I would like to write a server/client TLS1.3 set of scripts in Python. Therefore, I use tlslite-ng library as only one which has TLS1.3 on board.
However, even my simple code fails:
#openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.pem -out certificate.pem
#
import os
import socket
#import sys
from tlslite.api import *
s = open("./certificate.pem").read()
x509 = X509()
x509.parse(s)
certChain = X509CertChain([x509])
#print (certChain)
s = open("./privateKey.pem").read()
privateKey = parsePEMKey(s, private=True)
#print (privateKey)
host = '127.0.1.1'
port = 8888
payload = 1500
server_address = (host, port)
def start_TLS_server():
socket_TLS = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
socket_TLS.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
socket_TLS.bind(server_address)
socket_TLS.listen(1)
#synchro = synchroSocket.accept()
connection = TLSConnection(socket_TLS)
settings = HandshakeSettings()
settings.minKeySize = 2048
settings.cipherNames = ["aes256"]
settings.minVersion = (3,1)
connection.handshakeServer(certChain=certChain, privateKey=privateKey, reqCert=True, settings=settings)
#connection.session.clientCertChain # X509CertChain
#connection.session.serverCertChain # X509CertChain
print(connection)
print("TLS server is running...")
while True:
data = connection.read(payload)
if not data:
break
connection.write(data)
connection.close()
if __name__ == "__main__":
start_TLS_server()
I'm getting error like this:
root#Admin-PC:/mnt/c/Users/andre/Documents/Visual Studio Code/Projects/SSNProject/TLSvsNPF# python3 TLSserver.py
<tlslite.tlsconnection.TLSConnection object at 0x7f0c9142fe48>
Traceback (most recent call last):
File "TLSserver.py", line 89, in <module>
start_TLS_server()
File "TLSserver.py", line 58, in start_TLS_server
connection.handshakeServer(certChain=certChain, privateKey=privateKey, reqCert=True, settings=settings)
File "/usr/local/lib/python3.5/dist-packages/tlslite/tlsconnection.py", line 1191, in handshakeServer
nextProtos=nextProtos, anon=anon, alpn=alpn, sni=sni):
File "/usr/local/lib/python3.5/dist-packages/tlslite/tlsconnection.py", line 1220, in handshakeServerAsync
for result in self._handshakeWrapperAsync(handshaker, checker):
File "/usr/local/lib/python3.5/dist-packages/tlslite/tlsconnection.py", line 2216, in _handshakeWrapperAsync
for result in handshaker:
File "/usr/local/lib/python3.5/dist-packages/tlslite/tlsconnection.py", line 1262, in _handshakeServerAsyncHelper
anon, alpn, sni):
File "/usr/local/lib/python3.5/dist-packages/tlslite/tlsconnection.py", line 1485, in _serverGetClientHello
HandshakeType.client_hello):
File "/usr/local/lib/python3.5/dist-packages/tlslite/tlsrecordlayer.py", line 657, in _getMsg
for result in self._getNextRecord():
File "/usr/local/lib/python3.5/dist-packages/tlslite/tlsrecordlayer.py", line 829, in _getNextRecord
for result in self._getNextRecordFromSocket():
File "/usr/local/lib/python3.5/dist-packages/tlslite/tlsrecordlayer.py", line 853, in _getNextRecordFromSocket
for result in self._recordLayer.recvRecord():
File "/usr/local/lib/python3.5/dist-packages/tlslite/recordlayer.py", line 695, in recvRecord
for result in self._recordSocket.recv():
File "/usr/local/lib/python3.5/dist-packages/tlslite/recordlayer.py", line 188, in recv
for record in self._recvHeader():
File "/usr/local/lib/python3.5/dist-packages/tlslite/recordlayer.py", line 122, in _recvHeader
for result in self._sockRecvAll(1):
File "/usr/local/lib/python3.5/dist-packages/tlslite/recordlayer.py", line 99, in _sockRecvAll
socketBytes = self.sock.recv(length - len(buf))
File "/usr/local/lib/python3.5/dist-packages/tlslite/bufferedsocket.py", line 54, in recv
return self.socket.recv(bufsize)
OSError: [Errno 107] Transport endpoint is not connected
root#Admin-PC:/mnt/c/Users/andre/Documents/Visual Studio Code/Projects/SSNProject/TLSvsNPF#
As you may notice I am on Windows 10's Linux subsutem Ubuntu 16.04 LTS. I understand that mistake is somewhere in certificates but it is not clear where... Any suggestions?
