Original Message:
Sent: Wed March 30, 2022 03:45 AM
From: Ayappan P
Subject: Ansible with Python3 and cryptography 3.2.1 gives OpenSSL error even after upgrade to OpenSSL 1.1.1
We have built cryptography 3.4.7 with openssl 1.1.1 but because of some internal process here, uploading it to Toolbox is getting delayed.
------------------------------
Ayappan P
Original Message:
Sent: Wed March 30, 2022 03:31 AM
From: Stephan Dietl
Subject: Ansible with Python3 and cryptography 3.2.1 gives OpenSSL error even after upgrade to OpenSSL 1.1.1
Hello @Ayappan P !
After upgrading to the newest available packages today:
# python3 -m pip list|grep -E "ansible |crypto|requests"
ansible 2.9.25
cryptography 3.2.1 # no upgrade available!
requests 2.27.1
I still get the aforementioned error message:
# ansibleERROR! Unexpected Exception, this is probably a bug: You are linking against OpenSSL 1.0.2, which is no longer supported by the OpenSSL project. To use this version of cryptography you need to upgrade to a newer version of OpenSSL. For this version only you can also set the environment variable CRYPTOGRAPHY_ALLOW_OPENSSL_102 to allow OpenSSL 1.0.2.the full traceback was:Traceback (most recent call last): File "/opt/freeware/bin/ansible", line 92, in <module> mycli = getattr(__import__("ansible.cli.%s" % sub, fromlist=[myclass]), myclass) File "/opt/freeware/lib/python3.7/site-packages/ansible/cli/__init__.py", line 22, in <module> from ansible.inventory.manager import InventoryManager File "/opt/freeware/lib/python3.7/site-packages/ansible/inventory/manager.py", line 38, in <module> from ansible.plugins.loader import inventory_loader File "/opt/freeware/lib/python3.7/site-packages/ansible/plugins/loader.py", line 23, in <module> from ansible.parsing.utils.yaml import from_yaml File "/opt/freeware/lib/python3.7/site-packages/ansible/parsing/utils/yaml.py", line 17, in <module> from ansible.parsing.yaml.loader import AnsibleLoader File "/opt/freeware/lib/python3.7/site-packages/ansible/parsing/yaml/loader.py", line 30, in <module> from ansible.parsing.yaml.constructor import AnsibleConstructor File "/opt/freeware/lib/python3.7/site-packages/ansible/parsing/yaml/constructor.py", line 30, in <module> from ansible.parsing.vault import VaultLib File "/opt/freeware/lib/python3.7/site-packages/ansible/parsing/vault/__init__.py", line 52, in <module> CRYPTOGRAPHY_BACKEND = default_backend() File "/opt/freeware/lib64/python3.7/site-packages/cryptography/hazmat/backends/__init__.py", line 15, in default_backend from cryptography.hazmat.backends.openssl.backend import backend File "/opt/freeware/lib64/python3.7/site-packages/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module> from cryptography.hazmat.backends.openssl.backend import backend File "/opt/freeware/lib64/python3.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 117, in <module> from cryptography.hazmat.bindings.openssl import binding File "/opt/freeware/lib64/python3.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 222, in <module> _verify_openssl_version(Binding.lib) File "/opt/freeware/lib64/python3.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 183, in _verify_openssl_version "You are linking against OpenSSL 1.0.2, which is no longer "RuntimeError: You are linking against OpenSSL 1.0.2, which is no longer supported by the OpenSSL project. To use this version of cryptography you need to upgrade to a newer version of OpenSSL. For this version only you can also set the environment variable CRYPTOGRAPHY_ALLOW_OPENSSL_102 to allow OpenSSL 1.0.2.
Is there more to be done to get rid of this error?
Thanks!
------------------------------
Stephan Dietl
Original Message:
Sent: Mon March 14, 2022 01:21 PM
From: Ayappan P
Subject: Ansible with Python3 and cryptography 3.2.1 gives OpenSSL error even after upgrade to OpenSSL 1.1.1
We are working on updating the version of requests package in Toolbox which will fix this issue.
Hopefully we will be able to update it before the end of next week.
------------------------------
Ayappan P
Original Message:
Sent: Mon March 07, 2022 07:31 AM
From: Stephan Dietl
Subject: Ansible with Python3 and cryptography 3.2.1 gives OpenSSL error even after upgrade to OpenSSL 1.1.1
Hello!
Please, I want to ask again if there are any news regarding this issue?
Thanks,
With kind regards,
Stephan Dietl
------------------------------
Stephan Dietl
Original Message:
Sent: Thu January 06, 2022 05:50 AM
From: Rishita Saha
Subject: Ansible with Python3 and cryptography 3.2.1 gives OpenSSL error even after upgrade to OpenSSL 1.1.1
Hi Stephan,
We are looking into the issue and we shall fix this in the next update.
