Issue1688

classification
Title: xmlrpclib client fails to XML RPC server over ssl
Type: behaviour Severity: normal
Components: Library Versions: 2.5.2rc
Milestone:
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: amak Nosy List: amak, public.marvin
Priority: Keywords:

Created on 2010-12-17.05:15:24 by public.marvin, last changed 2012-03-29.19:10:08 by amak.

Files
File name Uploaded Description Edit Remove
sslxmlrpclibserver.py public.marvin, 2010-12-17.15:19:32 sample xmlrpc server, in python
xmltest.py public.marvin, 2010-12-17.15:20:30
server.key public.marvin, 2010-12-17.15:30:48
server.crt public.marvin, 2010-12-17.15:31:10
Messages
msg6282 (view) Author: marvin greenberg (public.marvin) Date: 2010-12-17.05:15:23
A small example shows the failure.  Of course this requires an xml server to be running and using ssl, which is more work than I can do now to set up for this issue.  This may be related to http://bugs.jython.org/issue1152612.

xmltest.py:
import xmlrpclib
sp = xmlrpclib.ServerProxy('https://localhost:9999/v2/xmlrpc')
print sp.repo.authenticate('test','test')

bash-3.2$ python xmltest.py 
python xmltest.py 
<prints an authentication token>
bash-3.2$ jython xmltest.py 
jython xmltest.py 
Traceback (most recent call last):
  File "xmltest.py", line 3, in <module>
    print sp.repo.authenticate('test','test')
  File "/private/tmp/Build/TENA_MIDDLEWARE/install/TENA/eclipse/plugins/org.jython_2.5.2/Lib/xmlrpclib.py", line 1147, in __call__
    return self.__send(self.__name, args)
  File "/private/tmp/Build/TENA_MIDDLEWARE/install/TENA/eclipse/plugins/org.jython_2.5.2/Lib/xmlrpclib.py", line 1433, in _ServerProxy__request
    response = self.__transport.request(
  File "/private/tmp/Build/TENA_MIDDLEWARE/install/TENA/eclipse/plugins/org.jython_2.5.2/Lib/xmlrpclib.py", line 1183, in request
    self.send_content(h, request_body)
  File "/private/tmp/Build/TENA_MIDDLEWARE/install/TENA/eclipse/plugins/org.jython_2.5.2/Lib/xmlrpclib.py", line 1297, in send_content
    connection.endheaders()
  File "/private/tmp/Build/TENA_MIDDLEWARE/install/TENA/eclipse/plugins/org.jython_2.5.2/Lib/httplib.py", line 860, in endheaders
    self._send_output()
  File "/private/tmp/Build/TENA_MIDDLEWARE/install/TENA/eclipse/plugins/org.jython_2.5.2/Lib/httplib.py", line 732, in _send_output
    self.send(msg)
  File "/private/tmp/Build/TENA_MIDDLEWARE/install/TENA/eclipse/plugins/org.jython_2.5.2/Lib/httplib.py", line 699, in send
    self.connect()
  File "/private/tmp/Build/TENA_MIDDLEWARE/install/TENA/eclipse/plugins/org.jython_2.5.2/Lib/httplib.py", line 1135, in connect
    ssl = socket.ssl(sock, self.key_file, self.cert_file)
  File "/private/tmp/Build/TENA_MIDDLEWARE/install/TENA/eclipse/plugins/org.jython_2.5.2/Lib/socket.py", line 1487, in ssl
    return _realssl(sock, keyfile, certfile)
  File "/private/tmp/Build/TENA_MIDDLEWARE/install/TENA/eclipse/plugins/org.jython_2.5.2/Lib/socket.py", line 1436, in __init__
    raise _map_exception(jlx)
socket.sslerror: (-1, 'SSL handshake exception')
bash-3.2$ jython -V; python -V
Jython 2.5.2rc2
Python 2.6.1
msg6283 (view) Author: marvin greenberg (public.marvin) Date: 2010-12-17.15:19:32
OK, here's an ssl python server with some dummy self signed certs that demonstrates the complete problem for the jython client.

