salt-ssh: ssl.SSLError: unknown error (_ssl.c:2788)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
salt (Debian) | Fix Released | Unknown | |
salt (Ubuntu) | Incomplete | Undecided | Unassigned |
Bug Description
See also https:/
As per the Debian bug, importing the module directly or running the problematic code in the Python interpreter works fine.
On debugging, I found another error reproducible with the following:
---
>>> import ssl
>>> if ssl is not None:
... # Note that the naming of ssl.Purpose is confusing; the purpose
... # of a context is to authentiate the opposite side of the connection.
... _client_
... ssl.Purpose.
... _server_
... ssl.Purpose.
... if hasattr(ssl, 'OP_NO_
... # See netutil.
... _client_
... _server_
...
>>> import salt.utils.rsax931
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/
libcrypto = _init_libcrypto()
File "/usr/lib/
raise OSError("Failed to initialize OpenSSL library (OPENSSL_
OSError: Failed to initialize OpenSSL library (OPENSSL_
---
I found an upstream bug (https:/
https:/
Back to the original error, this is a minimal test for it.
---
>>> from ctypes import cdll
>>> libcrypto = cdll.LoadLibrar
>>> libcrypto.
1
>>> import ssl
>>> ssl.create_
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/
context = SSLContext(
File "/usr/lib/
self = _SSLContext.
ssl.SSLError: unknown error (_ssl.c:2788)
---
If you reverse the ssl and libcrypto parts, OPENSSL_init_crypto instead returns zero. So the underlying problem is the order in which imports are done. Tornado (ergo ssl) _must_ be imported first, before the libcrypto library loading in salt is run; otherwise the program dies.
I couldn't see any specific fix in salt relating to this error; however, the package version (2017.7.4+dfsg1-1) is sorely out of date with the current release (2018.3.x). Maybe this new version fixes this indirectly with some import refactorings.
ProblemType: Bug
DistroRelease: Ubuntu 18.10
Package: salt-ssh 2017.7.4+dfsg1-1
ProcVersionSign
Uname: Linux 4.18.0-12-generic x86_64
ApportVersion: 2.20.10-0ubuntu13.1
Architecture: amd64
CurrentDesktop: pop:GNOME
Date: Fri Dec 21 12:17:09 2018
PackageArchitec
SourcePackage: salt
UpgradeStatus: Upgraded to cosmic on 2018-12-02 (18 days ago)
Changed in salt (Debian): status: Unknown → Fix Released
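An added example, not part of the original report or of salt's code: a probe that runs the two load orders from the bug description in fresh interpreters and reports whether `ssl.create_default_context()` still works in each. The `OPENSSL_init_crypto` option bits come from OpenSSL's `crypto.h` and are an assumption, since the call in the report is truncated; `probe` and `compare_orders` are hypothetical names.

```python
import subprocess
import sys

# Child script: performs the named steps in the order given on its command line.
CHILD = r'''
import sys, ctypes, ctypes.util

# Option bits from OpenSSL's crypto.h (assumed; the report's call is truncated):
# NO_LOAD_CONFIG | ADD_ALL_CIPHERS | ADD_ALL_DIGESTS
OPTS = 0x80 | 0x04 | 0x08

def finish(outcome):
    print(outcome)
    sys.exit(0)

def load_crypto():
    path = ctypes.util.find_library("crypto")
    if path is None:
        finish("no-libcrypto")
    init = getattr(ctypes.CDLL(path), "OPENSSL_init_crypto", None)
    if init is None:  # symbol only exists in OpenSSL 1.1.0 and later
        finish("no-init-symbol")
    init.argtypes = [ctypes.c_uint64, ctypes.c_void_p]
    init.restype = ctypes.c_int
    init(OPTS, None)

def use_ssl():
    import ssl
    try:
        ssl.create_default_context()
    except ssl.SSLError:
        finish("ssl-error")

steps = {"crypto": load_crypto, "ssl": use_ssl}
for name in sys.argv[1:]:
    steps[name]()
finish("ok")
'''

def probe(order):
    """Run the steps in a fresh interpreter and return its one-word outcome."""
    proc = subprocess.run([sys.executable, "-c", CHILD, *order],
                          capture_output=True, text=True, timeout=60)
    words = proc.stdout.split()
    return words[-1] if proc.returncode == 0 and words else "crashed"

def compare_orders():
    """Outcome for each load order; process state is not shared between runs."""
    return {"ssl-first": probe(["ssl", "crypto"]),
            "crypto-first": probe(["crypto", "ssl"])}

if __name__ == "__main__":
    for label, outcome in compare_orders().items():
        print(f"{label}: {outcome}")
```

On a host affected as the report describes, `crypto-first` reports `ssl-error` while `ssl-first` reports `ok`.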
One possible cause might be the tornado package itself.
Upstream salt has the following dependency requirements.
---
tornado>=4.2.1, <6.0; python_version < '3'
tornado>=4.2.1, <5.0; python_version >= '3.4'
---
However, the tornado package maintainer pushed the untested/unsupported version 5.0.2-1build1 into the cosmic release.