Regards,
------------------------------
Rishita Saha
Original Message:
Sent: Fri December 17, 2021 09:10 AM
From: Stephan Dietl
Subject: Ansible with Python3 and cryptography 3.2.1 gives OpenSSL error even after upgrade to OpenSSL 1.1.1
Hello!
Just a quick addendum so that it may not be overlooked, this is what I get when I start an ansible job with the environment variable set:
/opt/freeware/lib64/python3.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py:179: CryptographyDeprecationWarning: OpenSSL version 1.0.2 is no longer supported by the OpenSSL project, please upgrade. The next version of cryptography will completely remove support for it.
utils.CryptographyDeprecationWarning,
...
/opt/freeware/lib/python3.7/site-packages/requests/__init__.py:91: RequestsDependencyWarning: urllib3 (1.26.7) or chardet (3.0.4) doesn't match a supported version!
RequestsDependencyWarning)
Is this also fixed by this? Thanks!
------------------------------
Stephan Dietl
Original Message:
Sent: Thu December 16, 2021 05:21 AM
From: Stephan Dietl
Subject: Ansible with Python3 and cryptography 3.2.1 gives OpenSSL error even after upgrade to OpenSSL 1.1.1
Hello @SANGAMESH MALLAYYA !
Thanks for the information, I´ll wait for the updated package :) !
With kind regards,
Stephan Dietl
------------------------------
Stephan Dietl
Original Message:
Sent: Thu December 16, 2021 03:33 AM
From: SANGAMESH MALLAYYA
Subject: Ansible with Python3 and cryptography 3.2.1 gives OpenSSL error even after upgrade to OpenSSL 1.1.1
Hi Stephan,
Yes. We are working to build cryptography with latest openssl-1.1.1.
------------------------------
SANGAMESH
Original Message:
Sent: Wed December 15, 2021 07:52 AM
From: Stephan Dietl
Subject: Ansible with Python3 and cryptography 3.2.1 gives OpenSSL error even after upgrade to OpenSSL 1.1.1
Hello!
I´ve been using Ansible sucessfully for quite a while on our AIX LPARs and now ran into the following problem:
# ansible -u $USER -m shell -a 'id' $SERVER
ERROR! Unexpected Exception, this is probably a bug: You are linking against OpenSSL 1.0.2, which is no longer supported by the OpenSSL project. To use this version of cryptography you need to upgrade to a newer version of OpenSSL. For this version only you can also set the environment variable CRYPTOGRAPHY_ALLOW_OPENSSL_102 to allow OpenSSL 1.0.2.
the full traceback was:
Traceback (most recent call last):
File "/opt/freeware/bin/ansible", line 92, in <module>
mycli = getattr(__import__("ansible.cli.%s" % sub, fromlist=[myclass]), myclass)
File "/opt/freeware/lib/python3.7/site-packages/ansible/cli/__init__.py", line 22, in <module>
from ansible.inventory.manager import InventoryManager
File "/opt/freeware/lib/python3.7/site-packages/ansible/inventory/manager.py", line 38, in <module>
from ansible.plugins.loader import inventory_loader
File "/opt/freeware/lib/python3.7/site-packages/ansible/plugins/loader.py", line 23, in <module>
from ansible.parsing.utils.yaml import from_yaml
File "/opt/freeware/lib/python3.7/site-packages/ansible/parsing/utils/yaml.py", line 17, in <module>
from ansible.parsing.yaml.loader import AnsibleLoader
File "/opt/freeware/lib/python3.7/site-packages/ansible/parsing/yaml/loader.py", line 30, in <module>
from ansible.parsing.yaml.constructor import AnsibleConstructor
File "/opt/freeware/lib/python3.7/site-packages/ansible/parsing/yaml/constructor.py", line 30, in <module>
from ansible.parsing.vault import VaultLib
File "/opt/freeware/lib/python3.7/site-packages/ansible/parsing/vault/__init__.py", line 52, in <module>
CRYPTOGRAPHY_BACKEND = default_backend()
File "/opt/freeware/lib64/python3.7/site-packages/cryptography/hazmat/backends/__init__.py", line 15, in default_backend
from cryptography.hazmat.backends.openssl.backend import backend
File "/opt/freeware/lib64/python3.7/site-packages/cryptography/hazmat/backends/openssl/__init__.py", line 7, in <module>
from cryptography.hazmat.backends.openssl.backend import backend
File "/opt/freeware/lib64/python3.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 117, in <module>
from cryptography.hazmat.bindings.openssl import binding
File "/opt/freeware/lib64/python3.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 222, in <module>
_verify_openssl_version(Binding.lib)
File "/opt/freeware/lib64/python3.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py", line 183, in _verify_openssl_version
"You are linking against OpenSSL 1.0.2, which is no longer "
RuntimeError: You are linking against OpenSSL 1.0.2, which is no longer supported by the OpenSSL project. To use this version of cryptography you need to upgrade to a newer version of OpenSSL. For this version only you can also set the environment variable CRYPTOGRAPHY_ALLOW_OPENSSL_102 to allow OpenSSL 1.0.2.
