linux
Denis Nikanorov, 2014-11-10 14:59:55

How to make python work with modified OpenSSL (with GOST support)?

I'm trying to get Python 2.7 to work with OpenSSL compiled with GOST support. I configured OpenSSL with
./config shared zlib enable-rfc3779
and then installed it (make depend, make, make test, make install). I added to openssl.conf:

openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
gost = gost_section
[gost_section]
engine_id = gost
default_algorithms = ALL

After that, the command started returning the following:
openssl ciphers | tr ":" "\n" | grep GOST
GOST2001-GOST89-GOST89
GOST94-GOST89-GOST89

and openssl s_client -connect test.domain.ru:443 successfully connects to the site and requests are successfully completed (the standard lib does not work this way).

After that I tried to build Python with support for the new lib: I tried to uncomment the SSL variable in Modules/Setup.dist and a couple of lines below it that relate to compiling ssl, and I also checked the ssl_incs and ssl_libs variables in setup.py during installation (they contain exactly the folder containing the new OpenSSL). Next, I put Python in my home folder. But when I run this script, I still get the error
import urllib2
print(urllib2.urlopen('https://test.domain.ru/').read())


urllib2.URLError: <urlopen error [Errno 1] _ssl.c:501: error:140920F8:SSL routines:SSL3_GET_SERVER_HELLO:unknown cipher returned>

Does anyone know how to get Python to work with this modified OpenSSL, or is there another way to get Python to support GOST algorithms?
Operating system: Linux Mint 17 x64


2 answer(s)
Denis Nikanorov, 2016-03-29
@SlimHouse

As a result, through trial and error, I arrived at the following solution (with the caveat that it is a quick-and-dirty one; if someone suggests ways to make it stable, I will be in favor).
1. In the openssl.cnf config:
- add at the very beginning
- add at the end

[openssl_def]
engines = engine_section
[engine_section]
gost = gost_section
[gost_section]
engine_id = gost
default_algorithms = ALL

We check that everything works with the commands:
openssl ciphers |tr ":" "\n" |grep GOST
openssl engine gost -t
openssl engine

2. Next, download the Python sources for assembly (tested on versions 2.7.8 and 2.7.9) and unpack, for example:
3. In the sources, open the Modules/_ssl.c file and do the following:
- look for the includes:
#include <openssl/x509.h>
#include <openssl/err.h>
#include <openssl/rand.h>

after them we add
- look for the init_ssl function. In it, before the lines
SSL_library_init();
SSL_load_error_strings();

insert
4. We build Python and check that it works with GOST.

dosbear, 2017-12-19
@dosbear

Thanks for your solution. I will supplement it with an example of using it to access sites:
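import ssl
import urllib2

# Restrict the handshake to the GOST suites provided by the engine.
# A bare SSLContext leaves verify_mode at CERT_NONE, so the server certificate is not verified.
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
ctx.set_ciphers('GOST2001-GOST89-GOST89:GOST94-GOST89-GOST89')
print urllib2.urlopen("https://test.domain.ru/", context=ctx).read()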
Without declaring the context, urllib2 didn't work for me
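
Before debugging the handshake, it helps to confirm which OpenSSL the Python build is actually linked against and whether it can select the GOST suites listed by `openssl ciphers` above. The following is an added example, not code from either answer; the function names `new_context`, `probe_ciphers` and `report` are made up for illustration, and it uses only the standard `ssl` module.

```python
from __future__ import print_function
import ssl

# Cipher suite names taken from the `openssl ciphers` output on this page.
GOST_SUITES = ["GOST2001-GOST89-GOST89", "GOST94-GOST89-GOST89"]


def new_context():
    """Client-side context; PROTOCOL_TLS_CLIENT does not exist on Python 2.7."""
    proto = getattr(ssl, "PROTOCOL_TLS_CLIENT", None)
    if proto is None:
        proto = ssl.PROTOCOL_SSLv23
    return ssl.SSLContext(proto)


def probe_ciphers(names):
    """Map each cipher string to True if the linked OpenSSL can select it."""
    result = {}
    for name in names:
        ctx = new_context()
        try:
            # Raises SSLError ("No cipher can be selected.") when nothing matches.
            ctx.set_ciphers(name)
            result[name] = True
        except ssl.SSLError:
            result[name] = False
    return result


def report():
    """Collect what the running interpreter's _ssl module is linked against."""
    return {
        "openssl_version": ssl.OPENSSL_VERSION,
        "gost": probe_ciphers(GOST_SUITES),
    }


if __name__ == "__main__":
    info = report()
    print("Python is linked against:", info["openssl_version"])
    for suite, ok in sorted(info["gost"].items()):
        print("%-26s %s" % (suite, "available" if ok else "NOT available"))
```

A version string that still names the system library means the interpreter is not using the custom build; a correct version with both suites unavailable means that library, as loaded by Python, has not enabled the GOST algorithms.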
