openssl: ssl.SSLError: [SSL] malloc failure - with openssl=1.1.1d (ppc64le)
I originally commented in this conda issue: https://github.com/ContinuumIO/anaconda-issues/issues/11274, but after a little debugging I decided to report the issue here as well.
Currently, to reproduce the error, I have been using a default conda environment with python 3.6 or 3.7 installed:
conda create -y -n my-test-env python=3.6
then running the following command:
python -c 'import urllib.request; urllib.request.urlopen("https://pypi.org")'
which produces the following error:
(my-test-env) [builder@b98996cfec6a ~]$ python -c 'import urllib.request; urllib.request.urlopen("https://pypi.org")'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/opt/anaconda3/envs/my-test-env/lib/python3.6/urllib/request.py", line 223, in urlopen
    return opener.open(url, data, timeout)
  File "/opt/anaconda3/envs/my-test-env/lib/python3.6/urllib/request.py", line 526, in open
    response = self._open(req, data)
  File "/opt/anaconda3/envs/my-test-env/lib/python3.6/urllib/request.py", line 544, in _open
    '_open', req)
  File "/opt/anaconda3/envs/my-test-env/lib/python3.6/urllib/request.py", line 504, in _call_chain
    result = func(*args)
  File "/opt/anaconda3/envs/my-test-env/lib/python3.6/urllib/request.py", line 1361, in https_open
    context=self._context, check_hostname=self._check_hostname)
  File "/opt/anaconda3/envs/my-test-env/lib/python3.6/urllib/request.py", line 1286, in do_open
    h = http_class(host, timeout=req.timeout, **http_conn_args)
  File "/opt/anaconda3/envs/my-test-env/lib/python3.6/http/client.py", line 1392, in __init__
    context = ssl._create_default_https_context()
  File "/opt/anaconda3/envs/my-test-env/lib/python3.6/ssl.py", line 502, in create_default_context
    context = SSLContext(PROTOCOL_TLS)
  File "/opt/anaconda3/envs/my-test-env/lib/python3.6/ssl.py", line 391, in __new__
    self = _SSLContext.__new__(cls, protocol)
ssl.SSLError: [SSL] malloc failure (_ssl.c:2805)
At this point, I don’t have a test case without conda or python, but would be willing to write/test any suggested code to isolate the issue in a ppc64le env.
I did poke around a little in the openssl code; using git bisect, I narrowed it down to commit openssl/openssl@3ff98f5 as causing the problem (see openssl/openssl#9595 for details on the commit). I disabled the change by setting -DOPENSSL_RAND_SEED_DEVRANDOM_SHM_ID=-1 as suggested in the PR and was able to run the previously failing test successfully.
I made the following change in build.sh:
diff --git a/recipe/build.sh b/recipe/build.sh
index a6cb10d..2155c45 100644
--- a/recipe/build.sh
+++ b/recipe/build.sh
@@ -29,7 +29,7 @@ if [[ ${_BASE_CC} == *-* ]]; then
;;
*powerpc64le-*linux*)
_CONFIG_OPTS+=(linux-ppc64le)
- CFLAGS="${CFLAGS} -Wa,--noexecstack"
+ CFLAGS="${CFLAGS} -Wa,--noexecstack -DOPENSSL_RAND_SEED_DEVRANDOM_SHM_ID=-1"
;;
*darwin*)
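Review bot: The added -DOPENSSL_RAND_SEED_DEVRANDOM_SHM_ID=-1 on the CFLAGS line of the *powerpc64le-*linux* case has no comment explaining why it is there, so a later recipe update has no cue for when it can be dropped. Put a short comment above that line pointing at openssl/openssl#9595 and this issue, and say that it is a workaround that switches off the behaviour from that commit rather than a fix for the malloc failure. The define is also set only in the powerpc64le case; the comment should record whether the other Linux targets were checked and do not need it.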
I don’t think I have enough context regarding the change to figure out the root cause.
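A narrower reproduction than the urlopen call, added here as an example (it is not code from the issue or from OpenSSL): it stops at the frame where the traceback fails, ssl.create_default_context(), so no network access is involved, and it records what the related commits listed below point at: the OpenSSL build, the architecture, the libc version and whether the getrandom syscall answers. The function names and report keys are made up for this example.

```python
import errno
import os
import platform
import ssl


def probe_getrandom(nbytes=16):
    """Ask the kernel for random bytes through os.getrandom, without blocking."""
    if not hasattr(os, "getrandom"):
        # Python only exposes os.getrandom where it was available at build time.
        return "unavailable: os.getrandom not provided by this Python/platform"
    try:
        data = os.getrandom(nbytes, os.GRND_NONBLOCK)
    except BlockingIOError:
        return "not ready: kernel entropy pool not yet initialised"
    except OSError as exc:
        # ENOSYS here means the running kernel (or a sandbox filter) rejects the call.
        return "failed: " + errno.errorcode.get(exc.errno, str(exc.errno))
    return "ok" if len(data) == nbytes else "short read"


def probe_ssl_context():
    """Create the default TLS context, the step that raised 'malloc failure'."""
    try:
        ssl.create_default_context()
    except ssl.SSLError as exc:
        return "failed: " + str(exc)
    return "ok"


def collect_report():
    """Gather the environment facts worth attaching to a report of this failure."""
    return {
        "machine": platform.machine(),
        "libc": " ".join(platform.libc_ver()),
        "openssl": ssl.OPENSSL_VERSION,
        "getrandom": probe_getrandom(),
        "ssl_context": probe_ssl_context(),
    }


if __name__ == "__main__":
    for key, value in collect_report().items():
        print(f"{key:12} {value}")
```

Running it in both the failing environment and one built with the workaround gives two reports that differ only in the lines that matter.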
About this issue
- State: closed
- Created 5 years ago
- Reactions: 2
- Comments: 23 (17 by maintainers)
Commits related to this issue
- Add defines for __NR_getrandom for all Linux architectures Fixes: #10015 — committed to kroeckx/openssl by kroeckx 5 years ago
- Add defines for __NR_getrandom for all Linux architectures Fixes: #10015 Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> GH: #10044 (cherry picked from commit 4dcb150ea30f9bbfa7946e6b39c30a8... — committed to openssl/openssl by kroeckx 5 years ago
- deps: openssl: cherry-pick 4dcb150ea30f OpenSSL 1.1.1d does not ship with getrandom syscall being predefined on all architectures. So when NodeJS is run with glibc prior to 2.25, where getentropy is ... — committed to nodejs/node by AdamMajer 4 years ago
- Merged upstream tag 1.1.1f (#167) * crypto/threads_win.c: fix preprocessor indentation Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/9860) ... — committed to open-quantum-safe/openssl by christianpaquin 4 years ago
- Only use hybrid level 1 KEMs in default curves list (#163) * Only use hybrid level 1 KEMs in default curves list * Pass KEM to server in TLS connection test * re-enable check-in connection test... — committed to open-quantum-safe/openssl by dstebila 4 years ago
I don’t think option 3 is something a library should do.