Python SSL breaks app

rmoo...@gmx.net

Mar 31, 2020, 3:42:04 AM
to modwsgi
Dear all,

We have been struggling with our Apache with mod-wsgi for a while now and we finally managed to break the problem down to a minimum. We try to run a Dash application that uses datashader, but it kept on crashing. The following minimal example works fine on our server.

myDashApp.py
from flask import Flask
import dash
import dash_core_components as dcc
import dash_html_components as html

server = Flask('app')
app = dash.Dash('app', server=server)

colors = {
    'background': '#111111',
    'text': '#7FDBFF'
}
app.layout = html.Div(style={'backgroundColor': colors['background']}, children=[
    html.H1(
        children='Hello Dash',
        style={
            'textAlign': 'center',
            'color': colors['text']
        }
    ),
    html.Div(children='Dash: A web application framework for Python.', style={
        'textAlign': 'center',
        'color': colors['text']
    }),
    dcc.Graph(
        id='Graph1',
        figure={
            'data': [
                {'x': [1, 2, 3], 'y': [4, 1, 2], 'type': 'bar', 'name': 'SF'},
                {'x': [1, 2, 3], 'y': [2, 4, 5], 'type': 'bar', 'name': u'Montréal'},
            ],
            'layout': {
                'plot_bgcolor': colors['background'],
                'paper_bgcolor': colors['background'],
                'font': {
                    'color': colors['text']
                }
            }
        }
    )
])

if __name__ == '__main__':
    app.run_server()
(I copied that example from somewhere, but unfortunately forgot from where)

wsgi.py
import sys

# Make the application directory importable before loading the Dash app.
sys.path.insert(0, "/data/website/myApp")

from myDashApp import server as application

/etc/apache2/sites-enabled/default-ssl.conf
<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerName example.com
                ServerAdmin m...@example.com

                # Flask application
                WSGIProcessGroup myApp
                WSGIApplicationGroup %{GLOBAL}

                WSGIScriptAlias / /data/website/myApp/wsgi.py
                WSGIDaemonProcess myApp python-home=/usr/share/miniconda3/envs/my_env_36 \
                                        threads=1 \
                                        processes=4 \
                                        display-name=%{GROUP} \
                                        lang='en_US.UTF-8' \
                                        locale='en_US.UTF-8' \
                                        queue-timeout=45 \
                                        socket-timeout=60 \
                                        connect-timeout=15 \
                                        request-timeout=60 \
                                        inactivity-timeout=0 \
                                        startup-timeout=15 \
                                        deadlock-timeout=60 \
                                        graceful-timeout=15 \
                                        eviction-timeout=0 \
                                        restart-interval=0 \
                                        shutdown-timeout=5 \
                                        maximum-requests=0

                <Directory "/data/website/myApp/">
                  AllowOverride all
                  AuthType Basic
                  AuthUserFile /data/passwords/passwords.pwd
                  AuthName "myDemoApp"
                  <RequireAll>
                   Require valid-user
                  </RequireAll>
                </Directory>

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

                SSLCertificateFile      /etc/apache2/cert/host_name.crt.pem
                SSLCertificateKeyFile /etc/apache2/cert/host_name.key

                SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
                SSLHonorCipherOrder     on

                SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

                Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

        </VirtualHost>
</IfModule>

Now, we can add the following lines to our myDashApp.py:
import ssl
foo = ssl.SSLContext()

Once we do that, we get the following error in the apache error log:
[Tue Mar 31 06:25:02.092936 2020] [core:notice] [pid 28668] AH00094: Command line: '/usr/sbin/apache2'
[Tue Mar 31 09:31:37.336007 2020] [wsgi:error] [pid 30411] [remote 172.27.1.200:55576] mod_wsgi (pid=30411): Failed to exec Python script file '/data/website/myApp/wsgi.py'.
[Tue Mar 31 09:31:37.336081 2020] [wsgi:error] [pid 30411] [remote 172.27.1.200:55576] mod_wsgi (pid=30411): Exception occurred processing WSGI script '/data/website/myApp/wsgi.py'.
[Tue Mar 31 09:31:37.337969 2020] [wsgi:error] [pid 30411] [remote 172.27.1.200:55576] Traceback (most recent call last):
[Tue Mar 31 09:31:37.338011 2020] [wsgi:error] [pid 30411] [remote 172.27.1.200:55576]   File "/data/website/myApp/wsgi.py", line 5, in <module>
[Tue Mar 31 09:31:37.338016 2020] [wsgi:error] [pid 30411] [remote 172.27.1.200:55576]     from myDashApp import server as application
[Tue Mar 31 09:31:37.338024 2020] [wsgi:error] [pid 30411] [remote 172.27.1.200:55576]   File "/data/website/myApp/myDashApp.py", line 7, in <module>
[Tue Mar 31 09:31:37.338028 2020] [wsgi:error] [pid 30411] [remote 172.27.1.200:55576]     bla = ssl.SSLContext()
[Tue Mar 31 09:31:37.338034 2020] [wsgi:error] [pid 30411] [remote 172.27.1.200:55576]   File "/usr/share/miniconda3/envs/my_env_36/lib/python3.6/ssl.py", line 391, in __new__
[Tue Mar 31 09:31:37.338038 2020] [wsgi:error] [pid 30411] [remote 172.27.1.200:55576]     self = _SSLContext.__new__(cls, protocol)
[Tue Mar 31 09:31:37.338059 2020] [wsgi:error] [pid 30411] [remote 172.27.1.200:55576] ssl.SSLError: ('No cipher can be selected.',)
[Tue Mar 31 09:31:38.189212 2020] [wsgi:error] [pid 30409] [remote 172.27.1.200:55575] mod_wsgi (pid=30409): Failed to exec Python script file '/data/website/myApp/wsgi.py'.
[Tue Mar 31 09:31:38.189269 2020] [wsgi:error] [pid 30409] [remote 172.27.1.200:55575] mod_wsgi (pid=30409): Exception occurred processing WSGI script '/data/website/myApp/wsgi.py'.
[Tue Mar 31 09:31:38.189782 2020] [wsgi:error] [pid 30409] [remote 172.27.1.200:55575] Traceback (most recent call last):
[Tue Mar 31 09:31:38.189810 2020] [wsgi:error] [pid 30409] [remote 172.27.1.200:55575]   File "/data/website/myApp/wsgi.py", line 5, in <module>
[Tue Mar 31 09:31:38.189813 2020] [wsgi:error] [pid 30409] [remote 172.27.1.200:55575]     from myDashApp import server as application
[Tue Mar 31 09:31:38.189818 2020] [wsgi:error] [pid 30409] [remote 172.27.1.200:55575]   File "/data/website/myApp/myDashApp.py", line 7, in <module>
[Tue Mar 31 09:31:38.189821 2020] [wsgi:error] [pid 30409] [remote 172.27.1.200:55575]     bla = ssl.SSLContext()
[Tue Mar 31 09:31:38.189825 2020] [wsgi:error] [pid 30409] [remote 172.27.1.200:55575]   File "/usr/share/miniconda3/envs/my_env_36/lib/python3.6/ssl.py", line 391, in __new__
[Tue Mar 31 09:31:38.189828 2020] [wsgi:error] [pid 30409] [remote 172.27.1.200:55575]     self = _SSLContext.__new__(cls, protocol)
[Tue Mar 31 09:31:38.189842 2020] [wsgi:error] [pid 30409] [remote 172.27.1.200:55575] ssl.SSLError: ('No cipher can be selected.',)

Did anybody encounter a similar problem or does anybody have an idea on how to fix that?

Just for a bit of context, we don't want to use SSL in our application, but somehow datashader uses it for something and our goal is to get datashader to work.

Thanks,
Raphael

Graham Dumpleton

Mar 31, 2020, 3:46:36 AM
to mod...@googlegroups.com
It is a known problem with Anaconda Python that you cannot use it embedded in other applications, where the application embedding it links with SSL and crypto libraries. In other words, you cannot use mod_ssl in Apache if you are going to use Anaconda Python.

This problem is caused by Anaconda Python, due to it bundling its own versions of SSL and crypto libraries that are often incompatible with the system versions of those libraries that Apache is linked against. When they are incompatible you can get obscure errors or the processes can crash.

Consider using mod_wsgi-express instead, and have the front end Apache which handles SSL termination using mod_ssl, proxy to the mod_wsgi-express instance. There isn't really any other solution, except for not using Anaconda Python.

Graham
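
An added diagnostic for the library conflict described in the reply above (not part of the original thread and not mod_wsgi code): it reads the text of /proc/<pid>/maps, lists every libssl/libcrypto file mapped into the process, and flags a library that is mapped from more than one file. The sample maps text and the library version suffixes are constructed; only the conda environment path is taken from the thread.

```python
import re
import ssl
from pathlib import Path

# Path column of a /proc/<pid>/maps line that names libssl or libcrypto.
_LIB_RE = re.compile(r"(/\S*/(libssl|libcrypto)[^/\s]*\.so[^/\s]*)\s*$")

# Constructed sample: Apache's mod_ssl pulled in the system OpenSSL, then the
# conda Python's ssl support pulled in the copy bundled with the environment.
SAMPLE_MAPS = """\
7f3a10000000-7f3a10080000 r-xp 00000000 08:01 1311 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f3a10080000-7f3a10090000 rw-p 00080000 08:01 1311 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
7f3a10200000-7f3a104a0000 r-xp 00000000 08:01 1312 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7f3a20000000-7f3a20070000 r-xp 00000000 08:01 2201 /usr/share/miniconda3/envs/my_env_36/lib/libssl.so.1.0.0
7f3a20200000-7f3a20450000 r-xp 00000000 08:01 2202 /usr/share/miniconda3/envs/my_env_36/lib/libcrypto.so.1.0.0
7f3a30000000-7f3a30010000 r-xp 00000000 08:01 2203 /usr/lib/apache2/modules/mod_ssl.so
"""


def loaded_tls_libs(maps_text):
    """Return {'libssl': {paths}, 'libcrypto': {paths}} mapped into the process."""
    found = {"libssl": set(), "libcrypto": set()}
    for line in maps_text.splitlines():
        match = _LIB_RE.search(line)
        if match:
            found[match.group(2)].add(match.group(1))
    return found


def conflicting_libs(maps_text):
    """Names of libraries mapped from more than one file (mixed OpenSSL builds)."""
    libs = loaded_tls_libs(maps_text)
    return sorted(name for name, paths in libs.items() if len(paths) > 1)


if __name__ == "__main__":
    # Inside a WSGI process, log the same report at import time instead.
    maps = Path("/proc/self/maps")
    text = maps.read_text() if maps.exists() else SAMPLE_MAPS
    print("ssl module reports:", ssl.OPENSSL_VERSION)
    for name, paths in loaded_tls_libs(text).items():
        print(name, sorted(paths))
    print("conflicts:", conflicting_libs(text) or "none")
```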


rmoo...@gmx.net

Mar 31, 2020, 4:05:50 AM
to modwsgi
Dear Graham

Thank you for the super fast response and the useful tips! We'll try to get it to work with mod_wsgi-express instead.