[Freedombox-pkg-team] Bug#1075997: pagekite: Fail with python 3.12 (AttributeError: module 'ssl' has no attribute 'wrap_socket')
Petter Reinholdtsen
pere at hungry.com
Tue Jul 9 08:13:59 BST 2024
Package: python3-socksipychain
Version: 2.1.2-1
Severity: important
The pagekite version in testing (1.5.2.201011-2.1) currently fails with
python 3.12 on Freedombox, with this error in the journald log:
juli 09 08:53:22 freedombox pagekite[592]: ts=668cde62;
t=2024-07-09T06:53:22; ll=dc; err=Error in connect: Traceback (most
recent call last): File
"/usr/lib/python3/dist-packages/sockschain/__init__.py", line 200, in
SSL_Connect fd = ssl.wrap_socket(sock, keyfile=ctx.privatekey_file,
^^^^^^^^^^^^^^^ AttributeError: module 'ssl' has no attribute
'wrap_socket' During handling of the above exception, another
exception occurred: Traceback (most recent call last): File
"/usr/lib/python3/dist-packages/pagekite/proto/conns.py", line 647, in
_BackEnd data, parse = self._Connect(server, conns)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File
"/usr/lib/python3/dist-packages/pagekite/proto/conns.py", line 466, in
_Connect self.fd.connect((sspec[0], int(sspec[1]))) File
"/usr/lib/python3/dist-packages/sockschain/__init__.py", line 1058, in
connect self.__negotiatessl(nexthop[0], nexthop[1], proxy, File
"/usr/lib/python3/dist-packages/sockschain/__init__.py", line 965, in
__negotiatessl self.__sock = SSL_Connect(ctx, self.__sock,
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File
"/usr/lib/python3/dist-packages/sockschain/__init__.py", line 209, in
SSL_Connect fd = ssl.wrap_socket(sock, keyfile=ctx.privatekey_file,
^^^^^^^^^^^^^^^ AttributeError: module 'ssl' has no attribute
'wrap_socket'
The problem seems to be caused by an upgrade to python 3.12, which states
in the list of news in
<URL: https://docs.python.org/3.12/whatsnew/3.12.html#ssl >:
* Remove the ssl.wrap_socket() function, deprecated in Python 3.7:
instead, create a ssl.SSLContext object and call its
ssl.SSLContext.wrap_socket method. Any package that still uses
ssl.wrap_socket() is broken and insecure. The function neither sends
a SNI TLS extension nor validates the server hostname. Code is
subject to CWE-295 (Improper Certificate Validation).
This issue might be related to https://bugs.debian.org/914931 (Fail to
connect to pagekite.me services with openssl installed) and
https://bugs.debian.org/863740 (Fail to connect to pagekite, claim
invalid ssl cert).
The problematic code from
/usr/lib/python3/dist-packages/sockschain/__init__.py currently looks
like this:
    def SSL_Connect(ctx, sock,
                    server_side=False, accepted=False, connected=False,
                    verify_names=None):
      if DEBUG: DEBUG('*** TLS is provided by native Python ssl')
      reqs = (verify_names and ssl.CERT_REQUIRED or ssl.CERT_NONE)
      try:
        fd = ssl.wrap_socket(sock, keyfile=ctx.privatekey_file,
                                   certfile=ctx.certchain_file,
                                   cert_reqs=reqs,
                                   ca_certs=ctx.ca_certs,
                                   do_handshake_on_connect=False,
                                   ssl_version=ctx.method,
                                   ciphers=ctx.ciphers,
                                   server_side=server_side)
      except:
        fd = ssl.wrap_socket(sock, keyfile=ctx.privatekey_file,
                                   certfile=ctx.certchain_file,
                                   cert_reqs=reqs,
                                   ca_certs=ctx.ca_certs,
                                   do_handshake_on_connect=False,
                                   ssl_version=ctx.method,
                                   server_side=server_side)
      if verify_names:
        fd.do_handshake()
        if not SSL_CheckPeerName(fd, verify_names):
          raise SSL.Error(('Cert not in %s (%s)'
                           ) % (verify_names, reqs))
      return fd
--
Happy hacking
Petter Reinholdtsen
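
Added example, not part of the original report and not the sockschain project's own code: one way the keyword arguments of the removed ssl.wrap_socket() call can be carried over to an ssl.SSLContext so that SNI is sent and the hostname is checked. The function names, the server_hostname parameter, the TLS 1.2 floor and the sample ctx object are assumptions made for illustration.

```python
import socket
import ssl
from types import SimpleNamespace


def make_context(ctx, server_side=False, verify_names=None, server_hostname=None):
    """Carry the keywords SSL_Connect gave ssl.wrap_socket() over to an SSLContext."""
    if server_side:
        context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # default: CERT_NONE
        if verify_names:
            context.verify_mode = ssl.CERT_REQUIRED        # require a client cert
    else:
        context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # default: CERT_REQUIRED
        # check_hostname must be cleared before verify_mode may drop to CERT_NONE.
        context.check_hostname = bool(verify_names and server_hostname)
        if not verify_names:
            # Same as the old cert_reqs=CERT_NONE path: the peer is not authenticated.
            context.verify_mode = ssl.CERT_NONE
    # Assumption: a TLS 1.2 floor stands in for the old ssl_version=ctx.method.
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    if verify_names:
        if ctx.ca_certs:
            context.load_verify_locations(cafile=ctx.ca_certs)
        else:
            context.load_default_certs()
    if ctx.certchain_file:
        context.load_cert_chain(ctx.certchain_file, ctx.privatekey_file)
    if ctx.ciphers:
        context.set_ciphers(ctx.ciphers)
    return context


def ssl_connect(ctx, sock, server_side=False, verify_names=None, server_hostname=None):
    """Wrap sock without handshaking; server_hostname (hypothetical) enables SNI."""
    context = make_context(ctx, server_side, verify_names, server_hostname)
    return context.wrap_socket(sock, server_side=server_side,
                               do_handshake_on_connect=False,
                               server_hostname=None if server_side else server_hostname)


if __name__ == "__main__":
    # Constructed sample: no key, cert, CA bundle or cipher override configured.
    ctx = SimpleNamespace(privatekey_file=None, certchain_file=None,
                          ca_certs=None, ciphers=None)
    fd = ssl_connect(ctx, socket.socket(), verify_names=["example.test"],
                     server_hostname="example.test")
    print(fd.context.verify_mode, fd.context.check_hostname, fd.server_hostname)
    fd.close()
```

When verify_names is set but no server_hostname is given, the chain is still validated and the peer name has to be checked by the caller after the handshake, as SSL_CheckPeerName does in the code above.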