RC5: Python SSL Broken /DNS-320LV1

snable snable

unread,

Jun 26, 2016, 11:50:08 AM6/26/16

to Alt-F

[root@datenspeicher]# ipkg install pycrypto

Installing pycrypto (2.6.1) to /Alt-F...

Downloading http://sourceforge.net/projects/alt-f/files/pkgs/unstable/pycrypto_2.6.1_arm.ipk

Configuring pycrypto

Configuring python

Downloading pip...

--2016-06-26 17:48:21-- https://bootstrap.pypa.io/get-pip.py

Resolving bootstrap.pypa.io... 185.31.17.175

Connecting to bootstrap.pypa.io|185.31.17.175|:443... connected.

HTTP request sent, awaiting response... 200 OK

Length: 1524722 (1.5M) [text/x-python]

Saving to: '/tmp/get-pip.py.1'

0K ........ ........ ....... 100% 2.04M=0.7s

2016-06-26 17:48:22 (2.04 MB/s) - '/tmp/get-pip.py.1' saved [1524722/1524722]

Installing pip, please wait... python: can't resolve symbol 'SSLv2_method'

failed

postinst script returned status 1

ERROR: python.postinst returned 1

Successfully terminated.

sh: getcwd: No such file or directory

[root@datenspeicher]#

Thanks

João Cardoso

unread,

Jun 26, 2016, 1:07:35 PM6/26/16

to Alt-F

On Sunday, 26 June 2016 16:50:08 UTC+1, snable snable wrote:

[root@datenspeicher]# ipkg install pycrypto
Installing pycrypto (2.6.1) to /Alt-F...
Downloading http://sourceforge.net/projects/alt-f/files/pkgs/unstable/pycrypto_2.6.1_arm.ipk
Configuring pycrypto
Configuring python
Downloading pip...
--2016-06-26 17:48:21-- https://bootstrap.pypa.io/get-pip.py
Resolving bootstrap.pypa.io... 185.31.17.175
Connecting to bootstrap.pypa.io|185.31.17.175|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1524722 (1.5M) [text/x-python]
Saving to: '/tmp/get-pip.py.1'

0K ........ ........ ....... 100% 2.04M=0.7s

2016-06-26 17:48:22 (2.04 MB/s) - '/tmp/get-pip.py.1' saved [1524722/1524722]

Installing pip, please wait... python: can't resolve symbol 'SSLv2_method'

I can't reproduce that. Have you update all packages?

RC5 is built with openssl-1.0.2g, which by default disables sslv2 and sslv3, as they are considered insecure. The same happens with openssh-7.1p2.

I knew that those changes could cause incompatibilities with some clients and user setups, and considered enabling those sslv2/v3 cyphers, but decided to keep the defaults... bad move?

My install:

[root@DNS-323]# ipkg install pycrypto

Installing pycrypto (2.6.1) to /Alt-F...

Downloading http://silver/~jcard/pkgs/pycrypto_2.6.1_arm.ipk
Installing python (2.7.2-4) to /Alt-F...
Downloading http://silver/~jcard/pkgs/python_2.7.2-4_arm.ipk
Installing db (4.8.30-3) to /Alt-F...
Downloading http://silver/~jcard/pkgs/db_4.8.30-3_arm.ipk
Installing gdbm (1.8.3-4) to /Alt-F...
Downloading http://silver/~jcard/pkgs/gdbm_1.8.3-4_arm.ipk
Installing bzip2 (1.0.6) to /Alt-F...
Downloading http://silver/~jcard/pkgs/bzip2_1.0.6_arm.ipk
Configuring bzip2
Configuring db
Configuring gdbm

Configuring pycrypto
Configuring python
Downloading pip...

--2016-06-26 18:00:45-- https://bootstrap.pypa.io/get-pip.py
Resolving bootstrap.pypa.io... 185.31.19.175
Connecting to bootstrap.pypa.io|185.31.19.175|:443... connected.

