Python 2.7 TLS Broken on GitHub? [solved]

Posted on
Sat Feb 03, 2018 9:29 am
DaveL17 offline
User avatar
Posts: 6742
Joined: Aug 20, 2013
Location: Chicago, IL, USA

Python 2.7 TLS Broken on GitHub? [solved]

I have been using the excellent IndigoPluginUpdateChecker module in my plugins and have not had any issues until now. GitHub is apparently not happy with the urllib2 call under TLS:

Code: Select all
urllib2.URLError: <urlopen error [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:590)>
  • Tried the requests library in addition to urllib2 with the same result, in addition to running a simple attempt with a short script written from scratch (the page loads just fine in Safari).
  • Tried with both https:// and http://.
  • Running a straight call to the Weather Underground API works as expected.
  • Tried overcoming with Dropbox and Box but neither serve up .html files cleanly.

I wonder if a recent Apple security update might not have something to do with it.... Any suggestions to overcome this limitation until we can do update checking through the Indigo Plugin Store?
Last edited by DaveL17 on Sun Feb 04, 2018 6:39 am, edited 1 time in total.

I came here to drink milk and kick ass....and I've just finished my milk.

[My Plugins] - [My Forums]

Posted on
Sat Feb 03, 2018 10:22 am
DaveL17 offline
User avatar
Posts: 6742
Joined: Aug 20, 2013
Location: Chicago, IL, USA

Re: Python 2.7 TLS Broken on GitHub?

Sent you a PM. Thanks for looking into this!

I came here to drink milk and kick ass....and I've just finished my milk.

[My Plugins] - [My Forums]

Posted on
Sun Feb 04, 2018 6:38 am
DaveL17 offline
User avatar
Posts: 6742
Joined: Aug 20, 2013
Location: Chicago, IL, USA

Re: Python 2.7 TLS Broken on GitHub?

Thanks to @Ianbrown who suggested I try curl, looks like I have a solution. This is tailored to my situation which uses GitHub to serve the file necessary for the IndigoPluginUpdateChecker() module to do its thing. Note the 'raw' in the URL--this is the path that serves the file without any html formatting or other stuff.

My URL for reaching out to GitHub (goes in plugin.py):
Code: Select all
url = 'https://raw.githubusercontent.com/USERNAME/REPO_NAME/master/FILENAME.html'


The changes I made to Travis' indigoPluginUpdateChecker() module
Code: Select all
import subprocess

# Replace this:
f = urlopen(self.fileUrl)

# With this:
f = subprocess.Popen(["curl", "-k", self.fileUrl], stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=False)
out, err = f.communicate()

# and replace this:
lines = f.read().split('\n')

# With This:
lines = out.split('\n')

Could also modify the code to use 'err', but I didn't feel it was needed.
Last edited by DaveL17 on Sun Feb 04, 2018 12:18 pm, edited 1 time in total.

I came here to drink milk and kick ass....and I've just finished my milk.

[My Plugins] - [My Forums]

Posted on
Sun Feb 04, 2018 9:24 am
kw123 offline
User avatar
Posts: 8333
Joined: May 12, 2013
Location: Dallas, TX

Re: Python 2.7 TLS Broken on GitHub? [solved]

I have the same problem. There is a way to update openssl but it requires to reboot in recovery mode then replace the lib and reboot again. If you have a published plugin that will likely not work for the users. Hence I have switched to curl. Does the trick but you need to understand how to use the security cookies. See the other thread

Karl.


Sent from my iPhone using Tapatalk

Posted on
Sun Feb 04, 2018 12:19 pm
DaveL17 offline
User avatar
Posts: 6742
Joined: Aug 20, 2013
Location: Chicago, IL, USA

Re: Python 2.7 TLS Broken on GitHub? [solved]

Thanks all. I reread my post above and edited to be more clear. I said it was tailored to my purpose, but that was really only referring to the target URL.

I came here to drink milk and kick ass....and I've just finished my milk.

[My Plugins] - [My Forums]

Posted on
Sun Feb 04, 2018 12:42 pm
jay (support) offline
Site Admin
User avatar
Posts: 18199
Joined: Mar 19, 2008
Location: Austin, Texas

Re: Python 2.7 TLS Broken on GitHub? [solved]

DaveL17 wrote:
Thanks all. I reread my post above and edited to be more clear. I said it was tailored to my purpose, but that was really only referring to the target URL.


If you are connecting to GitHub to do version checking I'd recommend not wasting your time with other solutions. We'll have an API for checking versions on the plugin store pretty soon.

