I'm having hard time with pyOpenssl server to negotiate TLS 1.3. I used openssl s_client(1.3 supported) to connect to the server with no luck. However the server works with version TLS 1.2 and below.
Could you please help what am I missing? Thanks in advance!
tls_server.py
-------------
import socket
from OpenSSL import SSL
sslctx = SSL.Context(SSL.TLSv1_2_METHOD)
sslctx.set_options(SSL.OP_NO_TLSv1_2 | SSL.OP_NO_TLSv1_1 | SSL.OP_NO_TLSv1)
sslctx.set_cipher_list(b"TLS_AES_128_GCM_SHA256:AES128-GCM-SHA256")
sslctx.use_privatekey_file("key.pem")
sslctx.use_certificate_file("cert.pem")
bindsocket = socket.socket()
bindsocket.bind(('', 4433))
bindsocket.listen(5)
while True:
newsocket, fromaddr = bindsocket.accept()
sslconn = SSL.Connection(sslctx, newsocket)
sslconn.set_accept_state()
sslconn.do_handshake()
print(f"List of ciphers: {sslconn.get_cipher_list()}")
req = sslconn.read(4096)
print(req)
sslconn.write(b"HTTP/1.1 200 OK\r\nServer: my-special\r\nContent-length: 10\r\n\r\nHello!\r\n\r\n")
sslconn.set_shutdown(SSL.SENT_SHUTDOWN)
All I'm getting is the below error when I force my client to connect tls1.3 only
$ openssl version
OpenSSL 1.1.1d 10 Sep 2019
$ openssl s_client -connect localhost:4433 -tls1_3
4641068480:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40
and the server returns the trace:
$ python3.8 tls_server.py
Traceback (most recent call last):
File "tls_server.py", line 18, in <module>
sobj.do_handshake()
File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/OpenSSL/SSL.py", line 1934, in do_handshake
self._raise_ssl_error(self._ssl, result)
File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/OpenSSL/SSL.py", line 1671, in _raise_ssl_error
_raise_current_error()
File "/Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_post_process_client_hello', 'no shared cipher')]
$
with successful TLS 1.2 connection, I see the server returns the following ciphers confirming TLS 1.3 support.
$ python3.8 tls_server.py
List of ciphers: ['TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256', 'TLS_AES_128_GCM_SHA256', 'AES128-GCM-SHA256']
b'GET /\n'
version of the tools I'm using
$ python3.8 -m OpenSSL.debug
pyOpenSSL: 19.1.0
cryptography: 2.9.2
cffi: 1.13.2
cryptography's compiled against OpenSSL: OpenSSL 1.1.1g 21 Apr 2020
cryptography's linked OpenSSL: OpenSSL 1.1.1g 21 Apr 2020
Pythons's OpenSSL: OpenSSL 1.1.1d 10 Sep 2019
Python executable: /Library/Frameworks/Python.framework/Versions/3.8/bin/python3.8
Python version: 3.8.1 (v3.8.1:1b293b6006, Dec 18 2019, 14:08:53)
[Clang 6.0 (clang-600.0.57)]
Platform: darwin
I'm not sure about this config:
sslctx = SSL.Context(SSL.TLSv1_2_METHOD)
sslctx.set_options(SSL.OP_NO_TLSv1_2 | SSL.OP_NO_TLSv1_1 | SSL.OP_NO_TLSv1)
Aren't you saying to only use TLSv1.2 and then also not to use TLSv1 - TLSv1.2?
Now there is no SSL.TLSv1_3_METHOD option and you’re supposed to use SSL.TLS_METHOD but looks like that is not exposed to pyopenssl yet.
It seems there is a (currently) open issue about how to configure this better but that still doesn’t add SSL.TLS_METHOD.
Related
I am using a PARSEC app to connect another machine, after upgrade ubuntu I have problem with login to app.