HTTP request sent, awaiting response... 200 OK
Length: 1524722 (1.5M) [text/x-python]

Saving to: '/tmp/get-pip.py'

0K ........ ........ ....... 100% 1.08M=1.3s

2016-06-26 18:00:47 (1.08 MB/s) - '/tmp/get-pip.py' saved [1524722/1524722]

Installing pip, please wait... Collecting pip
/tmp/tmpZ_b4qU/pip.zip/pip/_vendor/requests/packages/urllib3/util/ssl_.py:318: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
/tmp/tmpZ_b4qU/pip.zip/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
Downloading pip-8.1.2-py2.py3-none-any.whl (1.2MB)
100% |################################| 1.2MB 17kB/s
Collecting setuptools
Downloading setuptools-23.1.0-py2.py3-none-any.whl (435kB)
100% |################################| 440kB 80kB/s
Collecting wheel
Downloading wheel-0.29.0-py2.py3-none-any.whl (66kB)
100% |################################| 71kB 253kB/s
Installing collected packages: pip, setuptools, wheel
Successfully installed pip-8.1.2 setuptools-23.1.0 wheel-0.29.0
/tmp/tmpZ_b4qU/pip.zip/pip/_vendor/requests/packages/urllib3/util/ssl_.py:122: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. You can upgrade to a newer version of Python to solve this. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
Successfully terminated.

snable snable

unread,

Jun 26, 2016, 1:36:30 PM6/26/16

to al...@googlegroups.com

h

i made a factory reset and reflash from scratch

i get the same error when i try to install sabnzbd.

fails with the openssl module error

--
You received this message because you are subscribed to the Google Groups "Alt-F" group.
To unsubscribe from this group and stop receiving emails from it, send an email to alt-f+un...@googlegroups.com.
Visit this group at https://groups.google.com/group/alt-f.
For more options, visit https://groups.google.com/d/optout.

João Cardoso

unread,

Jun 26, 2016, 5:10:26 PM6/26/16

to Alt-F

On Sunday, 26 June 2016 18:36:30 UTC+1, snable snable wrote:

h
i made a factory reset and reflash from scratch

This has nothing to do with firmware flash.

There are two kinds of packages, "pre-installed" packages are shipped on the firmware and stored on flash memory, and "disk-installable" packages.

Some of the ones that you deliberately installed on disk depends on the ones shipped with the firmware; so when the firmware is upgraded the ones installed on disk should also be upgraded.

Technically: the firmware has new libraries, so binaries need to be recompiled to use the new libraries, and thus a new package is released. Old binaries requires the olde libraries, that don't exists anymore after the firmware is upgraded.

python, php, etc are *disk* installable packages, they have to be upgraded, use the webUI, Packages->Alt-F, and you will see the ones to be upgraded. Hit the "upgrade all" button. Or use 'ipkg update' followed by 'ipkg upgrade' from the command line.

i get the same error when i try to install sabnzbd.

That I can reproduce:

Starting SABnzbd.py: /usr/bin/python: can't resolve symbol 'SSLv2_method'

Looks like python needs relinking, at least... not today. Please fill in a bug report at sourceforge.

Thanks

To unsubscribe from this group and stop receiving emails from it, send an email to alt-f+unsubscribe@googlegroups.com.

snable snable

unread,

Jun 26, 2016, 5:11:47 PM6/26/16

to al...@googlegroups.com

hey joao

yes i will. i upgraded all. even reinstalled from scratch.

thanks

To unsubscribe from this group and stop receiving emails from it, send an email to alt-f+un...@googlegroups.com.

Visit this group at https://groups.google.com/group/alt-f.
For more options, visit https://groups.google.com/d/optout.

--

You received this message because you are subscribed to the Google Groups "Alt-F" group.

To unsubscribe from this group and stop receiving emails from it, send an email to alt-f+un...@googlegroups.com.

João Cardoso

unread,

Jul 4, 2016, 12:52:29 PM7/4/16

to Alt-F

I have updated pyopenssl and python, hope that it fix the issues.

On a clean install pyload, sabnzbd and sickbeard installed and its web interface displays OK.

Notice that removing packages only removes the files that were installed, not the ones created by the programs.

So, removing packages is not enough to guarantee that no stray files will be left behind and influence the newly re-installed package.

To unsubscribe from this group and stop receiving emails from it, send an email to alt-f+unsubscribe@googlegroups.com.

