Issue2614

classification
Title: "SSLError: [Errno 1] Illegal state exception" error message while using jython 2.7.0 standalone jar
Type: security Severity: critical
Components: Installer Versions: Jython 2.7
Milestone: Jython 2.7.0
process
Status: pending Resolution: invalid
Dependencies: Superseder:
Assigned To: Nosy List: Neha, stefan.richthofer, zyasoft
Priority: Keywords:

Created on 2017-08-08.07:28:07 by Neha, last changed 2017-09-13.17:40:45 by zyasoft.

Messages
msg11527 (view) Author: Neha Pithadiya (Neha) Date: 2017-08-08.07:28:06
jython-standalone-2.7.0 jar execution is causing issue in our project. This lib is being used in our project SCCM i.e java project to execute some of the python scripts. The script execution is failing frequently giving error message "illegal state exception". Not able to understand what can be issue. I think that error is being thrown from jython code.  The old version of this jar was not causing issue. After upgrading to jython 2.7 standalone jar, this issue is being observed very frequently.
msg11528 (view) Author: Stefan Richthofer (stefan.richthofer) Date: 2017-08-08.10:13:15
Neha, please provide more information.
- How does the project use/embedd/access jython-standalone?
- the full stacktrace
- if possible: Code to reproduce the issue
- What platform are you on?

That said, please check out Jython 2.7.1 and report if the issue still occurs.
msg11529 (view) Author: Neha Pithadiya (Neha) Date: 2017-08-09.06:07:01
- How does the project use/embedd/access jython-standalone?
We have created a few scripts which use the python scripts from the jython-2.7.0-standalone.jar
We are using the python utilities httplib, xml.etree.ElementTree as xmltree, urlparse, pprint, types, getopt, re, shutil.
These are utilized for reading the data using the OSLC API.


- the full stacktrace
Log Trace-
Traceback (most recent call last):
  File "<console>", line 2, in <module>
  File "/opt/ibm/sccm/bin/sccm/dataSources.py", line 319, in createMessageBrokerDataSource
    return self.__createDataSource(messageBrokerDataSource, attrs)
  File "/opt/ibm/sccm/bin/sccm/dataSources.py", line 302, in _dataSources__createDataSource
    self.refresh()
  File "/opt/ibm/sccm/bin/sccm/dataSources.py", line 272, in refresh
    conn.request('GET', '/sccmOslc/dataSources?oslc_ua.action=RefreshRegistry', headers=headers)
  File "/opt/ibm/sccm/lib/jython-standalone-2.7.0.jar/Lib/httplib.py", line 1001, in request
    self._send_request(method, url, body, headers)
  File "/opt/ibm/sccm/lib/jython-standalone-2.7.0.jar/Lib/httplib.py", line 1035, in _send_request
    self.endheaders(body)
  File "/opt/ibm/sccm/lib/jython-standalone-2.7.0.jar/Lib/httplib.py", line 997, in endheaders
    self._send_output(message_body)
  File "/opt/ibm/sccm/lib/jython-standalone-2.7.0.jar/Lib/httplib.py", line 850, in _send_output
    self.send(msg)
  File "/opt/ibm/sccm/lib/jython-standalone-2.7.0.jar/Lib/httplib.py", line 812, in send
    self.connect()
  File "/opt/ibm/sccm/lib/jython-standalone-2.7.0.jar/Lib/httplib.py", line 1204, in connect
    self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file)
  File "/opt/ibm/sccm/lib/jython-standalone-2.7.0.jar/Lib/_socket.py", line 357, in handle_exception
    return method_or_function(*args, **kwargs)
  File "/opt/ibm/sccm/lib/jython-standalone-2.7.0.jar/Lib/_socket.py", line 357, in handle_exception
    return method_or_function(*args, **kwargs)
  File "/opt/ibm/sccm/lib/jython-standalone-2.7.0.jar/Lib/ssl.py", line 287, in wrap_socket
    return SSLSocket(
  File "/opt/ibm/sccm/lib/jython-standalone-2.7.0.jar/Lib/ssl.py", line 116, in __init__
    self.do_handshake()
  File "/opt/ibm/sccm/lib/jython-standalone-2.7.0.jar/Lib/ssl.py", line 165, in do_handshake
    raise SSLError(SSL_ERROR_SSL, e.strerror)
SSLError: [Errno 1] Illegal state exception
 

- if possible: Code to reproduce the issue
Below is one of the code snippet, however we cannot share the complete code-
def _action(self, action, silent, method='GET'):
                (conn, headers) = restConnection()
                url = '/sccmOslc/dataSources/' + self.type + '/' + self.identifier + '?oslc_ua.action=' + action
                headers['Content-Type'] = 'application/xml'
                conn.request(method, url, headers=headers)
                response = conn.getresponse()
                if response.status == 200:
                        return True
                if silent == False:
                        tree = xmltree.fromstring(response.read())
                        print str(response.status) + ': ' + tree[0].find('{http://purl.org/dc/terms/}title').text
                        print tree[0].find('{http://purl.org/dc/terms/}description').text
                return False


                
- What platform are you on?
We are using the RHEL 7.2 and 7.3 systems.
 
We would also like to point out the following-
- This issue is not seen in the jython-2.5.3-standalone.jar, but is seen very frequently in the jython 2.7.0 jar.
- We saw the below post on StackOverflow, but did not find the jython 2.7.1 version of the jar on jython.org
 
Could you share the download link for the same?

Thanks 
Neha Pithadiya.
msg11530 (view) Author: Stefan Richthofer (stefan.richthofer) Date: 2017-08-09.09:45:40
This seems to be ssl related, so adding Jim to nosy...
What JVM are you using? The path contains "ibm" folders, so I guess it is IBM J9...?
Find some download links for Jython 2.7.1 here: http://fwierzbicki.blogspot.de/2017/07/jython-271-final-released.html

Netty and various third party libs were updated, so this could definitely make a difference.