Thank you
OSError: [Errno 107] Transport endpoint is not connected
you need to call accept() on the listening socket to get the socket and connection info which you wrap TLSConnection around.
See tlstest.py for an example.
Do note that you need to use the tls-1.3 branch for the TLS 1.3 support to be present, and aes256 cipher is incompatible with TLS 1.3 (aes256 is a name used for CBC mode cipher, no CBC mode ciphers are defined for TLS 1.3, you need to use aes256gcm or one of the other AEAD ciphers)
Related
I'm trying to run a simple python script to access s3 buckets in minio server in WINDOWS. The server is using self signed certificate. There's an error in SSL handshake. I have tried all possible ways to correct it but it's still throwing the error.
My python script
from minio import Minio
from minio.error import (ResponseError, BucketAlreadyOwnedByYou,
BucketAlreadyExists)
def new():
minioClient = Minio('10.177.218.8:9000',access_key='minio_key',secret_key='password',secure=True)
buckets = minioClient.list_buckets();
for bucket in buckets:
print(bucket.name, bucket.creation_date)
new()
This is the error I'm getting
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3-1.25.8-
py3.8.egg\urllib3\connectionpool.py", line 665, in urlopen
httplib_response = self._make_request(
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3-1.25.8-
py3.8.egg\urllib3\connectionpool.py", line 376, in _make_request
self._validate_conn(conn)
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3-1.25.8-
py3.8.egg\urllib3\connectionpool.py", line 994, in _validate_conn
conn.connect()
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3-1.25.8-
py3.8.egg\urllib3\connection.py", line 352, in connect
self.sock = ssl_wrap_socket(
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3-1.25.8-
py3.8.egg\urllib3\util\ssl_.py", line 383, in ssl_wrap_socket
return context.wrap_socket(sock)
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 500, in wrap_socket
return self.sslsocket_class._create(
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 1040, in _create
self.do_handshake()
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\ssl.py", line 1309, in
do_handshake
self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to
get local issuer certificate (_ssl.c:1108)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "C:\Users\Admin\Documents\S3\new.py", line 21, in <module>
new()
File "C:\Users\Admin\Documents\S3\new.py", line 11, in new
buckets = minioClient.list_buckets();
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\minio-5.0.9-
py3.8.egg\minio\api.py", line 427, in list_buckets
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3-1.25.8-
py3.8.egg\urllib3\poolmanager.py", line 330, in urlopen
response = conn.urlopen(method, u.request_uri, **kw)
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3-1.25.8-
py3.8.egg\urllib3\connectionpool.py", line 747, in urlopen
return self.urlopen(
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3-1.25.8-
py3.8.egg\urllib3\connectionpool.py", line 747, in urlopen
return self.urlopen(
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3-1.25.8-
py3.8.egg\urllib3\connectionpool.py", line 747, in urlopen
return self.urlopen(
[Previous line repeated 2 more times]
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3-1.25.8-
py3.8.egg\urllib3\connectionpool.py", line 719, in urlopen
retries = retries.increment(
File "C:\Users\Admin\AppData\Local\Programs\Python\Python38-32\lib\site-packages\urllib3-1.25.8-
py3.8.egg\urllib3\util\retry.py", line 436, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='10.177.218.8', port=9000): Max retries
exceeded with url: / (Caused by SSLError(SSLCertVerificationError(1, '[SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate
(_ssl.c:1108)')))
I have installed the certificate in Trusted store also. How do I solve this in WINDOWS?
I was finally able to correct my SSL VERIFY error on Windows by doing the following:
Execute print(requests.certs.where()) and copy the full file path.
Create a variable in your script like so and paste the file path:
cafile = r'lib\site-packages\certifi\cacert.pem'
Execute the request with verify set to new variable: page = requests.get(URL_STRING, verify=cafile)
Do not set verify = False if all possible
Perhaps this will save some other SSL weary soul as well.
