Question posted in 
I have a Django app running on an old CentOS 7 box, and to have my own python3 environment there I’m using venv and pip. Today I rebuilt my environment, and suddenly, I had an ssl related backtrace.
[root@miketug1 teleworker]# vpython manage.py showmigrations
Traceback (most recent call last):
File "manage.py", line 22, in <module>
execute_from_command_line(sys.argv)
File "/usr/lib/tug/env/lib64/python3.6/site-packages/django/core/management/__init__.py", line 364, in execute_from_command_line
utility.execute()
File "/usr/lib/tug/env/lib64/python3.6/site-packages/django/core/management/__init__.py", line 338, in execute
django.setup()
File "/usr/lib/tug/env/lib64/python3.6/site-packages/django/__init__.py", line 27, in setup
apps.populate(settings.INSTALLED_APPS)
File "/usr/lib/tug/env/lib64/python3.6/site-packages/django/apps/registry.py", line 108, in populate
app_config.import_models()
File "/usr/lib/tug/env/lib64/python3.6/site-packages/django/apps/config.py", line 202, in import_models
self.models_module = import_module(models_module_name)
File "/usr/lib64/python3.6/importlib/__init__.py", line 126, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "<frozen importlib._bootstrap>", line 994, in _gcd_import
File "<frozen importlib._bootstrap>", line 971, in _find_and_load
File "<frozen importlib._bootstrap>", line 955, in _find_and_load_unlocked
File "<frozen importlib._bootstrap>", line 665, in _load_unlocked
File "<frozen importlib._bootstrap_external>", line 678, in exec_module
File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
File "/etc/e-smith/web/django/teleworker/dashboard/models.py", line 9, in <module>
import teleworker.lib.common as commonlib
File "/etc/e-smith/web/django/teleworker/lib/common.py", line 35, in <module>
import requests
File "/usr/lib/tug/env/lib64/python3.6/site-packages/requests/__init__.py", line 95, in <module>
from urllib3.contrib import pyopenssl
File "/usr/lib/tug/env/lib64/python3.6/site-packages/urllib3/contrib/pyopenssl.py", line 46, in <module>
import OpenSSL.SSL
File "/usr/lib/tug/env/lib64/python3.6/site-packages/OpenSSL/__init__.py", line 8, in <module>
from OpenSSL import crypto, SSL
File "/usr/lib/tug/env/lib64/python3.6/site-packages/OpenSSL/SSL.py", line 664, in <module>
_lib.Cryptography_HAS_TLSEXT_HOSTNAME, "SNI not available"
AttributeError: module 'lib' has no attribute 'Cryptography_HAS_TLSEXT_HOSTNAME'
The versions of my modules are set in a requirements.txt file, which did not change. I was running pyOpenSSL 19.0.0, with Python 3.6. I upgraded to pyOpenSSL 20.0.0 and the problem went away, but I am confused as to how this could happen unless the 19.0.0 version on PyPI was changed, as I’ve used fixed versions of this module for some time now.
Can anyone explain what happened here? I’d like to avoid anything similar in the future. Thanks.
4
Answers
I think I found it. I didn't have the cryptography module in my requirements.txt, so it was upgraded to the latest version without upgrading pyOpenSSL which was in my requirements.txt file. Seems like some kind of dependency should have prevented this, but I'm updating my requirements.txt to include everything now.
The root cause for this issue is the latest cryptography-3.3 package which was released 20 hours ago; unfortunately, the pyopenssl-19 has a weird requirement (cryptography >=2.3) hence the pip install automatically upgraded the cryptography to 3.3.
There’s a new cryptography 3.3.1 which fixes the issue
We have both pip and pip3 installed. So the following sequence is what fixed it for me:
sudo apt update; pip install -U cryptography; sudo apt remove python3-openssl -y; sudo apt autoremove; pip3 install -U cryptography;