That said, has *ANYBODY* gotten this to work on Solaris?
If so, do you have any details that can be shared?

Cheers,

Dave

P.S. I will submit a patch if I can ever get this to actually work.

Follow-Ups:

Date: 2001-Feb-15 06:12
By: beazley

Comment:
A followup on this bug....  It appears that Python is not properly
seeding the OpenSSL random number generator when it creates a secure
socket.  This, in turn, causes the SSL_connect() function to fail due
to improper random number seeding (although the error wasn't
obvious--at least not to me).   This is also due to an apparent
"feature" of Solaris not providing a usable /dev/random device.

A simple fix is to modify init_socket() in socketmodule.c to include
a call to RAND_seed() like this:

#ifdef USE_SSL
        SSL_load_error_strings();
        SSLeay_add_ssl_algorithms();
        /* Sick hack for Solaris */
        {
           char bogus[64];
           /* Fill in bogus with some random noise */
           ...
           RAND_seed(bogus, 64);
        }
        ...
#endif

Presumably one would need to think about the randomness actually
passed to RAND_seed()  (I have done nothing above).


Here are related comments from the OpenSSL FAQ:

"Cryptographic software needs a source of unpredictable data to work
correctly. Many open source operating systems provide a "randomness
device" that serves this purpose. On other systems, applications have
to call the RAND_add() or RAND_seed() function with appropriate data
before generating keys or performing public key encryption.

Some broken applications do not do this. As of version
0.9.5, the OpenSSL functions that need randomness report an error if
the random number generator has not been seeded with at least 128 bits of
randomness. If this error occurs, please contact the author of the
application you are using. It is likely that it never worked
correctly. OpenSSL 0.9.5 and later make the error visible by refusing
to perform potentially insecure encryption."

Python-2.1a2 does not appear to include a fix, but I can't test it to
find out (since 2.1a2 doesn't compile on my machine).

Cheers,

Dave
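As an added example (not part of this bug report, nor of Python's own socketmodule.c), here is a Python 3 version of the seeding the hack above leaves as "...", plus the check a maintainer would want before calling SSL_connect(). It assumes the ssl module's RAND_status()/RAND_add()/RAND_bytes() wrappers around the OpenSSL calls, and it fails closed when the OS has no randomness source instead of feeding OpenSSL an uninitialised buffer.

```python
import os
import ssl

# OpenSSL 0.9.5+ refuses to do crypto until its PRNG has been seeded with
# at least 128 bits of entropy (the threshold quoted from the OpenSSL FAQ).
MIN_SEED_BITS = 128


def seed_from_os(nbits=MIN_SEED_BITS):
    """Mix ``nbits`` of OS-supplied entropy into OpenSSL's PRNG.

    Fails closed: on a platform with no usable randomness device
    os.urandom() raises NotImplementedError, which is propagated rather
    than papered over with the "bogus[64]" hack.  Returns bits credited.
    """
    nbytes = (nbits + 7) // 8
    seed = os.urandom(nbytes)          # raises if the OS cannot supply it
    # Second argument is the entropy estimate OpenSSL credits to the input.
    # Honest accounting is what makes RAND_status() meaningful.
    ssl.RAND_add(seed, float(nbytes * 8))
    return nbytes * 8


def mix_bogus_buffer():
    """Mimic the 'bogus' hack with honest accounting: 64 bytes, 0 bits.

    RAND_seed(buf, 64) credits all 512 bits, so the 128-bit check passes
    with no real unpredictability; RAND_add with 0.0 credits nothing.
    """
    ssl.RAND_add(bytes(64), 0.0)       # constructed stand-in for 'bogus'
    return 0


def ensure_prng_seeded():
    """Return True once OpenSSL reports its PRNG as seeded, seeding if needed."""
    if not ssl.RAND_status():
        seed_from_os()
    return bool(ssl.RAND_status())


def prng_self_check(n=16):
    """Pull n bytes from OpenSSL's PRNG; RAND_bytes raises if it is unseeded."""
    out = ssl.RAND_bytes(n)
    return len(out) == n and out != bytes(n)
```

Call ensure_prng_seeded() before the first SSL handshake; if it raises NotImplementedError the host has no usable entropy source and the connection should not be attempted.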

-------------------------------------------------------

For detailed info, follow this link:
http://sourceforge.net/bugs/?func=detailbug&bug_id=132460&group_id=5470