Easy solution, use a custom httpClient with Minio:
import urllib3
httpClient = urllib3.PoolManager()
minioClient = Minio(....,
.....
access_key=...,
secret_key=...,
http_client = httpClient)
import requests
url = 'https://v11.com:8080'
res = requests.get(url, verify = 'ca.arraynetca.cert.pem')
Error:
Traceback (most recent call last):
File "C:\Users\dbansal\AppData\Local\Programs\Python\Python37-32\lib\site-packages\urllib3\contrib\pyopenssl.py", line 472, in wrap_socket
cnx.do_handshake()
File "C:\Users\dbansal\AppData\Local\Programs\Python\Python37-32\lib\site-packages\OpenSSL\SSL.py", line 1716, in do_handshake
self._raise_ssl_error(self._ssl, result)
File "C:\Users\dbansal\AppData\Local\Programs\Python\Python37-32\lib\site-packages\OpenSSL\SSL.py", line 1456, in _raise_ssl_error
_raise_current_error()
File "C:\Users\dbansal\AppData\Local\Programs\Python\Python37-32\lib\site-packages\OpenSSL_util.py", line 54, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_parse_stoc_server_name', 'bad extension')]
"""
ssl Server is running with TLSv1:TLSv11:TLSv12:TLSv13.
through openssl s_client -connect ssl handshake is working fine using tls1_2 protocol.
"""
My redis server is running under ubuntu 16.04 and I have RQ Dashboard running to monitor the queue. The redis server has a password which I supply for the initial connection. Here's my code:
from rq import Queue, Connection, Worker
from redis import Redis
from dblogger import DbLogger
def _redisCon():
redis_host = "192.168.1.169"
redis_port = "6379"
redis_password = "SecretPassword"
return Redis(host=redis_host, port=redis_port, password=redis_password)
rcon = _redisCon()
if rcon is not None:
with Connection(rcon):
DbLogger.log("rqworker", 0, "Launching Worker", "launching an RQ Worker - default Queue")
worker = Worker(list(map(Queue, 'default'))) # this works - I see the worker registered in RQ dashboard
worker.work() # this eventually fails with the Connection error:
"""
16:28:49 RQ worker 'rq:worker:steve-imac.95379' started, version 0.12.0
16:28:49 *** Listening on default...
16:28:49 Cleaning registries for queue: default
Traceback (most recent call last):
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/redis/connection.py", line 177, in _read_from_socket
raise socket.error(SERVER_CLOSED_CONNECTION_ERROR)
OSError: Connection closed by server.
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/redis/client.py", line 668, in execute_command
return self.parse_response(connection, command_name, **options)
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/redis/client.py", line 680, in parse_response
response = connection.read_response()
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/redis/connection.py", line 624, in read_response
response = self._parser.read_response()
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/redis/connection.py", line 284, in read_response
response = self._buffer.readline()
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/redis/connection.py", line 216, in readline
self._read_from_socket()
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/redis/connection.py", line 191, in _read_from_socket
(e.args,))
redis.exceptions.ConnectionError: Error while reading from socket: ('Connection closed by server.',)
File "/Library/Frameworks/Python.framework/Versions/3.7/lib/python3.7/site-packages/redis/connection.py", line 489, in connect
raise ConnectionError(self._error_message(e))
redis.exceptions.ConnectionError: Error 61 connecting to 192.168.1.169:6379. Connection refused.
"""
I've tried removing the password and enabling the unixsocket in the redis.conf -- neither seemed to help. This seems to be happening in some sort of timeout, since in other testing the worker actually loads a task and executes it before eventually dying with this error.
