cherrypy: error: [Errno 0] Error

On Debian 9, with OpenSSL 1.1.0f 25 May 2017, CherryPy will throw this (non-fatal) error on startup when using 'server.ssl_module': 'builtin'. It does not happen when using 'server.ssl_module': 'pyopenssl'.

This is not just on our older CherryPy, but also on the latest CherryPy version 11 and both on Python 2.7 and Python 3.5.

We have been chasing this error for a while and first assumed it was a bug in Python. I was ready to report it to Python bug-tracker, but I cannot reproduce it using pure-python. So it really is something specific to what CherryPy does.

Code:

import cherrypy
print(cherrypy.__version__)

class RootServer:
    @cherrypy.expose
    def index(self, **keywords):
        return "it works!"

if __name__ == '__main__':
    server_config={
        'server.socket_host': '0.0.0.0',
        'server.socket_port': 9090,
        'server.ssl_module': 'builtin',
        #'server.ssl_module':'pyopenssl',
        'server.ssl_certificate':'/root/.sabnzbd/admin/server.cert',
        'server.ssl_private_key':'/root/.sabnzbd/admin/server.key'
    }

    cherrypy.config.update(server_config)
    cherrypy.quickstart(RootServer())

Error thrown by Python 2.7 and 3.5:

11.0.0
[11/Aug/2017:13:23:57] ENGINE Listening for SIGHUP.
[11/Aug/2017:13:23:57] ENGINE Listening for SIGTERM.
[11/Aug/2017:13:23:57] ENGINE Listening for SIGUSR1.
[11/Aug/2017:13:23:57] ENGINE Bus STARTING
CherryPy Checker:
The Application mounted at '' has an empty config.

[11/Aug/2017:13:23:57] ENGINE Started monitor thread '_TimeoutMonitor'.
[11/Aug/2017:13:23:57] ENGINE Started monitor thread 'Autoreloader'.
[11/Aug/2017:13:23:57] ENGINE Serving on https://0.0.0.0:9090
[11/Aug/2017:13:23:57] ENGINE Bus STARTED
[11/Aug/2017:13:23:57] ENGINE Error in HTTPServer.tick
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/cheroot/server.py", line 1515, in start
    self.tick()
  File "/usr/local/lib/python2.7/dist-packages/cheroot/server.py", line 1590, in tick
    s, ssl_env = self.ssl_adapter.wrap(s)
  File "/usr/local/lib/python2.7/dist-packages/cheroot/ssl/builtin.py", line 73, in wrap
    server_side=True)
  File "/usr/lib/python2.7/ssl.py", line 363, in wrap_socket
    _context=self)
  File "/usr/lib/python2.7/ssl.py", line 611, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 840, in do_handshake
    self._sslobj.do_handshake()
error: [Errno 0] Error

Pure-python code version trying to reproduce all the steps CherryPy performs, which does not throw the error:

import socket, ssl
import fcntl

print("Start")
context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
context.load_cert_chain(certfile="/root/.sabnzbd/admin/server.cert", keyfile="/root/.sabnzbd/admin/server.key")

bindsocket = socket.socket()
bindsocket.bind(('0.0.0.0', 9090))
bindsocket.listen(5)

while True:
    newsocket, fromaddr = bindsocket.accept()

    fd = newsocket.fileno()
    old_flags = fcntl.fcntl(fd, fcntl.F_GETFD)
    fcntl.fcntl(fd, fcntl.F_SETFD, old_flags | fcntl.FD_CLOEXEC)

    sslsoc = context.wrap_socket(newsocket, do_handshake_on_connect=True, server_side=True)
    request = sslsoc.read()
    print(request)
    print(sslsoc.cipher())
print("Done")

@sanderjo also created a guide to setting up a docker with Debian to test this: https://github.com/sabnzbd/sabnzbd/issues/1000 For non-docker-people like me, this command can be used to copy files into the docker:

sudo docker cp test.py DOCKER-ID:/test.py
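
Added example (not from the issue, CherryPy or cheroot): the reproduction script's accept loop with the handshake treated as a per-connection event, so a failure such as the [Errno 0] error in the traceback above is recorded and the connection dropped while the loop keeps serving. The names handshake_or_drop, serve and failed_peer_demo are hypothetical, the 127.0.0.1 default and the 5-second timeout are assumptions, and the two demo peers are constructed.

```python
import socket
import ssl


def handshake_or_drop(context, conn, timeout=5.0):
    """Handshake one accepted connection: (tls, None) or (None, label)."""
    conn.settimeout(timeout)  # a stalled peer must not block accept()
    try:
        return context.wrap_socket(conn, server_side=True), None
    except ssl.SSLError as exc:  # subclass of OSError, so catch it first
        label = "tls-error:%s" % (exc.reason or type(exc).__name__)
    except OSError as exc:  # includes the "[Errno 0] Error" shown above
        label = "errno0" if exc.errno == 0 else "socket-error:%s" % exc.errno
    conn.close()  # harmless if wrap_socket() already released the socket
    return None, label


def serve(certfile, keyfile, host="127.0.0.1", port=9090):
    """Accept loop shaped like the reproduction script, with the guard."""
    context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    context.load_cert_chain(certfile=certfile, keyfile=keyfile)
    with socket.socket() as listener:
        listener.bind((host, port))
        listener.listen(5)
        while True:
            conn, addr = listener.accept()
            tls, problem = handshake_or_drop(context, conn)
            if tls is None:
                print("dropped %s:%d (%s)" % (addr[0], addr[1], problem))
                continue
            with tls:
                print(tls.cipher())


def failed_peer_demo(payload):
    """Constructed peer: send payload (b"" = just close); return the result."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # no cert needed here
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        with socket.create_connection(listener.getsockname()) as client:
            client.sendall(payload)
            client.shutdown(socket.SHUT_WR)
            conn, _ = listener.accept()
            return handshake_or_drop(context, conn)


if __name__ == "__main__":
    print(failed_peer_demo(b"GET / HTTP/1.0\r\n\r\n"))  # plaintext on TLS port
    print(failed_peer_demo(b""))  # peer that closes before the handshake
```

The exact label depends on the Python and OpenSSL versions in use, so log it rather than matching on one string.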

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 56 (50 by maintainers)

Most upvoted comments

@webknjaz the patch for this in Python has been merged, finally: https://bugs.python.org/issue31122 However, it will only be fixed for recent versions of Python so I guess the workaround in the code should remain.

Anyone reading this, the fix for now is:

import cheroot.ssl.builtin
cheroot.ssl.builtin.IS_BELOW_PY37 = True

Before

cherrypy.engine.start()

Perfect, thanks a lot!

Thanks 😃