Closed KBassford closed 4 years ago
Hi @KBassford, thanks for filing this. Certificate issues are always interesting to dig into. I'll look into my notes on the PEM lib exception you're getting from Python ssl; I've had to debug that type of error before. Your PyKMIP server log looks fine, as do the ciphers, and your certificates. I'll try to replicate this on my end and will let you know what I find.
Played around with the server.conf settings. It's pretty intolerant about what can be featured in the settings.
FYI: I'm using Python3 3.7.3-1
Hi @KBassford, thanks for following up.
This is expected behavior. As per the server configuration documentation, the config_path setting should only ever be set using the KmipServer Python constructor, since it specifies the path to the configuration file; setting it inside the configuration file makes no sense and should never be done. This also applies to the log_path setting. If you do include these settings in the server configuration file, you should see an error message like this:
Setting 'XYZ' is not a supported setting. Please remove it from the configuration file.
The policy_path setting should specify the path to the directory containing server policy files; it should not be a path to a specific policy file. This is also clearly specified in the server configuration documentation.
Mmmm... last server I built did contain the filename in "policy_path". I'm still pounding away at the problem, but have made no headway.
I've changed a little bit around and added python3-openssl. Changed a little bit, but the problem is still the same...
root@kmipserver:~# /usr/local/bin/pykmip/launch_server.py
Traceback (most recent call last):
File "/usr/local/bin/pykmip/launch_server.py", line 27, in <module>
server.main()
File "/usr/local/lib/python3.7/dist-packages/kmip/services/server/server.py", line 673, in main
with s:
File "/usr/local/lib/python3.7/dist-packages/kmip/services/server/server.py", line 476, in __enter__
self.start()
File "/usr/local/lib/python3.7/dist-packages/kmip/services/server/server.py", line 300, in start
ciphers=self.auth_suite.ciphers
File "/usr/lib/python3.7/ssl.py", line 1216, in wrap_socket
context.load_cert_chain(certfile, keyfile)
ssl.SSLError: [SSL] PEM lib (_ssl.c:3845)
Process PolicyDirectoryMonitor-2:
Traceback (most recent call last):
File "/usr/lib/python3.7/multiprocessing/process.py", line 297, in _bootstrap
self.run()
File "/usr/local/lib/python3.7/dist-packages/kmip/services/server/monitor.py", line 145, in run
self.scan_policies()
File "/usr/local/lib/python3.7/dist-packages/kmip/services/server/monitor.py", line 114, in scan_policies
if p in sorted(self.policy_store.keys()):
File "<string>", line 2, in keys
File "/usr/lib/python3.7/multiprocessing/managers.py", line 795, in _callmethod
conn.send((self._id, methodname, args, kwds))
File "/usr/lib/python3.7/multiprocessing/connection.py", line 206, in send
self._send_bytes(_ForkingPickler.dumps(obj))
File "/usr/lib/python3.7/multiprocessing/connection.py", line 404, in _send_bytes
self._send(header + buf)
File "/usr/lib/python3.7/multiprocessing/connection.py", line 368, in _send
n = write(self._handle, buf)
BrokenPipeError: [Errno 32] Broken pipe
root@kmipserver:~# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 14:25 ? 00:00:00 tail -f /dev/null
root 26 1 0 14:25 ? 00:00:00 /usr/sbin/sshd
message+ 42 1 0 14:25 ? 00:00:00 /usr/bin/dbus-daemon --system
root 43 26 0 14:25 ? 00:00:00 sshd: root@pts/0
root 49 43 0 14:26 pts/0 00:00:00 -bash
root 67 49 0 14:28 pts/0 00:00:00 ps -ef
root@kmipserver:~# cat /var/log/pykmip/server.log
2020-09-08 14:28:08,646 - kmip.server.config - INFO - Loading server configuration settings from: /etc/pykmip/server.conf
2020-09-08 14:28:08,663 - kmip.server.monitor - INFO - Starting up the operation policy file monitor.
2020-09-08 14:28:08,757 - kmip.server - INFO - Starting server socket handler.
