Azure-sdk-for-python: [uamqp] uAMQP reporting "Unable to set external certificates"

Created on 11 Sep 2019 · 16 Comments · Source: Azure/azure-sdk-for-python

On MacOS/Linux, uamqp will log the warning "Unable to set external certificates" but is still able to work despite this warning. This needs investigation.

Related information in uamqp "Setup the default underlying TLS IO layer. On Windows this is Schannel, on Linux and MacOS this is OpenSSL."

The problem doesn't exist on Ubuntu 18.04 with OpenSSL 1.1.1.

Client Event Hubs Service Bus customer-reported

All 16 comments

This happened to me on OSX with Anaconda but @johanste reports it happens in a non-Anaconda virtualenv. The proximate location of the error is here:

https://github.com/Azure/azure-uamqp-python/blob/7f667c1fb9c0d3bc5a2783af68ffe2dac1c6175b/src/xio.pyx#L80-L83

If you dig a bit further into the call there, after a few levels of indirection things seem to land in a C function io_interface_description->concrete_io_setoption, which I assume is implemented in the openssl library on OSX.

Hey guys, I am having the same issue with the latest version of openssl (1.1.1d) on osx with a virtualenv. I have the following issue: Unable to set external certificates. Do you know any workaround ?

Hi @oeeckhoutte ,

Thanks for reporting.
Are you using the library on Mac? And does the issue impact the functionality?

Yes I am using the library on Mac. Yes it gives me a segmentation fault.

Thanks @oeeckhoutte

Can you provide more context on this? e.g.

  • What's the version of the eventhub and uamqp libraries you're using? (You can use pip list to check.)

  • Does the segmentation fault happen in the case of sending or receiving or both?

  • Does the segmentation fault happen immediately after you start the program (not being able to send/receive entirely)?

It would be great if you could provide the code snippet that can reproduce the segmentation fault.

Same issue.

I'm using azure-servicebus 0.50.2, which uses uamqp 1.2.5. Also, I'm using python 3.7.6 and Mac 10.15.2.

Here's how to reproduce the error:

from azure.servicebus import QueueClient

queue_client = QueueClient.from_connection_string(connection_string, queue_name)
queue_client.list_sessions()  # return Unable to set external certificates.

Hi @Yaowei-Du , thanks for providing the code. We're investigating the issue.

Seeing the same issue on MacOSX 10.15.2, python 3.8.1 and azure-cli 2.0.80

Latest update on this issue:

I've located the code which leads to the warning:

On MacOS, when creating the TLSIO and its options in tlsio_appleios.c (code here):

tlsio_options_initialize(&result->options, TLSIO_OPTION_BIT_NONE);

The options of tlsio are set to TLSIO_OPTION_BIT_NONE.

However, in tlsio_options_set in tlsio_options.c when trying to set the cert (code here):

// Initialize the TLSIO_OPTIONS struct
void tlsio_options_initialize(TLSIO_OPTIONS* options, int supported_options)
{
    // Using static function rules, so 'options' is not checked for NULL
    //
    // The supported_options value does not need validation because undefined bits are
    // ignored, while any valid missing bits result in an "option not supported" error
    // that will show up in unit testing.
    options->supported_options = supported_options;
    options->trusted_certs = NULL;
    options->x509_type = TLSIO_OPTIONS_x509_TYPE_UNSPECIFIED;
    options->x509_cert = NULL;
    options->x509_key = NULL;
}

TLSIO_OPTIONS_RESULT tlsio_options_set(TLSIO_OPTIONS* options,
    const char* optionName, const void* value)
{
    // code...
        if ((options->supported_options & TLSIO_OPTION_BIT_TRUSTED_CERTS) == 0)  // The check will fail here.
        {
            LogError("Trusted certs option not supported");
            result = TLSIO_OPTIONS_RESULT_ERROR;
        }
    // code...
}

The code is checking supported_options TLSIO_OPTION_BIT_TRUSTED_CERTS against TLSIO_OPTION_BIT_NONE leading to the cert setting failure -- "Trusted certs option not supported".

After updating tlsio_options_initialize(&result->options, TLSIO_OPTION_BIT_NONE); to tlsio_options_initialize(&result->options, TLSIO_OPTION_BIT_TRUSTED_CERTS); in tlsio_appleios.c, there is no more warning.

I don't see other platform SSL implementations doing such a check.
The behavior of the TLS option on MacOS needs further investigation as to whether it's safe to update it so.
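Added example, not part of the thread and not the library's own code: a simplified C model of the supported-options gate described in the comment above, with a caller that either warns and continues (the behaviour reported in this issue) or refuses to connect when its CA bundle was rejected. All `demo_*` names, the bit values, the option name and the bundle string are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model; demo_* names, bit values and the option name are
   assumptions for this example, not the library's definitions. */
enum { DEMO_BIT_NONE = 0x00, DEMO_BIT_TRUSTED_CERTS = 0x01 };
typedef enum { DEMO_OK, DEMO_NOT_HANDLED, DEMO_ERROR } demo_result;
typedef struct {
    int supported_options;       /* fixed when the TLS IO is created */
    const char *trusted_certs;   /* caller's CA bundle, if accepted */
} demo_options;

static void demo_initialize(demo_options *o, int supported)
{
    o->supported_options = supported;
    o->trusted_certs = NULL;
}

static demo_result demo_set(demo_options *o, const char *name, const char *value)
{
    if (strcmp(name, "TrustedCerts") != 0)
        return DEMO_NOT_HANDLED;             /* option belongs to another layer */
    if ((o->supported_options & DEMO_BIT_TRUSTED_CERTS) == 0)
        return DEMO_ERROR;                   /* "Trusted certs option not supported" */
    o->trusted_certs = value;                /* model keeps a borrowed pointer */
    return DEMO_OK;
}

/* Caller policy. Returns 1 if the connection would go ahead, 0 if refused.
   *applied reports whether the caller's bundle was actually accepted. */
static int demo_connect(int supported, const char *bundle, int fail_closed, int *applied)
{
    demo_options o;
    demo_initialize(&o, supported);
    *applied = (demo_set(&o, "TrustedCerts", bundle) == DEMO_OK);
    if (!*applied && fail_closed)
        return 0;                            /* refuse rather than continue without it */
    if (!*applied)
        fprintf(stderr, "Unable to set external certificates\n");
    return 1;
}

int main(void)
{
    int applied;
    int up = demo_connect(DEMO_BIT_NONE, "constructed-bundle", 0, &applied);
    printf("warn-only:   connects=%d applied=%d\n", up, applied);
    up = demo_connect(DEMO_BIT_NONE, "constructed-bundle", 1, &applied);
    printf("fail-closed: connects=%d applied=%d\n", up, applied);
    return 0;
}
```

In the warn-only case the connection proceeds although the requested bundle was never stored, which is why the return value of the set call is worth checking wherever a specific trust store is required.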

@oeeckhoutte Did you turn on the uamqp log stuff?

On MacOS there is a known issue that enabling uamqp logging causes a segmentation fault crash.
As far as I know the certificate stuff doesn't cause a crash.

Hi,
Same here on MacOS X 10.15.3 with python 3.8.1 and azure-servicebus 0.50.2.

Happens when I call azure.servicebus.ServiceBusClient.get_subscription(topic, sub).get_receiver(mode=ReceiveSettleMode.PeekLock, NEXT_AVAILABLE)

Opened an issue in the azure-c-shared-utility repo: https://github.com/Azure/azure-c-shared-utility/issues/426

> @oeeckhoutte Did you turn on the uamqp log stuff?
>
> On MacOS there is a known issue that enabling uamqp logging causes a segmentation fault crash.
> As far as I know the certificate stuff doesn't cause a crash.

That's true. I got the same issue... your comment helps me a lot.

Segfault fixed here: https://github.com/Azure/azure-uamqp-python/pull/147.

(Although apparently the fix doesn't fly with the Windows builds.)

Hi all,

uamqp v1.2.7 is out which should fix the problem -- https://pypi.org/project/uamqp/1.2.7/

Please install the latest uamqp library by pip install uamqp==1.2.7 or pip install uamqp --upgrade

Feel free to re-open the issue if the problem still exists.