Jay (Indigo Support)
Twitter | Facebook | LinkedIn

Posted on
Sun Feb 04, 2018 5:13 pm
jay (support) offline
Site Admin
User avatar
Posts: 18199
Joined: Mar 19, 2008
Location: Austin, Texas

Re: Python 2.7 TLS Broken on GitHub? [solved]

I hope in the next week or so.

Jay (Indigo Support)
Twitter | Facebook | LinkedIn

Posted on
Mon Feb 05, 2018 6:58 am
DaveL17 offline
User avatar
Posts: 6742
Joined: Aug 20, 2013
Location: Chicago, IL, USA

Re: Python 2.7 TLS Broken on GitHub? [solved]

The solution above seems to be working well. I plan to switch my plugins to the upcoming Indigo Plugin Store version tracking system when it becomes available, but until then, it seems that this will do the trick.

I came here to drink milk and kick ass....and I've just finished my milk.

[My Plugins] - [My Forums]

Posted on
Tue Feb 20, 2018 5:56 pm
jay (support) offline
Site Admin
User avatar
Posts: 18199
Joined: Mar 19, 2008
Location: Austin, Texas

Re: Python 2.7 TLS Broken on GitHub? [solved]


Jay (Indigo Support)
Twitter | Facebook | LinkedIn

Posted on
Thu Feb 22, 2018 7:02 pm
GlennNZ offline
User avatar
Posts: 1555
Joined: Dec 07, 2014
Location: Central Coast, Australia

Re: Python 2.7 TLS Broken on GitHub? [solved]

Thanks Dave for the pointers

For those using the ghpu.py update code, the following change to curl works

Changed _Get Def

Code: Select all
   def _GET(self, requestPath):
      self.logger.debug('GET %s' % requestPath)
      headers = {
         'User-Agent': 'Indigo-Plugin-Updater',
         'Accept': 'application/vnd.github.v3+json'
      }
      data = None
      requestPath = 'https://api.github.com'+ requestPath
      #conn = httplib.HTTPSConnection('api.github.com')
      #conn.request('GET', requestPath, None, headers)
      #resp = conn.getresponse()
      f = subprocess.Popen(["curl",  requestPath], stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=False)
   #'-H', str(headers), "-k",
      out, err = f.communicate()
      self.logger.debug(u'HTTP Err result:'+unicode(err) )
      self.logger.debug(u'ReturnCode:{0}'.format(unicode(f.returncode)))
      #self.sleep(1)
      if (int(f.returncode) == 0):
         data = json.loads(out)
         self.logger.debug(u'Json results:'+unicode(data))
      elif (400 <= f.status < 500):
         error = json.loads(out)
         self.logger.error('%s' % error['message'])
      else:
         self.logger.error('Error: %s' % unicode(err))

      return data

Posted on
Thu Feb 22, 2018 7:52 pm
DaveL17 offline
User avatar
Posts: 6742
Joined: Aug 20, 2013
Location: Chicago, IL, USA

Re: Python 2.7 TLS Broken on GitHub? [solved]

GlennNZ wrote:
Thanks Dave for the pointers

Cheers!

I came here to drink milk and kick ass....and I've just finished my milk.

[My Plugins] - [My Forums]

Posted on
Thu Mar 01, 2018 10:03 pm
kmarkley offline
Posts: 185
Joined: Nov 15, 2016

Re: Python 2.7 TLS Broken on GitHub? [solved]

The fix above fixes ghpu.py checking for releases, but not installing them. The method _getZipFileFromRelease also needs to be converted to curl for a full solution:

Code: Select all
    def _getZipFileFromRelease(self, release):
        # download and verify zipfile from the release package
        zipball = release.get('zipball_url', None)
        if (zipball == None):
            raise Exception('Invalid release package: no zipball')

        self._debug('Downloading zip file: %s' % zipball)

        # zipdata = urlopen(zipball).read()
        f = subprocess.Popen(["curl", "-L",  zipball], stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=False)
        zipdata, err = f.communicate()
        self._debug(u'HTTP Err result:'+unicode(err) )
        self._debug(u'ReturnCode:{0}'.format(unicode(f.returncode)))
        zipfile = ZipFile(StringIO(zipdata))

        self._debug('Verifying zip file (%d bytes)...' % len(zipdata))
        if (zipfile.testzip() != None):
            raise Exception('Download corrupted')

        return zipfile

Page 1 of 1

Who is online

Users browsing this forum: No registered users and 2 guests