oscrypto
oscrypto copied to clipboard
wbond
Openssl version not detected in current oscrypto version (pypi)
Hi,
first of all thank you for your work!
We are currently encountering the Error:
oscrypto.errors.LibraryNotFoundError: Error detecting the version of libcrypto
See: https://github.com/mpgn/CrackMapExec/issues/108
I saw you already fixed that in d5f3437ed24257895ae1edd9e503cfb352e635a8, but as this is not released to pypi our Tool does not fully work. Would it be possible to release a bug-fix version to pypi?
Having a bugfix release would be much appreciated we are seeing this issue on AWS Ubuntu AMIs after issuing system updates, I can imagine that there are a few less than happy AI developers out there struggling to work their way back to this issue.
We are seeing the same issue too. The OpenSSL version we are using happens to be 3.0.10. Would really appreciate it to have a new release. Thanks!
The same OpenSSL 3.0.10 1 Aug 2023 doesn't match to regex \b(\d\.\d\.\d[a-z]*)\b in _openssl/_libcrypto_cffi.py.
Last \d should be \d+ or at least \d\d? I guess.
+1 for a new release, this is a dependency of snowflake-connector-python, so I imagine many folks are impacted and pinning their OpenSSL version. Thanks for your time and care, we appreciate it!
The same
OpenSSL 3.0.10 1 Aug 2023doesn't match to regex\b(\d\.\d\.\d[a-z]*)\bin_openssl/_libcrypto_cffi.py. Last\dshould be\d+or at least\d\d?I guess.
I manually edited the file and changed the last \d in regex to \d+ and it worked. Note that this is a temp solution. We need to upgrade the package when a new release is available.
It looks like the fix is merged. When will this be released? @wbond ?
https://github.com/wbond/oscrypto/pull/76
No, this is a free-time project for me. The commit is there, so it is certainly possible to use most Python packaging tools to grab the sha of the commit.
For those too impatient, like myself... in my pyproject.toml I added in:
[tool.poetry.dependencies]
oscrypto = { git = "https://github.com/wbond/oscrypto.git", rev = "1547f53" }
And now we're all systems go. Thanks for taking the time to create this @wbond !
No, this is a free-time project for me. The commit is there, so it is certainly possible to use most Python packaging tools to grab the sha of the commit.
Thanks for the quick response, and appreciate the work you put into the package @wbond !
@connor-lough For projects that don't use pyproject.toml, is there a way you can do this via the requirements.txt file?
@connor-lough For projects that don't use pyproject.toml, is there a way you can do this via the requirements.txt file?
This is the line I added to my requirements.txt:
git+https://github.com/wbond/oscrypto.git@d5f3437
which replaced this line:
oscrypto==1.2.1
I also had to add "git" to my Dockerfile, because I was not installing git before:
apt-get install -y git
We are facing the same issue. Using oscrypto==1.3.0 and snowflake-connector-python==2.8.1 .
Is it possible to still face the issue despite we have hard set the versions in the requirements.txt?
@vermavikrant Yes, the problem is due to a conflict with the ocrypto library and the openssl program version 3.0.>=10 on your machine. snowflake-connector-python just happens to use the ocrypto library. The way to solve this problem is by either:
- Change the openssl version - on your machine use another version such as
1.1.1. Run$openssl versionto verify which version of openssl you are using.
Or
- upgrading your
ocryptolibrary - by pointing to the commit that includes the bug fix as mentioned above, until the patch is released.
I've spent most of the day updating our internal applications that use snowflake-connector. My fixes follow along the lines of what has been suggested, above.
If you're using Docker to build your app, you can include a pip install of the ocscrypo package prior to snowflake-connector, and it'll assume the dependency has already been met:
RUN pip install git+https://github.com/wbond/oscrypto.git@1547f535001ba568b239b8797465536759c742a3
If you need to embed it into a requirements.txt file, you can add the following line:
git+https://github.com/wbond/oscrypto.git@1547f535001ba568b239b8797465536759c742a3
If installing via setuptools.setup, then the following line should work
"oscrypto @ git+https://github.com/wbond/oscrypto.git@d5f3437"
I also had to install git into Dockerfile and Jenkinsfile, as stated above.
apt-get update && apt-get install -y git
@mwisconsin wondering why your commit hash is different? Was the fix not in d5f3437 ?
@vermavikrant I picked the latest just in case the recent commits fixed other problems I might encounter in the upcoming weeks before a release happens.
Installed it directly with
pip install -I git+https://github.com/wbond/oscrypto.git
I believe the version should be updated
@wbond really appreciate the great work you've put into this library. Could you please push a new version to PyPI so we don't need to hack it using https://github.com/wbond/oscrypto/issues/78#issuecomment-1755515697?
The reason I haven’t pushed a new release is that I’m planning a new release of asn1crypto also and this library depends on that, so I’d like to do both releases at the same time.
That release it blocked on two things:
- A test for a regression someone added, where I don’t have any real world certificate to test with and the structure is rather complex to code myself
- Deciding if the next version of asn1crypto will be a major version, which will affect if the next release of oscrypto will be a bug fix or minor version
This is the sort of bug that should have resulted in a cherry-picked bugfix release months ago when it was discovered. This kind of fix shouldn't wait on features. Everything that depends on oscrypto is actively broken once a user upgrades openssl.
Considering none of you support any of the work I do for free out of my own good will, but apparently depend on it for your job/business/product, you literally are entitled to nothing.
Complaining at me about how I spend my free time, or how I decide to prioritize my open source work will not result in me neglecting the other parts of my life for your sake.
I guess I just used up my open source energy for the day. Back to work!
I read through literally every comment here and saw zero complaining about how you spend your free time or how you prioritize your open source work. I see lots of thanks and one comment (my own) suggesting a better way to handle this kind of bug in the future. Even if you (IMO incorrectly) think this is users being ungrateful, just compare the amount of time you're likely to deal with comments and issues about this to the time a bugfix release would have taken. Just to prove I'm not ungrateful for your work, I just sent you $20. (Big spender, I know.)
@squarooticus It was you telling me that I should have cut a release instead of worry about features. In fact the dependency I spoke of is not a feature but a regression.
I appreciate your token of goodwill. I am hoping to have this sorted soon.
python:3.9-slim docker image was just updated a few hours ago. and is using an incompatible openssl version as well:
OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)
We encountered this today in Dagster Cloud and developed a workaround. We needed to install git on the system to use the git hash in setup.py.
To install git, we needed to add a dagster_cloud_pre_install.sh (don't forget chmod u+x), the contents of which are apt update -yqq && apt install -y git.
And then include the oscrypto hash mentioned upthread, in setup.py's install_requires:
"oscrypto @ git+https://github.com/wbond/oscrypto.git@1547f535001ba568b239b8797465536759c742a3",
The original error was oscrypto.errors.LibraryNotFoundError: Error detecting the version of libcrypto