"Faild request /v2/auth/ Please check internet connection"
In log I have:
[D 2022-10-31 13:37:28] MTY_TLSHandshake: 'SSL_do_handhsake' failed with error -1:1
My openssl version /lib/x86_64-linux-gnu$ openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)
docker version showing correct api version for both client and server when i run inside python it is throwing error as below.
# docker version
Client:
Version: 1.12.6
API version: 1.24
Package version: docker-1.12.6-48.git0fdc778.el7.x86_64
Go version: go1.8.3
Git commit: 0fdc778/1.12.6
Built: Thu Jul 20 00:06:39 2017
OS/Arch: linux/amd64
Server:
Version: 1.12.6
API version: 1.24
Package version: docker-1.12.6-48.git0fdc778.el7.x86_64
Go version: go1.8.3
Git commit: 0fdc778/1.12.6
Built: Thu Jul 20 00:06:39 2017
OS/Arch: linux/amd64
#
But when i run with python it is throwing error as below.
# python
Python 2.7.5 (default, Aug 29 2016, 10:12:21)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import docker
>>> client = docker.APIClient(base_url='unix://var/run/docker.sock')
>>> print client.version()
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python2.7/site-packages/docker/api/daemon.py", line 177, in version
return self._result(self._get(url), json=True)
File "/usr/lib/python2.7/site-packages/docker/api/client.py", line 226, in _result
self._raise_for_status(response)
File "/usr/lib/python2.7/site-packages/docker/api/client.py", line 222, in _raise_for_status
raise create_api_error_from_http_exception(e)
File "/usr/lib/python2.7/site-packages/docker/errors.py", line 31, in create_api_error_from_http_exception
raise cls(e, response=response, explanation=explanation)
docker.errors.APIError: 400 Client Error: Bad Request ("client is newer than server (client API version: 1.30, server API version: 1.24)")
>>>
It says API of your docker python package doesn’t match the docker engine server API. You should install a docker python package compatible with 1.24 or update your docker engine API to 1.30.
Additionally, you can try assigning new value to your docker client as follows:
client = docker.DockerClient(base_url='unix://var/run/docker.sock', version="1.24")
OR
client = docker.APIClient(base_url='unix://var/run/docker.sock', version="1.24")
I am trying to update TLS1 to TLS1.1 or higher but after doing below changes, Getting error "SSLProtocol: Illegal protocol 'TLSv1.1'"
My Apache and openssl version are :-
httpd -v
Server version: Apache/2.4.2 (Unix)
Server built: Jul 16 2012 21:11:37
openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Tue Sep 27 12:27:19 UTC 2016
Centos-version (6.7)
rpm --query centos-release
centos-release-6-7.el6.centos.12.3.x86_64
Did changes for ssl :-
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLProtocol -all +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
SSLHonorCipherOrder on
I am not sure what is missing here, can anybody help me here?
Apache has to be compiled with OpenSSL when its installed.
Your Apache was apparently compiled back in 16th Jul 2012 when Apache 1.0.1 wasn't even released yet. So guessing it was compiled with the previous version (0.9.8) which doesn't support TLSv1.1.
At some point in the future someone has upgraded OpenSSL to a later version but not recompiled Apache.
As Apache 2.4 wasn't available as a packaged version way back in 2012 someone must have installed it manually and it's stayed on that old version ever since. I suggest you look in yum for a supported 2.4 version which may be available now or install it from source.
When trying to pull a image from the docker hub, I am receiving some weird errors. The specific error that the docker daemon returns is:
Error getting v2 registry: Get https://registry-1.docker.io/v2/1:
x509: certificate signed by unknown authority
The weird thing is that running "docker search x" runs fine and returns what was expected. Also curling the page(curl -vL registry-1.docker.io) and running the openssl s_client(openssl s_client -connect registry-1.docker.io:443) doesn't return any certificate errors.
I am not behind a corporate proxy or anything like that. I've tried a lot of solutions like adding certs to the /etc/docker/certs.d directory, reinstalling the ca-certificates package, rebooting my machine, and almost everything that google searches suggested.