2020-09-08 14:28:08,758 - kmip.server - DEBUG - Configured cipher suites: 13
2020-09-08 14:28:08,758 - kmip.server - DEBUG - TLS_DH_RSA_WITH_AES_256_CBC_SHA256
2020-09-08 14:28:08,758 - kmip.server - DEBUG - TLS_RSA_WITH_AES_128_CBC_SHA256
2020-09-08 14:28:08,758 - kmip.server - DEBUG - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
2020-09-08 14:28:08,758 - kmip.server - DEBUG - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
2020-09-08 14:28:08,758 - kmip.server - DEBUG - TLS_RSA_WITH_AES_256_CBC_SHA
2020-09-08 14:28:08,758 - kmip.server - DEBUG - TLS_DH_RSA_WITH_AES_128_CBC_SHA256
2020-09-08 14:28:08,758 - kmip.server - DEBUG - TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
2020-09-08 14:28:08,758 - kmip.server - DEBUG - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
2020-09-08 14:28:08,758 - kmip.server - DEBUG - TLS_RSA_WITH_AES_256_CBC_SHA256
2020-09-08 14:28:08,758 - kmip.server - DEBUG - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
2020-09-08 14:28:08,758 - kmip.server - DEBUG - TLS_RSA_WITH_AES_256_GCM_SHA384
2020-09-08 14:28:08,758 - kmip.server - DEBUG - TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
2020-09-08 14:28:08,758 - kmip.server - DEBUG - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
2020-09-08 14:28:08,758 - kmip.server - DEBUG - Authentication suite ciphers to use: 10
2020-09-08 14:28:08,758 - kmip.server - DEBUG - AES256-SHA256
2020-09-08 14:28:08,758 - kmip.server - DEBUG - ECDHE-ECDSA-AES128-GCM-SHA256
2020-09-08 14:28:08,758 - kmip.server - DEBUG - DHE-RSA-AES128-SHA256
2020-09-08 14:28:08,758 - kmip.server - DEBUG - AES128-SHA256
2020-09-08 14:28:08,758 - kmip.server - DEBUG - ECDHE-ECDSA-AES256-GCM-SHA384
2020-09-08 14:28:08,758 - kmip.server - DEBUG - DH-RSA-AES256-SHA256
2020-09-08 14:28:08,758 - kmip.server - DEBUG - ECDHE-ECDSA-AES256-SHA384
2020-09-08 14:28:08,758 - kmip.server - DEBUG - DH-RSA-AES128-SHA256
2020-09-08 14:28:08,758 - kmip.server - DEBUG - ECDHE-RSA-AES256-SHA384
2020-09-08 14:28:08,758 - kmip.server - DEBUG - DHE-RSA-AES256-SHA256
2020-09-08 14:28:09,664 - kmip.server.monitor - INFO - Loading policies for file: /etc/pykmip/policy.json
2020-09-08 14:28:09,665 - kmip.server.monitor - INFO - Loading policy: standard
Well it seems something is wrong with the certs. I just regenerated them, the only difference being that I had the python3-openssl module loaded this time, and it works. OUCH! Going to try to export them and reload.
Works now. python(3)-openssl module is a prerequisite.
Using certs generated on Server (still up and running). Getting exact same error on client now. This has to be some configuration I'm not picking up on.
Hi @KBassford, I spent some time yesterday and today doing a fresh PyKMIP server/client install on an Ubuntu 20.04 VM using Python 3.8 (the default system Python) in a separate Python virtual environment. Following just the install and configuration directions in the PyKMIP documentation and using the example configuration files shown in the docs, I was able to get a working system up-and-running using the certificates generated by the create_certificates.py script. I did not have to manually install python(3)-openssl, it looks like that came preinstalled (or was installed during a standard apt update && apt upgrade on the fresh VM).
The only gotcha is that you have to use TLS 1.2 in the client and server configuration files (i.e., PROTOCOL_TLSv1_2 in pykmip.conf, TLS1.2 in server.conf), as discussed in #631. Older TLS/SSL versions are now unsupported and may be officially deprecated and blocked (I haven't dug into that too deeply).
I haven't been able to replicate the PEM lib error that you're seeing. The error that I saw (before switching to TLS 1.2) was a generic internal error thrown by Python ssl.
What OS are you working on? Are you still using Python 3.7? I can try and replicate your environment on my end to see if I can trigger the same behavior.
Was python3-openssl automatically installed? I'm using Devuan (Beowulf) running in Docker this time around. Python 3.7.3 (latest native to Beowulf). I had my client set to ssl_version=PROTOCOL_SSLv23. Rebuilt with ssl_version=PROTOCOL_TLSv1_2, no effect.
Client error ...
root@kmipclient:/etc/pykmip# ./eval_client.py
could not open client connection: [SSL] PEM lib (_ssl.c:3845)
Traceback (most recent call last):
File "./eval_client.py", line 65, in <module>
count = get_count()
File "./eval_client.py", line 50, in get_count
with c:
File "/usr/local/lib/python3.7/dist-packages/kmip/pie/client.py", line 1745, in __enter__
self.open()
File "/usr/local/lib/python3.7/dist-packages/kmip/pie/client.py", line 173, in open
self.proxy.open()
File "/usr/local/lib/python3.7/dist-packages/kmip/services/kmip_client.py", line 271, in open
self._create_socket(sock)
File "/usr/local/lib/python3.7/dist-packages/kmip/services/kmip_client.py", line 296, in _create_socket
suppress_ragged_eofs=self.suppress_ragged_eofs)
File "/usr/lib/python3.7/ssl.py", line 1216, in wrap_socket
context.load_cert_chain(certfile, keyfile)
ssl.SSLError: [SSL] PEM lib (_ssl.c:3845)
Was python3-openssl automatically installed?