Ubuntu 14.04 and 12.04 (all tested), 64bit
pip install tornado (ver 4.1)
curl -X POST -v -k https://remote_ip:8080
Error as below:
```
ERROR:tornado.application:Exception in callback (<socket._socketobject object at 0x7fb670a4ad00>, <function null_wrapper at 0x7fb670a05aa0>)
Traceback (most recent call last):
File "/usr/local/lib/python2.7/dist-packages/tornado/ioloop.py", line 840, in start
handler_func(fd_obj, events)
File "/usr/local/lib/python2.7/dist-packages/tornado/stack_context.py", line 275, in null_wrapper
return fn(*args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/tornado/netutil.py", line 223, in accept_handler
callback(connection, address)
File "/usr/local/lib/python2.7/dist-packages/tornado/tcpserver.py", line 225, in _handle_connection
do_handshake_on_connect=False)
File "/usr/local/lib/python2.7/dist-packages/tornado/netutil.py", line 470, in ssl_wrap_socket
return ssl.wrap_socket(socket, **dict(context, **kwargs))
File "/usr/lib/python2.7/ssl.py", line 489, in wrap_socket
ciphers=ciphers)
File "/usr/lib/python2.7/ssl.py", line 243, in __init__
ciphers)
SSLError: _ssl.c:295: Both the key & certificate files must be specified
My server code looks like this:
```
import tornado
import tornado.web
import tornado.httpserver
import tornado.ioloop
class Docker(tornado.web.RequestHandler):
def post(self, *args, **kwargs):
self.write('1\n')
application = tornado.web.Application(
handlers=[
(r'/', Docker),
],
debug=True,
)
if __name__ == '__main__':
ssl_options={'certfile': 'certificate.crt',
'keyfile': 'privateKey.key'},
srv = tornado.httpserver.HTTPServer(application, xheaders=True, ssl_options=ssl_options)
srv.bind(8080)
srv.start()
tornado.ioloop.IOLoop.instance().start()
Note that I use openssl to generate the certificate and key file:
openssl genrsa -out privkey.pem 2048
openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
Especially, when I added one key into the ssl_options dict, cert_reqs=ssl.CERT_NONE, enven more strange error appeared:
File /usr/local/lib/python2.7/dist-packages/tornado/netutil.py:
return ssl.wrap_socket(socket, **dict(context, **kwargs))
dictionary update sequence element #0 has length 1 2 is required
I'm really desperate to make my tornado app work properly under HTTPS, could you help?
You have an extra comma after the definition of ssl_options. This makes ssl_options a tuple containing a dictionary, instead of a dictionary (see Python tuple trailing comma syntax rule). Remove that and things should work.
i have added djcelery and kombu.transport.django to django apps.
settings.py:
import djcelery
djcelery.setup_loader()
from .celery import app as celery_app
BROKER_URL = "redis://abc:abc#localhost:6379/0"
CELERYBEAT_SCHEDULER = "djcelery.schedulers.DatabaseScheduler"
CELERY_TIMEZONE = "Europe/London"
CELERY_ENABLE_UTC = True
# store AsyncResult in redis
CELERY_RESULT_BACKEND = "redis"
REDIS_HOST = "localhost"
REDIS_PORT = 6379
REDIS_DB = 0
REDIS_VHOST = 0
REDIS_USER="xyz"
REDIS_PASSWORD="xyz"
REDIS_CONNECT_RETRY = True
celery.py
from __future__ import absolute_import
import os
from celery import Celery
from django.conf import settings
from . import celeryconfig
# set the default Django settings module for the 'celery' program.
os.environ.setdefault('DJANGO_SETTINGS_MODULE', 'config.settings')
app = Celery('apps')