I am running CentOS version 6.8.
My docker version:
Client:
Version: 1.12.2
API version: 1.24
Go version: go1.6.3
Git commit: bb80604
Built: Tue Oct 11 17:00:50 2016
OS/Arch: linux/amd64
Server:
Version: 1.12.2
API version: 1.24
Go version: go1.6.3
Git commit: bb80604
Built: Tue Oct 11 17:00:50 2016
OS/Arch: linux/amd64
Thanks!
I've added a new stack in amabari-server and built it. now after installing the ambari-server rpm on new hosts, when i start ambari-server,
it give following error:
20 Jun 2016 16:25:53,020 INFO [main] Configuration:1067 - Web App DIR test /usr/lib/ambari-server/web
20 Jun 2016 16:25:53,027 INFO [main] CertificateManager:68 - Initialization of root certificate
20 Jun 2016 16:25:53,027 INFO [main] CertificateManager:70 - Certificate exists:false
20 Jun 2016 16:25:53,027 INFO [main] CertificateManager:137 - Generation of server certificate
20 Jun 2016 16:25:55,627 INFO [main] ShellCommandUtil:44 - Command openssl genrsa -des3 -passout pass:**** -out /var/lib/ambari-server/keys/ca.key 4096 was finished with exit code: 0 - the operation was completely successfully.
20 Jun 2016 16:25:55,644 INFO [main] ShellCommandUtil:44 - Command openssl req -passin pass:**** -new -key /var/lib/ambari-server/keys/ca.key -out /var/lib/ambari-server/keys/ca.csr -batch was finished with exit code: 0 - the operation was completely successfully.
20 Jun 2016 16:25:55,654 WARN [main] ShellCommandUtil:46 - Command openssl ca -create_serial -out /var/lib/ambari-server/keys/ca.crt -days 365 -keyfile /var/lib/ambari-server/keys/ca.key -key **** -selfsign -extensions jdk7_ca -config /var/lib/ambari-server/keys/ca.config -batch -infiles /var/lib/ambari-server/keys/ca.csr was finished with exit code: 1 - an error occurred parsing the command options.
20 Jun 2016 16:25:55,663 WARN [main] ShellCommandUtil:46 - Command openssl pkcs12 -export -in /var/lib/ambari-server/keys/ca.crt -inkey /var/lib/ambari-server/keys/ca.key -certfile /var/lib/ambari-server/keys/ca.crt -out /var/lib/ambari-server/keys/keystore.p12 -password pass:**** -passin pass:****
was finished with exit code: 1 - an error occurred parsing the command options.
20 Jun 2016 16:25:55,696 INFO [main] AmbariServer:611 - Jetty is configuring qtp-ambari-agent with 4 reserved acceptors/selectors and a total pool size of 25 for 4 processors.
20 Jun 2016 16:25:55,717 INFO [main] ViewRegistry:1538 - Reading view archive /var/lib/ambari-server/resources/views/ambari-admin-2.2.2.1.0.jar.
20 Jun 2016 16:26:02,549 WARN [main] AbstractLifeCycle:204 - FAILED SslContextFactory#38aed8ad(/var/lib/ambari-server/keys/keystore.p12,/var/lib/ambari-server/keys/keystore.p12): java.io.FileNotFoundException: /var/lib/ambari-server/keys/keystore.p12 (No such file or directory)
java.io.FileNotFoundException: /var/lib/ambari-server/keys/keystore.p12 (No such file or directory)
Can anyone help with this?
I'm using CentOS7 for ambari-installation.
mkdir /var/lib/ambari-server/keys/db/newcerts/ ----
I met this problem when I install ambari with the RPM package that built by myself.
Then I find the answer of this question is that missing folder.
This folder missed when I clone the source from my git repository,because it's empty.
So, check the "newcerts" folder in your source or your ambari-server host