Visit this group at https://groups.google.com/group/alt-f.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Alt-F" group.

To unsubscribe from this group and stop receiving emails from it, send an email to alt-f+unsubscribe@googlegroups.com.

Paulo Elifaz Andrielli

unread,

Jul 4, 2016, 4:37:37 PM7/4/16

to al...@googlegroups.com

Related to the pyopenssl and python be the issue that I might have with Transmission in another thread.... do I need to upgrade the firmware again, or just update the packsge, once you updated them?

[]´s

Paulo

To unsubscribe from this group and stop receiving emails from it, send an email to alt-f+un...@googlegroups.com.

Visit this group at https://groups.google.com/group/alt-f.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Alt-F" group.

To unsubscribe from this group and stop receiving emails from it, send an email to alt-f+un...@googlegroups.com.

Visit this group at https://groups.google.com/group/alt-f.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Alt-F" group.

To unsubscribe from this group and stop receiving emails from it, send an email to alt-f+un...@googlegroups.com.

Paulo Elifaz Andrielli

unread,

Jul 4, 2016, 4:39:03 PM7/4/16

to al...@googlegroups.com

Nevermind, just saw that rebooting the NAS, python appears with an update button.... ;-)

[]´s

Paulo

João Cardoso

unread,

Jul 5, 2016, 10:50:18 AM7/5/16

to Alt-F

On Monday, 4 July 2016 21:39:03 UTC+1, Paulo Elifaz Andrielli wrote:

Nevermind, just saw that rebooting the NAS, python appears with an update button.... ;-)

You don't need to reboot for that, just hit the "UpdatePackageList" button in the "Package Feed" section.

[]´s
Paulo

2016-07-04 17:37 GMT-03:00 Paulo Elifaz Andrielli :
Related to the pyopenssl and python be the issue that I might have with Transmission in another thread.... do I need to upgrade the firmware again,

NO. reflashing the firmware only affects the flash memory, that is read-only.

Reflashing does not affect the disk-installed packages, and it does not solve anything.

Rebooting is mostly only needed if upgrading kernel modules.

or just update the packsge, once you updated them?

In principle, updating the packages is enough, as the updating first stops the relevant service (so it is a kind of reboot for a service).

Updating packages that contains only libraries that might be used by several services is more problematic.

To stop using the libraries that are going to be updated it is necessary to stop the services that are using the library, and a library can be being used by several services simultaneously.

E.g., libevent2 might be used by forked-daapd, netatalk and transmission, so the proper way to update it would be to stop all those services first. But the library package scripts don't know which services are using it, so that can't be done automatically.

This is an old flaw on Alt-F (that don't exists on most other linux systems, where a library can be updated while it is being used).

[]´s
Paulo

To unsubscribe from this group and stop receiving emails from it, send an email to alt-f+unsubscribe@googlegroups.com.

Visit this group at https://groups.google.com/group/alt-f.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Alt-F" group.

To unsubscribe from this group and stop receiving emails from it, send an email to alt-f+unsubscribe@googlegroups.com.

Visit this group at https://groups.google.com/group/alt-f.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Alt-F" group.

To unsubscribe from this group and stop receiving emails from it, send an email to alt-f+unsubscribe@googlegroups.com.

li...@doreydesigns.com

unread,

Sep 7, 2016, 4:03:59 PM9/7/16

to Alt-F

Not sure if it's related or not, but I just finally got a google drive client up and running after what turned out to be issues with how openssl was setup, I couldn't get either rclone or drive to authenticate properly due to some very nice vague errors. The openssl.cnf was setup to use odd directories it looks like. Likely I did more than I needed and likely a quick fix to the openssl.conf might do the trick....not really my area of expertise... and now that I have it working I'm loath to experiment much....

I had to pretty much nuke the files in /etc/ssl, bring in a new ca-bundle.crt and a new openssl.cnf

I used this tutorial pretty much after deleting all the existing certs...

http://www.flatmtn.com/article/setting-openssl-create-certificates, then copied the ca-bundle.crt from mozzilla into the /etc/ssl/certs directory, then I used the alt-F web interface to create new certificates, which got the https connection working again with the expected bitching about the new cert, and Oauth2 with google drive is now working for me.