# Using a string here means the worker will not have to
# pickle the object when using Windows.
app.config_from_object('django.conf:settings')
app.autodiscover_tasks(lambda: settings.INSTALLED_APPS)
#app.task(bind=True)
def debug_task(self):
print('Request: {0!r}'.format(self.request))
celery supervisor configuration:
[program:celeryd]
command=/home/vagrant/.virtualenvs/project/bin/python /vagrant/project/manage.py celeryd -B -E -c 1 --settings=config.settings
directory=/vagrant/project
user=vagrant
autostart=true
autorestart=true
stdout_logfile=/var/log/supervisor/celeryd.log
stderr_logfile=/var/log/supervisor/celeryd_err.log
when a task is scheduled using django-celery interface which supposed to download some files, following errors are thrown:
Traceback (most recent call last):
File "/home/vagrant/.virtualenvs/project/local/lib/python2.7/site-packages/celery/beat.py", line 203, in maybe_due
result = self.apply_async(entry, publisher=publisher)
File "/home/vagrant/.virtualenvs/project/local/lib/python2.7/site-packages/celery/beat.py", line 259, in apply_async
entry, exc=exc)), sys.exc_info()[2])
File "/home/vagrant/.virtualenvs/project/local/lib/python2.7/site-packages/celery/beat.py", line 251, in apply_async
**entry.options)
File "/home/vagrant/.virtualenvs/project/local/lib/python2.7/site-packages/celery/app/task.py", line 555, in apply_async
**dict(self._get_exec_options(), **options)
File "/home/vagrant/.virtualenvs/project/local/lib/python2.7/site-packages/celery/app/base.py", line 323, in send_task
reply_to=reply_to or self.oid, **options
File "/home/vagrant/.virtualenvs/project/local/lib/python2.7/site-packages/celery/app/amqp.py", line 302, in publish_task
**kwargs
File "/home/vagrant/.virtualenvs/project/local/lib/python2.7/site-packages/kombu/messaging.py", line 168, in publish
routing_key, mandatory, immediate, exchange, declare)
File "/home/vagrant/.virtualenvs/project/local/lib/python2.7/site-packages/kombu/connection.py", line 440, in _ensured
return fun(*args, **kwargs)
File "/home/vagrant/.virtualenvs/project/local/lib/python2.7/site-packages/kombu/messaging.py", line 180, in _publish
[maybe_declare(entity) for entity in declare]
File "/home/vagrant/.virtualenvs/project/local/lib/python2.7/site-packages/kombu/messaging.py", line 111, in maybe_declare
return maybe_declare(entity, self.channel, retry, **retry_policy)
File "/home/vagrant/.virtualenvs/project/local/lib/python2.7/site-packages/kombu/common.py", line 99, in maybe_declare
return _maybe_declare(entity)
File "/home/vagrant/.virtualenvs/project/local/lib/python2.7/site-packages/kombu/common.py", line 110, in _maybe_declare
entity.declare()
File "/home/vagrant/.virtualenvs/project/local/lib/python2.7/site-packages/kombu/entity.py", line 505, in declare
self.queue_declare(nowait, passive=False)
File "/home/vagrant/.virtualenvs/project/local/lib/python2.7/site-packages/kombu/entity.py", line 531, in queue_declare
nowait=nowait)
File "/home/vagrant/.virtualenvs/project/local/lib/python2.7/site-packages/kombu/transport/virtual/__init__.py", line 447, in queue_declare
return queue_declare_ok_t(queue, self._size(queue), 0)
File "/home/vagrant/.virtualenvs/project/local/lib/python2.7/site-packages/kombu/transport/redis.py", line 651, in _size
sizes = cmds.execute()
File "/home/vagrant/.virtualenvs/project/local/lib/python2.7/site-packages/redis/client.py", line 2157, in execute
conn.disconnect()
File "/home/vagrant/.virtualenvs/project/local/lib/python2.7/site-packages/kombu/transport/redis.py", line 800, in disconnect
channel._on_connection_disconnect(self)
File "/home/vagrant/.virtualenvs/project/local/lib/python2.7/site-packages/kombu/transport/redis.py", line 461, in _on_connection_disconnect
self.connection.cycle._on_connection_disconnect(connection)
File "/home/vagrant/.virtualenvs/project/local/lib/python2.7/site-packages/kombu/transport/redis.py", line 259, in _on_connection_disconnect
self.poller.unregister(connection._sock)
File "/home/vagrant/.virtualenvs/project/local/lib/python2.7/site-packages/kombu/utils/eventio.py", line 85, in unregister
self._epoll.unregister(fd)
SchedulingError: Couldn't apply scheduled task downloader: argument must be an int, or have a fileno() method.
and i'm not getting any clue where from these errors are coming...
any suggestions will be greatly appreciated.
Update 1:
i use django-celery admin interface to schedule a task and task is defined inside an app registered in INSTALLED_APP as follows:
#shared_task
def downloader():
# execute static/shell_scripts/feed_downloader.sh
import subprocess
PROJECT_PATH = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
subprocess.call(PROJECT_PATH+"/static/shell_scripts/feed_downloader.sh", shell=True)
the feed_downloader.sh file calls a django management command which if i execute independetly works fine like:
python manage.py feed_downloader
if i add a print statement just before line no. 85 to check fd parameter in file
/home/vagrant/.virtualenvs/project/local/lib/python2.7/site-packages/kombu/utils/eventio.py
then following messages get printed:
see this <socket._socketobject object at 0x131b750>
see this None
see this <socket._socketobject object at 0x131bc90>
see this None