Python3 is displaying:
# python3 -c 'import ssl; print(ssl.OPENSSL_VERSION)'
OpenSSL 1.0.2u 20 Dec 2019
But installed is only the OpenSSL 1.1.1 from the IBM website:
# lslpp -L|grep -i openssl
openssl.base 1.1.1.1200 C F Open Secure Socket Layer
# openssl version
OpenSSL 1.1.1l 24 Aug 2021
My environment looks like this:
# python3 -m pip list
Package Version
------------------- ---------
ansible 2.9.14
ansible-builder 0.6.0
ansible-cmdb 1.31
ansible-generator 2.1.4
ansible-runner 1.4.7
certifi 2019.9.11
cffi 1.13.2
chardet 3.0.4
cryptography 3.2.1
dataclasses 0.6
docutils 0.17.1
idna 2.8
Jinja2 2.10.3
jmespath 0.9.4
jsonxs 0.6
lockfile 0.12.2
Mako 1.1.4
MarkupSafe 1.1.1
pexpect 4.8.0
pip 20.1.1
psutil 5.8.0
ptyprocess 0.7.0
pycparser 2.19
python-daemon 2.3.0
python-tss-sdk 0.0.6
PyYAML 5.4.1
requests 2.22.0
requirements-parser 0.2.0
sentry-sdk 1.1.0
setuptools 47.1.0
six 1.13.0
toml 0.10.2
urllib3 1.26.7
ushlex 0.99.1
# yum list installed python*
Loaded plugins: allowdowngrade, changelog, filter-data, merge-conf, ps, versionlock
Installed Packages
python.ppc 2.7.18-3 @AIX_Toolbox
python-dateutil.noarch 2.6.0-1 @AIX_Toolbox_noarch
python-devel.ppc 2.7.18-3 @AIX_Toolbox
python-iniparse.noarch 0.4-1 @AIX_Toolbox_noarch
python-pycurl.ppc 7.43.0-1 @AIX_Toolbox
python-requests.noarch 2.4.3-1 @AIX_Toolbox_noarch
python-setuptools.noarch 0.9.8-2 @AIX_Toolbox_noarch
python-six.noarch 1.10.0-1 @AIX_Toolbox_noarch
python-tools.ppc 2.7.18-3 @AIX_Toolbox
python-urlgrabber.noarch 3.10.1-1 @AIX_Toolbox_noarch
python3.ppc 3.7.11-1 @AIX_Toolbox
python3-certifi.noarch 2019.9.11-1 @AIX_Toolbox_noarch
python3-cffi.ppc 1.13.2-1 @AIX_Toolbox
python3-chardet.noarch 3.0.4-1 @AIX_Toolbox_noarch
python3-cryptography.ppc 3.2.1-1 @AIX_Toolbox
python3-devel.ppc 3.7.11-1 @AIX_Toolbox
python3-idna.noarch 2.8-1 @AIX_Toolbox_noarch
python3-jinja2.noarch 2.10.3-1 @AIX_Toolbox_noarch
python3-jmespath.noarch 0.9.4-1 @AIX_Toolbox_noarch
python3-markupsafe.ppc 1.1.1-1 @AIX_Toolbox
python3-pycparser.noarch 2.19-1 @AIX_Toolbox_noarch
python3-pyyaml.ppc 5.4.1.1-1 @AIX_Toolbox
python3-requests.noarch 2.22.0-1 @AIX_Toolbox_noarch
python3-six.noarch 1.13.0-1 @AIX_Toolbox_noarch
python3-urllib3.noarch 1.26.7-1 @AIX_Toolbox_noarch
If I set the environment variable it works again but with a warning:
export CRYPTOGRAPHY_ALLOW_OPENSSL_102=1
# ansible -u $USER -m shell -a 'id' $SERVER
/opt/freeware/lib64/python3.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py:179: CryptographyDeprecationWarning: OpenSSL version 1.0.2 is no longer supported by the OpenSSL project, please upgrade. The next version of cryptography will completely remove support for it.
utils.CryptographyDeprecationWarning,
How do I get the AIX toolbox python3 to recognize the new OpenSSL?
Thanks in advance for any help,
With kind regards,
Stephan Dietl (Porsche Informatik)
------------------------------
Stephan Dietl
------------------------------