Question

I've just run into a bug in OpenSSL on Ubuntu 12.04 with TLS connections and I need to work around it. Bug brief: on Ubuntu 12.04 a bug in the OpenSSL implementation makes various calls to HTTPS with TLS 1.1 fail randomly.

The usual Python workaround is also provided at that link above, and it basically enforces TLS 1.0 instead of TLS 1.1. Yet that workaround doesn't work for me out of the box because I'm using the eventlet lib, which implements non-blocking HTTP requests.

As I understand it, the eventlet library redefines some classes related to the matter, in particular the httplib.HTTPSConnection class that I need to patch to enforce TLS 1.0.

So the question is: what exactly do I need to patch in eventlet, or what do I need to redefine, to enforce TLS 1.0 connections for non-blocking HTTP calls via eventlet?

Solution

First, you should upgrade eventlet. As of 2013-09, the latest release is 0.14 and a large number of bugs have been fixed since 0.9.16.

Second, the solution provided there is a bit too complicated and only fixes httplib. If they had provided a solution for ssl, it would also fix HTTPS and work with eventlet.

Here's a simpler version for Python 2.6+ that fixes all SSL sockets:

import functools
import ssl

# Keep a reference to the real constructor so the wrapper can delegate to it.
old_init = ssl.SSLSocket.__init__

@functools.wraps(old_init)
def ubuntu_openssl_bug_965371(self, *args, **kwargs):
    # Every SSLSocket in the process, including the ones eventlet wraps, is
    # built through this constructor (ssl.wrap_socket passes ssl_version as a
    # keyword), so overriding the keyword here pins them all to TLS 1.0.
    # PROTOCOL_TLSv1 negotiates nothing else: no TLS 1.1/1.2 and no SSLv3.
    kwargs['ssl_version'] = ssl.PROTOCOL_TLSv1
    old_init(self, *args, **kwargs)

# Install the patch before any HTTPS connection is opened.
ssl.SSLSocket.__init__ = ubuntu_openssl_bug_965371

I don't have access to a broken system right now, so I can't really test it. It does not break a good version of OpenSSL.
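
The answer's patch targets the Python 2.6/2.7 ssl module, where every SSLSocket is built through SSLSocket.__init__ and accepts an ssl_version keyword. On Python 3.7 and later SSLSocket can no longer be instantiated directly: sockets are wrapped through SSLContext.wrap_socket, so the equivalent process-wide hook sits there. The following is an added example, not code from the answer or from eventlet. It pins the negotiated version range instead of passing a fixed protocol constant, defaults to TLS 1.2 because TLS 1.0 (the question's target) is disabled at the default security level of current OpenSSL releases, and skips contexts created with a fixed-version protocol, which reject changes to minimum_version and maximum_version. It covers callers that wrap through SSLContext.wrap_socket (http.client, urllib and libraries that delegate to the stdlib context); where a given eventlet release creates its green sockets has to be checked against that release before relying on it there. The function names and the hostname example.invalid are the example's own.

```python
import functools
import socket
import ssl

# Example code, not from the answer or from eventlet: a Python 3 analogue of
# patching ssl.SSLSocket.__init__, hooked where modern sockets are wrapped.

# Default pin. TLS 1.0 (the question's target) is disabled at the default
# security level of current OpenSSL releases, so 1.2 stands in for it here.
DEFAULT_VERSION = ssl.TLSVersion.TLSv1_2

# Only auto-negotiating protocols allow minimum_version/maximum_version to be
# changed; a fixed-version protocol such as PROTOCOL_TLSv1_2 raises ValueError
# on assignment and is already pinned by construction.
_NEGOTIATING_PROTOCOLS = {
    ssl.PROTOCOL_TLS,
    ssl.PROTOCOL_TLS_CLIENT,
    ssl.PROTOCOL_TLS_SERVER,
}

_ORIGINAL_WRAP_SOCKET = ssl.SSLContext.wrap_socket
_pinned_version = None  # version currently forced; None while not installed


def pin_context(ctx, version):
    """Narrow ctx so it offers exactly `version`; True if a change was made."""
    if ctx.protocol not in _NEGOTIATING_PROTOCOLS:
        return False
    ctx.minimum_version = version
    ctx.maximum_version = version
    return True


def install(version=DEFAULT_VERSION):
    """Hook SSLContext.wrap_socket process-wide.

    Every socket wrapped through the stdlib context afterwards is pinned
    just before its handshake. Calling install() again only updates the
    version; the hook is never stacked on top of itself.
    """
    global _pinned_version
    _pinned_version = version
    if is_installed():
        return

    @functools.wraps(_ORIGINAL_WRAP_SOCKET)
    def pinned_wrap_socket(self, sock, *args, **kwargs):
        pin_context(self, _pinned_version)
        return _ORIGINAL_WRAP_SOCKET(self, sock, *args, **kwargs)

    ssl.SSLContext.wrap_socket = pinned_wrap_socket


def uninstall():
    """Restore the stock wrap_socket; contexts already pinned stay pinned."""
    global _pinned_version
    ssl.SSLContext.wrap_socket = _ORIGINAL_WRAP_SOCKET
    _pinned_version = None


def is_installed():
    return ssl.SSLContext.wrap_socket is not _ORIGINAL_WRAP_SOCKET


def negotiated_range(version=DEFAULT_VERSION):
    """Self-check: build a client context the way application code would,
    wrap an unconnected socket (nothing is sent) and report the
    (minimum, maximum) range that socket would offer in its ClientHello."""
    install(version)
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        # example.invalid is a constructed hostname; wrapping an unconnected
        # socket never resolves or contacts it.
        with socket.socket() as raw, ctx.wrap_socket(
            raw, server_hostname="example.invalid"
        ) as tls:
            return (tls.context.minimum_version, tls.context.maximum_version)
    finally:
        uninstall()


if __name__ == "__main__":
    print(negotiated_range())
```

Keep the hook installed only while the broken peer is in play: a process-wide pin also stops every other connection from negotiating anything newer, which is the same downgrade the original PROTOCOL_TLSv1 workaround imposed, and uninstall() does not widen contexts that were already pinned.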

OTHER TIPS

A simple fix that worked for me was to override SSL's default protocol:

import ssl

# Rebind the module-level constant so that code looking up
# ssl.PROTOCOL_SSLv23 at call time gets PROTOCOL_TLSv1 instead;
# default arguments already bound when ssl was imported are unaffected.
ssl.PROTOCOL_SSLv23 = ssl.PROTOCOL_TLSv1

Licensed under: CC-BY-SA with attribution