python-social-auth/social-core

Failure with Amazon backend: SSL errors

dstndstn opened this issue · 1 comment

I submitted PR #712 for this.

Actual behaviour

In a Django app that uses Amazon OAuth2 for signins, I get:

AuthFailed at /complete/amazon/

Authentication failed: HTTPSConnectionPool(host='api.amazon.com', port=443): Max retries exceeded with url: /auth/o2/token (Caused by SSLError(SSLError(1, '[SSL] internal error (_ssl.c:1131)')))

The full Django complaint is pretty gnarly:

Environment:

Request Method: GET
Request URL: https://nova.astrometry.net/complete/amazon/?code=ANdUShpXYKiIMNBCVRzD&scope=profile&state=51uMMnE6D5JA5EsMSSyo2hhNaEoPjfjq

Django Version: 4.0.1
Python Version: 3.8.10
Installed Applications:
('django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.sites',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'astrometry.net.app.AstrometryNetConfig',
 'social_django')
Installed Middleware:
['django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'astrometry.net.tempfile_middleware.TempfileMiddleware']
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py", line 703, in urlopen
    httplib_response = self._make_request(
  File "/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py", line 386, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py", line 1042, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.8/dist-packages/urllib3/connection.py", line 414, in connect
    self.sock = ssl_wrap_socket(
  File "/usr/local/lib/python3.8/dist-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/usr/local/lib/python3.8/dist-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.8/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()

During handling of the above exception ([SSL] internal error (_ssl.c:1131)), another exception occurred:
  File "/home/nova/.local/lib/python3.8/site-packages/requests/adapters.py", line 489, in send
    resp = conn.urlopen(
  File "/usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py", line 787, in urlopen
    retries = retries.increment(
  File "/usr/local/lib/python3.8/dist-packages/urllib3/util/retry.py", line 592, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))

During handling of the above exception (HTTPSConnectionPool(host='api.amazon.com', port=443): Max retries exceeded with url: /auth/o2/token (Caused by SSLError(SSLError(1, '[SSL] internal error (_ssl.c:1131)')))), another exception occurred:
  File "/usr/local/lib/python3.8/dist-packages/social_core/backends/base.py", line 233, in request
    response = session.request(method, url, *args, **kwargs)
  File "/home/nova/.local/lib/python3.8/site-packages/requests/sessions.py", line 587, in request
    resp = self.send(prep, **send_kwargs)
  File "/home/nova/.local/lib/python3.8/site-packages/requests/sessions.py", line 701, in send
    r = adapter.send(request, **kwargs)
  File "/home/nova/.local/lib/python3.8/site-packages/requests/adapters.py", line 563, in send
    raise SSLError(e, request=request)

During handling of the above exception (HTTPSConnectionPool(host='api.amazon.com', port=443): Max retries exceeded with url: /auth/o2/token (Caused by SSLError(SSLError(1, '[SSL] internal error (_ssl.c:1131)')))), another exception occurred:
  File "/usr/local/lib/python3.8/dist-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.8/dist-packages/django/core/handlers/base.py", line 181, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/local/lib/python3.8/dist-packages/django/views/decorators/cache.py", line 57, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/social_django/utils.py", line 46, in wrapper
    return func(request, backend, *args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/social_django/views.py", line 31, in complete
    return do_complete(request.backend, _do_login, user=request.user,
  File "/usr/local/lib/python3.8/dist-packages/social_core/actions.py", line 45, in do_complete
    user = backend.complete(user=user, *args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/social_core/backends/base.py", line 40, in complete
    return self.auth_complete(*args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/social_core/utils.py", line 247, in wrapper
    return func(*args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/social_core/backends/oauth.py", line 392, in auth_complete
    response = self.request_access_token(
  File "/usr/local/lib/python3.8/dist-packages/social_core/backends/oauth.py", line 370, in request_access_token
    return self.get_json(*args, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/social_core/backends/base.py", line 242, in get_json
    return self.request(url, *args, **kwargs).json()
  File "/usr/local/lib/python3.8/dist-packages/social_core/backends/base.py", line 237, in request
    raise AuthFailed(self, str(err))

Exception Type: AuthFailed at /complete/amazon/
Exception Value: Authentication failed: HTTPSConnectionPool(host='api.amazon.com', port=443): Max retries exceeded with url: /auth/o2/token (Caused by SSLError(SSLError(1, '[SSL] internal error (_ssl.c:1131)')))

In my digging, I found that the Amazon backend sets the SSL protocol:

SSL_PROTOCOL = ssl.PROTOCOL_TLSv1

https://github.com/python-social-auth/social-core/blob/master/social_core/backends/amazon.py#L18

which, according to the SSL manual page
(https://docs.python.org/3.8/library/ssl.html?highlight=ssl#ssl.PROTOCOL_TLSv1)
demands TLS v1.0.

According to Wikipedia (https://en.wikipedia.org/wiki/Transport_Layer_Security#TLS_1.0) TLS 1.0 is deprecated.

The Python ssl manual page suggests switching to just ssl.PROTOCOL_TLS, which selects the highest protocol version supported by both client and server.
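The script below is an added example for readers of this issue; it is not code from the report above, from the linked PR, or from social-core itself. It does two things a practitioner would want when triaging a report like this one. First, it probes what a given protocol constant actually produces on the running interpreter and OpenSSL build: a context pinned with PROTOCOL_TLSv1 can only ever speak TLS 1.0, so it cannot complete a handshake with a peer, or under an OpenSSL configuration, that refuses anything below TLS 1.2 (Python 3.8.10 is the Ubuntu 20.04 build, and that distribution's /etc/ssl/openssl.cnf ships with MinProtocol = TLSv1.2, which is worth checking on the reporting host). Second, it builds the replacement a client should use today: since Python 3.10, PROTOCOL_TLS itself is deprecated in favour of PROTOCOL_TLS_CLIENT, which negotiates the newest version both sides support, turns on hostname checking and certificate verification by default, and lets you set an explicit floor with minimum_version. The function names probe_protocol, hardened_client_context and survey, and the constant LEGACY_TLS1, are assumptions of this example only; the standard-library calls are real.

```python
"""Added example: inspect what ssl protocol constants buy you on this build,
and build the hardened client context that should replace a TLS-1.0 pin.
All function names here are this example's own, not social-core's."""
import ssl
import warnings

# The constant the Amazon backend pins. It may be absent on future Pythons,
# so look it up defensively instead of failing at import time.
LEGACY_TLS1 = getattr(ssl, "PROTOCOL_TLSv1", None)


def probe_protocol(protocol):
    """Try to build an SSLContext for `protocol` and report its version bounds.

    Returns {"ok": bool, "minimum": str|None, "maximum": str|None, "error": str|None}.
    Deprecated constants (PROTOCOL_TLSv1, and PROTOCOL_TLS on 3.10+) raise a
    DeprecationWarning at construction; it is silenced here, not printed.
    """
    result = {"ok": False, "minimum": None, "maximum": None, "error": None}
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        try:
            ctx = ssl.SSLContext(protocol)
        except (ValueError, ssl.SSLError, AttributeError) as exc:
            # e.g. an OpenSSL built with no-tls1: the Python constant exists
            # but OpenSSL cannot create a context for it.
            result["error"] = "%s: %s" % (type(exc).__name__, exc)
            return result
    result["ok"] = True
    for key, attr in (("minimum", "minimum_version"), ("maximum", "maximum_version")):
        try:
            result[key] = getattr(ctx, attr).name
        except (AttributeError, ValueError) as exc:
            # Version bounds need OpenSSL >= 1.1.0g; report rather than crash.
            result[key] = "unavailable (%s)" % type(exc).__name__
    return result


def hardened_client_context(minimum=ssl.TLSVersion.TLSv1_2):
    """Client context that negotiates the newest mutually supported TLS
    version but refuses anything older than `minimum` (TLS 1.2 by default).

    PROTOCOL_TLS_CLIENT already enables check_hostname and CERT_REQUIRED;
    the explicit floor is what a fixed-version pin like PROTOCOL_TLSv1 never
    gives you: a deliberate lower bound without a frozen upper bound.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = minimum
    ctx.load_default_certs()  # system trust store, same as requests/urllib3 would use
    return ctx


def survey():
    """Probe the three constants this issue discusses, skipping any that the
    running Python no longer exposes."""
    names = ("PROTOCOL_TLSv1", "PROTOCOL_TLS", "PROTOCOL_TLS_CLIENT")
    return {n: probe_protocol(getattr(ssl, n)) for n in names if hasattr(ssl, n)}


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION, "| TLS 1.0 compiled in:", ssl.HAS_TLSv1)
    for name, info in survey().items():
        print("%-20s ok=%-5s min=%s max=%s %s" % (
            name, info["ok"], info["minimum"], info["maximum"], info["error"] or ""))
    hardened = hardened_client_context()
    print("hardened client floor:", hardened.minimum_version.name,
          "| verify:", hardened.verify_mode.name, "| hostname check:", hardened.check_hostname)
```

Run it on the host that produced the traceback and on a current machine: the PROTOCOL_TLSv1 row either fails to construct or is frozen at TLS 1.0, while the hardened context keeps a 1.2 floor and an open ceiling, which is the behaviour the PR switches the backend to. If a service still has to be pinned, pin the floor with minimum_version, never the whole version.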