Ross, Jonathan, I was the guilty one who put in the log line, since I had to debug the new SSL code, which can optionally check for a client-submitted X.509 cert. I left it there because IMHO the try/except/pass pattern can be dangerous and hide serious low-level errors. The specific matter seems to point to an error happening only on certain Python and/or OpenSSL version combinations. *It seems harmless*. What I can suggest is trying to upgrade to the latest OpenSSL major version and Python minor version and seeing whether the problem persists. It does not depend on Web2Py as far as I can see.
In any case, even if it is clear that the error was there before but hidden, it must be addressed because it is related to the security and integrity of the transmitted data.

mic

2011/9/26 Jonathan Lundell <jlund...@pobox.com>:
> On Sep 26, 2011, at 8:27 AM, Ross Peoples wrote:
>
>> It was the admin application, which should be using HTTPS when you access it
>> over HTTPS, right? I just tried with a test app and the same thing happens.
>>
>> I commented out line 518 in rocket.py and that silences the errors, but is
>> that a good thing?
>
> I don't know. I looked at the recent changes in rocket.py, and the addition
> of that log line is the only change that I can see that looks relevant if
> you're not using a client certificate. Notice the (existing) comment:
>
>     except SSLError:
>         # Generally this happens when an HTTP request is received on a
>         # secure socket. We don't do anything because it will be detected
>         # by Worker and dealt with appropriately.
>         self.err_log.error('SSL Error: %s' % traceback.format_exc())   <<<<<-- this was added
>         pass
>
> It may well be that the lack of a log here was hiding *other* errors that we
> ought to know about.
>
> There is actually one other block of new code:
>
>     if conn.ssl:
>         try:
>             peercert = conn.socket.getpeercert(binary_form=True)
>             environ['SSL_CLIENT_RAW_CERT'] = \
>                 peercert and ssl.DER_cert_to_PEM_cert(peercert)
>         except Exception,e:
>             print e
>
> The cert is being captured for use by the X509 code. Looks harmless, and
> you're not getting that exception.
>
>> There might be another problem here. I just checked the traffic going to my
>> test app and all requested files (including the static ones) are requested
>> over HTTPS, however, Google Chrome has disabled my JavaScript because "This
>> page has insecure content". All the static files are loaded locally (I'm not
>> using a CDN or anything). So are the files getting returned to the browser
>> over HTTP instead of HTTPS or something and that's why the rocket error was
>> happening?
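As an added example (my own code, not from this thread and not Rocket's or web2py's): a small Python 3 front end that handles the case Rocket's comment describes, a plaintext HTTP request arriving on the TLS port, explicitly instead of with a blanket `except SSLError: pass`, logs every other handshake failure with its OpenSSL reason, and fills `SSL_CLIENT_RAW_CERT` from the raw peer certificate the way the quoted rocket.py snippet does. The function names, the peek-before-handshake approach, and the sample bytes are assumptions of mine; only `ssl.SSLError.reason`, `getpeercert(binary_form=True)`, `ssl.DER_cert_to_PEM_cert` and `socket.MSG_PEEK` are standard-library behaviour.

```python
# Added example, not from the thread or from Rocket/web2py. Python 3 stdlib only.
import logging
import socket
import ssl

log = logging.getLogger("tls-front")

# Request-line prefixes that mark a plaintext HTTP request on the TLS port.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"TRACE ", b"CONNECT ")


def classify_first_bytes(data):
    """Classify the first bytes seen on an accepted socket.

    'tls'     -> TLS record header: content type 0x16 (handshake), major
                 version byte 0x03 (SSL3 and every TLS version use it)
    'http'    -> plaintext HTTP request line
    'unknown' -> anything else; let the TLS handshake produce the error
    """
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def is_plain_http_error(exc):
    """True when OpenSSL itself reports a plaintext HTTP request on the TLS
    socket (reason HTTP_REQUEST / HTTPS_PROXY_REQUEST). That is the one
    SSLError Rocket's comment calls expected; anything else deserves a log."""
    return getattr(exc, "reason", None) in ("HTTP_REQUEST", "HTTPS_PROXY_REQUEST")


def add_client_cert(environ, der_cert):
    """Fill SSL_CLIENT_RAW_CERT (the key from the quoted rocket.py snippet)
    from the result of getpeercert(binary_form=True).

    None/empty means the client presented no certificate, so the key is left
    out rather than set to a falsy value. DER_cert_to_PEM_cert only
    re-encodes; the certificate was verified (or not) during the handshake
    according to the context's verify_mode and CA settings."""
    if der_cert:
        environ["SSL_CLIENT_RAW_CERT"] = ssl.DER_cert_to_PEM_cert(der_cert)
    return environ


def _peer(sock):
    try:
        return sock.getpeername()
    except OSError:
        return "?"


def accept_tls(raw_sock, ctx):
    """Turn an accepted socket into a TLS socket, or return None.

    Plaintext HTTP is detected before the handshake (MSG_PEEK leaves the bytes
    in the socket) and answered with a 400. Every SSLError raised by the
    handshake is logged with its reason: exactly the information that a bare
    `except SSLError: pass` throws away.
    """
    try:
        first = raw_sock.recv(8, socket.MSG_PEEK)
    except OSError:
        first = b""
    if classify_first_bytes(first) == "http":
        log.info("plaintext HTTP on TLS port from %s", _peer(raw_sock))
        raw_sock.recv(65536)  # drain what the client sent so close() does not RST
        raw_sock.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n"
                         b"Content-Length: 0\r\n\r\n")
        raw_sock.close()
        return None
    try:
        return ctx.wrap_socket(raw_sock, server_side=True)
    except ssl.SSLError as e:
        if is_plain_http_error(e):
            log.info("plaintext HTTP on TLS port from %s (OpenSSL report)", _peer(raw_sock))
        else:
            log.error("TLS handshake failed from %s: %s", _peer(raw_sock), e)
        raw_sock.close()
        return None


if __name__ == "__main__":
    # Constructed demo: a socketpair stands in for an accepted TCP connection.
    logging.basicConfig(level=logging.INFO)
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)  # no cert loaded; never reached for HTTP
    srv, cli = socket.socketpair()
    cli.sendall(b"GET / HTTP/1.1\r\nHost: localhost\r\n\r\n")
    print(accept_tls(srv, ctx))          # None, the client gets a 400
    print(cli.recv(4096).split(b"\r\n")[0])
```

In a real server the context would have `load_cert_chain()` and, for the client-certificate case from the thread, `verify_mode = ssl.CERT_OPTIONAL` plus `load_verify_locations()`; `add_client_cert(environ, tls_sock.getpeercert(binary_form=True))` then runs after a successful `accept_tls`.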