Discussion:
Bug#843631: AttributeError: 'module' object has no attribute 'SSL_ST_INIT'
George B.
2016-11-08 12:35:52 UTC
Package: python-openssl
Version: 16.1.0-1
Severity: critical
Justification: breaks unrelated software

Hello,

I get the following exception when running my Ansible playbook. Looking
at the trace the error appears to be coming all the way from Python
OpenSSL library, so filing a bug here.

```
Traceback (most recent call last):
File "/usr/bin/ansible-playbook", line 92, in <module>
exit_code = cli.run()
File "/usr/lib/python2.7/dist-packages/ansible/cli/playbook.py",
line 154, in run
results = pbex.run()
File
"/usr/lib/python2.7/dist-packages/ansible/executor/playbook_executor.py",
line 81, in run
self._tqm.load_callbacks()
File
"/usr/lib/python2.7/dist-packages/ansible/executor/task_queue_manager.py",
line 171, in load_callbacks
for callback_plugin in
callback_loader.all(class_only=True):
File
"/usr/lib/python2.7/dist-packages/ansible/plugins/__init__.py",
line 368, in all
self._module_cache[path] =
self._load_module_source(name, path)
File
"/usr/lib/python2.7/dist-packages/ansible/plugins/__init__.py",
line 319, in _load_module_source
module = imp.load_source(name, path,
module_file)
File
"/usr/lib/python2.7/dist-packages/ansible/plugins/callback/hipchat.py",
line 32, in <module>
from ansible.module_utils.urls
import open_url
File
"/usr/lib/python2.7/dist-packages/ansible/module_utils/urls.py",
line 128, in <module>
from
urllib3.contrib.pyopenssl
import ssl_wrap_socket
File
"/usr/lib/python2.7/dist-packages/urllib3/contrib/pyopenssl.py",
line 54, in <module>
import OpenSSL.SSL
File
"/usr/lib/python2.7/dist-packages/OpenSSL/__init__.py",
line 8, in
<module>
from OpenSSL
import rand,
crypto, SSL
File
"/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py",
line 112,
in
<module>
SSL_ST_INIT
=
_lib.SSL_ST_INIT
AttributeError:
'module'
object
has no
attribute
'SSL_ST_INIT'u
```


Best regards,

George

-- System Information:
Debian Release: stretch/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.8.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages python-openssl depends on:
ii python-cryptography 1.5.3-1
ii python-six 1.10.0-3
pn python:any <none>

python-openssl recommends no packages.

Versions of packages python-openssl suggests:
pn python-openssl-dbg <none>
pn python-openssl-doc <none>

-- no debconf information
George B.
2016-11-08 13:27:20 UTC
affects 843631 ansible
thanks

Sorry for the paste indentation fail (the irony of this being a bug in
a python package is not lost on me...)

```
ERROR! Unexpected Exception: 'module' object has no attribute 'SSL_ST_INIT'
the full traceback was:

Traceback (most recent call last):
  File "/usr/bin/ansible-playbook", line 92, in <module>
    exit_code = cli.run()
  File "/usr/lib/python2.7/dist-packages/ansible/cli/playbook.py", line 154, in run
    results = pbex.run()
  File "/usr/lib/python2.7/dist-packages/ansible/executor/playbook_executor.py", line 81, in run
    self._tqm.load_callbacks()
  File "/usr/lib/python2.7/dist-packages/ansible/executor/task_queue_manager.py", line 171, in load_callbacks
    for callback_plugin in callback_loader.all(class_only=True):
  File "/usr/lib/python2.7/dist-packages/ansible/plugins/__init__.py", line 368, in all
    self._module_cache[path] = self._load_module_source(name, path)
  File "/usr/lib/python2.7/dist-packages/ansible/plugins/__init__.py", line 319, in _load_module_source
    module = imp.load_source(name, path, module_file)
  File "/usr/lib/python2.7/dist-packages/ansible/plugins/callback/hipchat.py", line 32, in <module>
    from ansible.module_utils.urls import open_url
  File "/usr/lib/python2.7/dist-packages/ansible/module_utils/urls.py", line 128, in <module>
    from urllib3.contrib.pyopenssl import ssl_wrap_socket
  File "/usr/lib/python2.7/dist-packages/urllib3/contrib/pyopenssl.py", line 54, in <module>
    import OpenSSL.SSL
  File "/usr/lib/python2.7/dist-packages/OpenSSL/__init__.py", line 8, in <module>
    from OpenSSL import rand, crypto, SSL
  File "/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 112, in <module>
    SSL_ST_INIT = _lib.SSL_ST_INIT
AttributeError: 'module' object has no attribute 'SSL_ST_INIT'
```


George
Sandro Tosi
2016-11-08 14:08:53 UTC
control: clone -1
control: reassign -1 python-cryptography
control: retitle -1 STOP BREAKING PYOPENSSL WHEN UPLOADING CRYPTOGRAPHY
Post by George B.
> from OpenSSL import rand, crypto, SSL
> File "/usr/lib/python2.7/dist-packages/OpenSSL/SSL.py", line 112, in <module>
> SSL_ST_INIT = _lib.SSL_ST_INIT
> AttributeError: 'module' object has no attribute 'SSL_ST_INIT'

_lib in SSL.py comes from _utils.lib, which is:

```
from cryptography.hazmat.bindings.openssl.binding import Binding

binding = Binding()
binding.init_static_locks()
ffi = binding.ffi
lib = binding.lib
```

and not surprisingly there was an update to python-cryptography
yesterday. my mirror still has the old version (1.5.2-1) and works
fine, you have installed 1.5.3-1 and it's broken. George, I'll try to
upgrade pyopenssl soon and that will hopefully fix this.

Tristan, this is the third or fourth time you updated
python-cryptography and broke pyopenssl. This has to stop. now. and
forever. You've proved you're unable to deal with cryptography without
causing a huge amount of issues to downstream packages, so learn to
test your reverse dependencies, even more in this case since
cryptography and pyopenssl are so tightly coupled, or orphan
cryptography and let a skillful maintainer pick it up.
--
Sandro "morph" Tosi
My website: http://sandrotosi.me/
Me at Debian: http://wiki.debian.org/SandroTosi
G+: https://plus.google.com/u/0/+SandroTosi
Sandro Tosi
2016-11-08 14:22:50 UTC
control: clone -1 -2
control: reassign -2 pyopenssl
control: retitle -2 AttributeError: 'module' object has no attribute 'SSL_ST_INIT'

gaah actually cloning
--
Sandro "morph" Tosi
My website: http://sandrotosi.me/
Me at Debian: http://wiki.debian.org/SandroTosi
G+: https://plus.google.com/u/0/+SandroTosi
Tristan Seligmann
2016-11-08 17:39:42 UTC
Hi Sandro,

I appreciate your frustration here, and as the maintainer of
python-cryptography of course I'm responsible when there are issues with
the package.

That said, I did actually test pyopenssl before uploading this version, and
it was working locally; in addition, the diff from 1.5.2 to 1.5.3 is almost
trivial (I've attached it for reference); the HKDF fix is a one line change
plus an added test, and the only other changes are bumping the version
number, so I'm still looking into the actual cause of the problem.

I think the mistake I made when testing locally was that I didn't update my
build chroot first; if the problem is related to newer build-dependencies
(eg. python-cffi) then that would explain why my local package does not
exhibit the problem while the one from the buildds does. (Of course this is
the result of rushing the 1.5.3 update; I do know better than to rush out a
"trivial" update, as these things often turn out to be less trivial than
assumed, but I felt there was some urgency to getting the new package into
unstable as the security issue is more likely to affect users there and I
guess I let this override my better judgement)

I will follow up again once I track down the root cause of the problem.
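
An added example, not part of the thread and not code from pyOpenSSL or python-cryptography: a reverse-dependency smoke check for the coupling discussed above, which lists the names a consumer module reads from the binding's `lib` object and reports the ones a freshly built binding does not expose, separating import-time failures (like `SSL_ST_INIT`) from call-time ones. `SAMPLE_SOURCE` and `StubLib` are constructed stand-ins; in practice the source would be the installed `OpenSSL/SSL.py` and the object the `lib` of the newly built package.

```python
import ast

# Constructed sample standing in for a consumer module such as OpenSSL/SSL.py;
# `_lib` is the alias seen in the traceback.
SAMPLE_SOURCE = '''
SSL_ST_INIT = _lib.SSL_ST_INIT
SSL_ST_MASK = _lib.SSL_ST_MASK

def version():
    return _lib.SSLeay_version(0)
'''


class StubLib(object):
    """Constructed stand-in for binding.lib that lacks SSL_ST_INIT."""
    SSL_ST_MASK = 0x0FFF

    @staticmethod
    def SSLeay_version(kind):
        return b"stub"


def lib_references(source, alias="_lib"):
    """Return (import_time, call_time) sets of names read as alias.<name>."""
    import_time, call_time = set(), set()
    deferred_types = (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)

    def walk(node, deferred):
        for child in ast.iter_child_nodes(node):
            if (isinstance(child, ast.Attribute)
                    and isinstance(child.value, ast.Name)
                    and child.value.id == alias):
                (call_time if deferred else import_time).add(child.attr)
            # Function and lambda bodies only run when called. Simplification:
            # their decorators and defaults are counted as call-time too.
            walk(child, deferred or isinstance(child, deferred_types))

    walk(ast.parse(source), False)
    return import_time, call_time


def missing_symbols(source, lib, alias="_lib"):
    """Names the module reads from lib that lib lacks, split by failure time."""
    import_time, call_time = lib_references(source, alias)
    return {
        "import_time": sorted(n for n in import_time if not hasattr(lib, n)),
        "call_time": sorted(n for n in call_time if not hasattr(lib, n)),
    }
```

A non-empty `import_time` list means every importer of the consumer module will fail at load, as ansible did here; running the check against the package built in an up-to-date chroot covers the case described in the last message.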