Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.python > #78040

Re: hashlib suddenly broken

References <mailman.14109.1411057681.18130.python-list@python.org> <541b1158$0$29967$c3e8da3$5496439d@news.astraweb.com> <CACwCsY7Q2SoZCr1w8k+fH=cV0zhfxBhyYDXJQZW5+VUus0k+5g@mail.gmail.com>
Date 2014-09-18 13:46 -0600
Subject Re: hashlib suddenly broken
From Larry Martell <larry.martell@gmail.com>
Newsgroups comp.lang.python
Message-ID <mailman.14122.1411069574.18130.python-list@python.org> (permalink)

Show all headers | View raw

On Thu, Sep 18, 2014 at 1:22 PM, Larry Martell <larry.martell@gmail.com> wrote:
> On Thu, Sep 18, 2014 at 11:07 AM, Steven D'Aprano
> <steve+comp.lang.python@pearwood.info> wrote:
>> Larry Martell wrote:
>>
>>> I am on a mac running 10.8.5, python 2.7
>>>
>>> Suddenly, many of my scripts started failing with:
>>>
>>> ValueError: unsupported hash type sha1
>> [...]
>>> This just started happening yesterday, and I cannot think of anything
>>> that I've done that could cause this.
>>
>> Ah, the ol' "I didn't change anything, I swear!" excuse *wink*
>>
>> But seriously... did you perhaps upgrade Python prior to yesterday? Or
>> possibly an automatic update ran?
>
> No, I did not upgrade or install anything.
>
>> Check the creation/last modified dates on:
>>
>> /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/hashlib.py
>
> That was in my original post:
>
> $ ls -l /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/hashlib.py
> -rw-r--r--  1 root  wheel  5013 Apr 12  2013
> /System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/hashlib.py
>
>
>> but I expect that's probably not where the problem lies. My *wild guess* is
>> that your system updated SSL, and removed some underlying SHA-1 library
>> needed by hashlib. SHA-1 is pretty old, and there is now a known attack on
>> it, so some over-zealous security update may have removed it.
>>
>> If that's the case, it really is over-zealous, for although SHA-1 is
>> deprecated, the threat is still some years away. Microsoft, Google and
>> Mozilla have all announced that they will continue accepting it until 2017.
>> I can't imagine why Apple would removed it so soon.
>
>
> So you know how I could check and see if I have SHA-1 and when my SSL
> was updated?

Nothing appears to have been recently changed:

$ ls -la /System/Library/Frameworks/Python.framework/Versions/2.7/Extras/lib/python/OpenSSL
total 224
drwxr-xr-x  12 root  wheel     408 Jun 20  2012 .
drwxr-xr-x  41 root  wheel    1394 Apr 13  2013 ..
-rwxr-xr-x   1 root  wheel  124736 Apr 12  2013 SSL.so
-rw-r--r--   1 root  wheel     965 Apr 12  2013 __init__.py
-rw-r--r--   1 root  wheel     991 Apr 12  2013 __init__.pyc
-rwxr-xr-x   1 root  wheel  168544 Apr 12  2013 crypto.so
-rwxr-xr-x   1 root  wheel   40864 Apr 12  2013 rand.so
drwxr-xr-x  12 root  wheel     408 Jun 20  2012 test
-rw-r--r--   1 root  wheel    1010 Apr 12  2013 tsafe.py
-rw-r--r--   1 root  wheel    1775 Apr 12  2013 tsafe.pyc
-rw-r--r--   1 root  wheel     176 Apr 12  2013 version.py
-rw-r--r--   1 root  wheel     293 Apr 12  2013 version.pyc

Back to comp.lang.python | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread

Thread

hashlib suddenly broken Larry Martell <larry.martell@gmail.com> - 2014-09-18 10:27 -0600
  Re: hashlib suddenly broken John Gordon <gordon@panix.com> - 2014-09-18 16:47 +0000
    Re: hashlib suddenly broken Larry Martell <larry.martell@gmail.com> - 2014-09-18 13:18 -0600
      Re: hashlib suddenly broken John Gordon <gordon@panix.com> - 2014-09-18 20:21 +0000
        Re: hashlib suddenly broken Larry Martell <larry.martell@gmail.com> - 2014-09-18 15:30 -0600
  Re: hashlib suddenly broken Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-09-19 03:07 +1000
    Re: hashlib suddenly broken Chris Angelico <rosuav@gmail.com> - 2014-09-19 03:18 +1000
    Re: hashlib suddenly broken Larry Martell <larry.martell@gmail.com> - 2014-09-18 13:22 -0600
    Re: hashlib suddenly broken Larry Martell <larry.martell@gmail.com> - 2014-09-18 13:23 -0600
    Re: hashlib suddenly broken Larry Martell <larry.martell@gmail.com> - 2014-09-18 13:46 -0600
    Re: hashlib suddenly broken Ned Deily <nad@acm.org> - 2014-09-18 13:44 -0700
    Re: hashlib suddenly broken Christian Heimes <christian@python.org> - 2014-09-18 22:49 +0200
    Re: hashlib suddenly broken Larry Martell <larry.martell@gmail.com> - 2014-09-18 15:38 -0600
    Re: hashlib suddenly broken Larry Martell <larry.martell@gmail.com> - 2014-09-18 15:39 -0600
    Re: hashlib suddenly broken Christian Heimes <christian@python.org> - 2014-09-19 00:17 +0200
    Re: hashlib suddenly broken Ned Deily <nad@acm.org> - 2014-09-18 15:19 -0700
      Re: hashlib suddenly broken Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2014-09-19 15:00 +1000
        Re: hashlib suddenly broken Larry Martell <larry.martell@gmail.com> - 2014-09-19 09:09 -0600

csiph-web