Unfortunately I self cannot help on this issue right now. Just wanted to make sure that all necessary information is logged here for further steps.
msg11531 (view) Author: Neha Pithadiya (Neha) Date: 2017-08-09.10:04:59
we use IBM java SDK 8.0.4.2
msg11532 (view) Author: Neha Pithadiya (Neha) Date: 2017-08-09.10:06:13
This issue is very critical as it is breaking  some of our project functionality.
msg11533 (view) Author: Neha Pithadiya (Neha) Date: 2017-08-09.10:44:10
Tried with jython-standalone-2.7.1.jar ,  and found below error:-

certificate verify failed (javax.net.ssl.SSLHandshakeException: General SSLEngine problem) (1)
msg11534 (view) Author: Neha Pithadiya (Neha) Date: 2017-08-17.06:26:03
This issue is critical. Any update on this? 

Thanks in advance
Neha Pithadiya.
msg11535 (view) Author: Stefan Richthofer (stefan.richthofer) Date: 2017-08-17.08:08:29
Did you try something like in the top answer in https://stackoverflow.com/questions/6659360/how-to-solve-javax-net-ssl-sslhandshakeexception-error
?

Maybe some updates of our third party libs (bouncycastle, netty) invalidated some of your certificates, which could explain why it worked in earlier Jython versions.
So far, everything I found about the error you describe, suggests that it's not a Jython issue, but that you should revisit your security configuration.
msg11536 (view) Author: Neha Pithadiya (Neha) Date: 2017-08-17.08:41:10
It seems that the solution provided in stackoverflow link is for jython-standlaone-2.7.1 jar issue. 

But we are using jython-standalone-2.7.0 jar where issue is not related to certificates. The error is "SSLError: [Errno 1] Illegal state exception" 
Something similar to ssl error. 

Also do you mean that, in both the jars(2.7.0 and 2.7.1) same libs were updated so that root cause is same for both the jars.
msg11537 (view) Author: Neha Pithadiya (Neha) Date: 2017-08-17.08:49:48
Also I am not understanding which security configuration you talking about? 
I can say that our product uses IBM java-1.8 , WAS(websphere application server) liberty 16.0.0.4 server and IBM DB2 8.5.7 components. Also does it mean that this components are not supported with jython jar?

Can you provide us some workaround or solution to fix this issue?

Also are there any workaround on python code.?
msg11538 (view) Author: Neha Pithadiya (Neha) Date: 2017-08-17.09:28:31
Also one thing , could you provide jython ssl certificate to add in our keystore so that handshake is enabled. 

Thanks in advance
Neha
msg11539 (view) Author: Stefan Richthofer (stefan.richthofer) Date: 2017-08-17.11:32:34
Neha,
up to my knowledge Jython out-sources SSL handling. I don't know the details, but JVM's builtin SSL support, bouncy castle and eventually netty (that's more about sockets) do the job.
These libs were frequently updated between 2.5.x, 2.7.0 and 2.7.1. Maybe some of these components has kind of internal default trust store that accepted your certificates once, but not in the current version.

Anyway, that's just a guess. I am not an expert in SSL handling as of this writing, so I cannot really help here.

I'd strongly suggest to focus on the Jython 2.7.1 issue only. It is unlikely that anything will get fixed in Jython 2.7.0. Additionally, the 2.7.1 variant seems to be the most promising.

Please check if the procedure from the stack overflow link works with Jython 2.7.1.

> which security configuration you talking about

It looks like some certificate is missing or outdated in your JVM's trust store. With configuration I meant the setup of your JVM trust store.

> could you provide jython ssl certificate to add in our keystore?

I thought, only websites/servers and clients provide certificates. What do you mean by jython ssl? How would I provide one?
I think you would somehow generate  one for your application.
msg11594 (view) Author: Jim Baker (zyasoft) Date: 2017-09-13.17:40:44
There will be no updates to 2.7.0, that is no 2.7.0.x releases, but regressions can be fixed in 2.7.2 (or later).

I don't see anything in here other that can be reproduced. Marking as invalid unless we can get a reproducible test case.
History
Date User Action Args
2017-09-13 17:40:45zyasoftsetstatus: open -> pending
resolution: invalid
messages: + msg11594
2017-08-17 11:32:34stefan.richthofersetmessages: + msg11539
2017-08-17 09:28:31Nehasetmessages: + msg11538
2017-08-17 08:49:48Nehasetmessages: + msg11537
2017-08-17 08:41:10Nehasetmessages: + msg11536
2017-08-17 08:08:30stefan.richthofersetmessages: + msg11535
2017-08-17 06:26:04Nehasetmessages: + msg11534
2017-08-09 10:44:10Nehasetmessages: + msg11533
2017-08-09 10:06:13Nehasetmessages: + msg11532
2017-08-09 10:04:59Nehasetmessages: + msg11531
2017-08-09 09:45:41stefan.richthofersetnosy: + zyasoft
messages: + msg11530
title: "Illegal state exception" error message while using jython 2.7.0 standalone jar -> "SSLError: [Errno 1] Illegal state exception" error message while using jython 2.7.0 standalone jar
2017-08-09 06:07:02Nehasetmessages: + msg11529
2017-08-08 10:13:15stefan.richthofersetnosy: + stefan.richthofer
messages: + msg11528
title: "Illegal state exception " error message while using jython 2.7.0. standalone jar . -> "Illegal state exception" error message while using jython 2.7.0 standalone jar
2017-08-08 07:32:39Nehasetcomponents: + Installer, - Core
2017-08-08 07:28:07Nehacreate