Python SSL wrap_socket failed with SSLError, Errno 336265218

Question

I have simple client/server SSL code which worked fine on Python 3.2. However, I decided to switch over to 2.7 (due to abundance of third party modules), and now the code is failing. The code is as follows:

Client:

def connect(self):
    self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    self.sock.connect(('localhost', 4430))
    self.ssl_sock = ssl.wrap_socket(self.sock, cert_reqs = ssl.CERT_NONE, ssl_version = ssl.PROTOCOL_TLSv1)

Server:

self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    self.sock.bind((self.hostname, 4430))
    self.sock.listen(5)
    while True:
        self.newsocket, self.fromaddr = self.sock.accept()
        self.ssl_sock = ssl.wrap_socket(
                            self.newsocket, 
                            server_side = True,
                            certfile = "cert.pem",
                            ssl_version=ssl.PROTOCOL_TLSv1
        ) 

        self._handle_client(self.ssl_sock)

The cert.pem (located in same directory as server .py file):

-----BEGIN RSA PRIVATE KEY-----
(812 "random" characters here)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(1260 "random" characters here)
-----END CERTIFICATE-----

The failure is as follows:
1. server waits on self.sock.accept()
2. client connects with self.sock.connect()
3. server proceeds to wrap_socket, which fails with the following error:

Traceback (most recent call last):
  File "C:\Program Files\Python27\lib\multiprocessing\process.py", line 258, in _bootstrap
    self.run()
  File "C:\workspace\projectc\server\server\clientlistener.py", line 49, in run
    ssl_version=ssl.PROTOCOL_TLSv1
  File "C:\Program Files\Python27\lib\ssl.py", line 381, in wrap_socket
    ciphers=ciphers)
  File "C:\Program Files\Python27\lib\ssl.py", line 141, in __init__
    ciphers)
SSLError: [Errno 336265218] _ssl.c:351: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib

P.S.
1) I have suspicions about the wrap_socket call because even when I use a non-existent file for certfile, the same error results.
2) I tried the alternative wrapping on the python documentation on ssl (i.e. with ssl.SSLContext) and it's odd that 'module' object has no attribute 'SSLContext', when it is part of the ssl module. This wasn't an issue when I tried it with Python 3.2.

Update:
I have found that the problem only occurs when I'm doing "run" from within Eclipse, not so when I run both files from separate command prompts. Still investigating the issue...

Update 2: I tried a very simple client/server script with the SAME code and it works. Now, with the server code sitting inside a multiprocessing subprocess (launched by the main server process), it seems not to work. Related?

Answer 1

my solution was that when creating my .pem file i set a blank password and assumed it meant no pasword. so the server was still expecting to use a password. i had to manually remove the password.

here is a little how to guide if it helps anyone (also, please note i was coding python for a server side to an iOS app)

NOTE: need to follow directions from apple’s developer website to create certificate first then export the .p12 file, by exporting the embedded private key that is created (in ‘keychain access’), NOT the actual certificate ———————————————————————————————————— ———————————————————————————————————— FOR DEVELOPMENT CERT: After getting the p12 file, it needs to be converted to the PEM format by executing this command from the terminal: $ openssl pkcs12 -clcerts -nokeys -out apns-dev-cert.pem -in apns_dev.p12 $ openssl pkcs12 -nocerts -out apns-dev-key.pem -in apns_dev.p12

If you wish to remove the passphrase execute the following: (NOTE: using a ‘blank’ password when exporting/converting, is still indeed setting a password, hence you should still execute the following if you intend to have no password) $ openssl rsa -in apns-dev-key.pem -out apns-dev-key-noenc.pem

Finally, you need to combine the key and cert files into a apns-dev.pem file we will use when connecting to APNS:

$ cat apns-dev-cert.pem apns-dev-key-noenc.pem > apns-dev.pem

———————————————————————————————————— FOR PRODUCTION CERT: After getting the p12 file, it needs to be converted to the PEM format by executing this command from the terminal: $ openssl pkcs12 -clcerts -nokeys -out apns-prod-cert.pem -in apns_prod.p12 $ openssl pkcs12 -nocerts -out apns-prod-key.pem -in apns_prod.p12

If you wish to remove the passphrase execute the following: (NOTE: using a ‘blank’ password when exporting/converting, is still indeed setting a password, hence you should still execute the following if you intend to have no password) $ openssl rsa -in apns-prod-key.pem -out apns-prod-key-noenc.pem

Finally, you need to combine the key and cert files into a apns-dev.pem file we will use when connecting to APNS:

$ cat apns-prod-cert.pem apns-prod-key-noenc.pem > apns-prod.pem

Answer 2

Problem solved. I believe Eclipse was holding some residual information, though I never figured out what information it was holding. It might have to do with the migration from python 3.2 to 2.7, though I previously already changed that in the run config. Resetting the Eclipse environment worked (simply rebooting the computer wasn't enough).