Use attached xmltest.py.  python xmltest.py works.  jython xmltest.py fails.  Server is based on activestate recipe.
msg6284 (view) Author: marvin greenberg (public.marvin) Date: 2010-12-17.15:20:30
modified xmltest.py to talk to sslxmlrpclibserver.py
msg6285 (view) Author: marvin greenberg (public.marvin) Date: 2010-12-17.15:30:48
key file for use with sslxmlrpclibserver.py
msg6286 (view) Author: marvin greenberg (public.marvin) Date: 2010-12-17.15:31:10
cert file for use with sslxmlrpclibserver.py
msg6287 (view) Author: marvin greenberg (public.marvin) Date: 2010-12-18.13:40:26
Same problem whether server side is java or python
msg6844 (view) Author: Alan Kennedy (amak) Date: 2012-03-19.19:50:55
> "Same problem whether server side is java or python"

Are you saying that your server does not work in cpython?

Jython does not support server side SSL, only client side. Any attempt to make it work will fail.
msg6905 (view) Author: marvin greenberg (public.marvin) Date: 2012-03-20.01:03:26
I am saying that the jython CLIENT xmltest.py failed, when connecting to the server sslxmlrpclibserver.py (whether the server was run under cpython or jython).  Apparently you are saying that SSL servers from jython do not work, <sigh>, but irrelevant.
msg6933 (view) Author: Alan Kennedy (amak) Date: 2012-03-20.21:02:54
> Apparently you are saying that SSL servers from jython do not work, <sigh>, but irrelevant.

Yes that's true. Patches are welcome.

> I am saying that the jython CLIENT xmltest.py failed, when connecting to the server sslxmlrpclibserver.py

This is your jython client code

# ------------------
import xmlrpclib

server = xmlrpclib.ServerProxy('https://localhost:8443')
print server.add(1,2)
print server.div(10,4)
# ------------------

I see no code for managing certificates?

Jython is not like cpython. Cpython does not verify the chain of trust for server certificates. Jython does verify the chain of trust, and will refuse to open the connection if it cannot verify the server.

So you have two options.

1. Disable certificate checking on jython

http://jython.xhaus.com/installing-an-all-trusting-security-provider-on-java-and-jython/
http://tech.pedersen-live.com/2010/10/trusting-all-certificates-in-jython/

2. Add your (self-signed?) certificate to your local java trust store, so that your client will trust your server.

Google("java install self-signed certificate")
msg6950 (view) Author: marvin greenberg (public.marvin) Date: 2012-03-21.15:13:45
OK.  Closing the case seems fine to me.  (as an aside, <sigh> was not about a missing capability, but about how hard it can be to find the differences between jython and cpython.  but, I don't mean to be an annoying whining user...)
msg6977 (view) Author: Alan Kennedy (amak) Date: 2012-03-29.18:16:26
Closing the case in agreement with the submitter.

Noted that the documentation could be more up-to-date. We are moving to a new documentation system with 2.7, which will hopefully improve this situation.

Also, I am going to add documentation link to the exception for "SSL Handshake Error", which otherwise might be confusing to those less familiar with java networking.
msg6980 (view) Author: Alan Kennedy (amak) Date: 2012-03-29.19:10:08
Documentation link added to SSL exception messages

http://hg.python.org/jython/rev/29a0cbeffdbd
http://hg.python.org/jython/rev/e92d8b276f06
History
Date User Action Args
2012-03-29 19:10:08amaksetmessages: + msg6980
2012-03-29 18:16:26amaksetstatus: open -> closed
resolution: fixed
messages: + msg6977
2012-03-21 15:13:45public.marvinsetmessages: + msg6950
2012-03-20 21:02:54amaksetmessages: + msg6933
2012-03-20 01:03:26public.marvinsetmessages: + msg6905
2012-03-19 19:50:55amaksetassignee: amak
messages: + msg6844
nosy: + amak
2010-12-18 13:40:26public.marvinsetmessages: + msg6287
title: xmlrpclib client fails to Java XML RPC server over ssl -> xmlrpclib client fails to XML RPC server over ssl
2010-12-17 15:31:10public.marvinsetfiles: + server.crt
messages: + msg6286
2010-12-17 15:30:48public.marvinsetfiles: + server.key
messages: + msg6285
2010-12-17 15:20:30public.marvinsetfiles: + xmltest.py
messages: + msg6284
2010-12-17 15:19:33public.marvinsetfiles: + sslxmlrpclibserver.py
messages: + msg6283
2010-12-17 05:15:24public.marvincreate