I believe so. I can reset the VM before any system updates to determine where/when exactly it gets installed.
I'm using Devuan (Beowulf) running in Docker this time around. Python 3.7.3 (latest native to Beowulf). I had my client set to ssl_version=PROTOCOL_SSLv23. Rebuilt with ssl_version=PROTOCOL_TLSv1_2, no effect.
Do you know which base Docker image you're using for Devuan? Is it available from Docker Hub? I don't have experience using Devuan specifically but standing up the container and seeing what comes with it by default could be useful for triaging this issue.
My KMIP client Dockerfile ...
#
# Base Devuan load for KMIP Testing.
#
FROM lpenz/devuan-beowulf-amd64
LABEL maintainer="kbassford@apertussolutions.com"
# Client customization - Set up mountpoints.
# Configuration and certs mountpoint
RUN mkdir -p /etc/kmip
# Note: Named volumes must be created separately.
# Example: "docker volume create kmipserverconfig" # to create
# "docker run -v kmipserverconfig:/etc/pykmip -v kmipdatastore:/srv/kmip -it 507128151f19" # to use
# Get list of modules
RUN apt update
# Add this argument so the install knows it's not interactive!
ARG DEBIAN_FRONTEND=noninteractive
# Install additional modules.
RUN apt-get install -y apt-utils python3 python3-pip wget
RUN apt-get install -y whois openssl python3-openssl
RUN apt-mark hold iptables && \
apt-get install -y --no-install-recommends \
xorg \
xinit \
dbus-x11 \
xserver-xorg-input-mouse \
psmisc \
xdg-utils \
xserver-xorg-video-vesa \
x11-xserver-utils \
x11-utils && \
apt-get install -y --no-install-recommends \
xorg \
xinit \
dbus-x11 \
xserver-xorg-input-mouse \
psmisc \
xdg-utils \
xserver-xorg-video-vesa \
x11-xserver-utils \
x11-utils && \
apt-get install -y --no-install-recommends \
mlocate \
git \
openssh-server \
python3-cairo-dev \
python3-cairocffi
# ssh \
# ssh-tools \
# ssh-askpass \
# libssh2-1 \
# keychain \
# libshiboken-py3-1.2v5 && \
# apt-get install -y --no-install-recommends \
# python3-crypto-dbg \
# python3-ecdsa
# sed -i 's%<property name="ThemeName" type="string" value="Xfce"/>%<property name="ThemeName" type="string" value="Raleigh"/>%' /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xsettings.xml
RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 1
RUN update-alternatives --install /usr/bin/pip pip /usr/bin/pip3 1
RUN pip3 install psutil PyKMIP
RUN echo 'Changing root password.'
RUN echo "root:thx-1138"|chpasswd
RUN echo 'Adding user gkbassf'
RUN useradd gkbassf --shell /bin/bash --create-home
RUN echo "gkbassf:password"|chpasswd
# Configure SSH
RUN sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/g' /etc/ssh/sshd_config
# Copy initialization.
ADD container_startup.bash /root/
ADD filestore.tgz /root/
ADD *.crt *key /root/
# Open ports
EXPOSE 22
EXPOSE 422
WORKDIR /root
NOTE: Since I'm using docker-compose to run everything, the settings stick, even in the non-mountpoints. Added "cairo" dependencies.
Hi @KBassford, thanks for the updates. At this point it looks like this is likely a configuration problem for your specific setup and not a problem with PyKMIP, given that I was able to stand up the client/server on Ubuntu 20.04 with no real issues. To further debug your setup, I would likely start using docker exec to hop into your running Devuan container to determine if all of the TLS-related resources are available inside the container and are properly accessible by Python 3.7.3.
For now I'm going to have to pivot and focus on other work. However, I'm happy to leave this issue open for you to post updates and to ask further questions. If something comes up that I can give insight on, I'm happy to do so.
Created another client using Ubuntu 20.04. Other than the fact that it uses Python 3.8, it too is throwing the exact same error.
And python(3)-openssl is installed? Are you using TLS 1.2 in the client and server configuration?
Yes and Yes.
I even told docker-compose to expose ports 1000-65535
And you can verify that the right Python and OpenSSL dependencies are available inside the container? Not just on the host?
Still rebuilding ATM, but yes, I can send you the Dockerfiles for all three VM's as well as my docker-compose.yml if that will help.
Sure, I can quickly look through them, but I won't be able to do a deep dive anytime soon.
Here's the entire docker environment for you ... docker.gz (actually another tgz.)
Install docker and docker-compose on your system. Extract file to your work location (tar xvfz docker.gz). cd into "docker" directory and run the following 4 commands.
1. run ./docker-cleanup.bash (only needed if you are rebuilding)
2. run ./update-docker-build-files.bash (required)
3. build: "docker-compose build"
4. run: "docker-compose up"
You can ssh into any container you like as root, using "ROOT@1" as the password: KMIP server:172.20.0.2; clientA:172.20.0.3; clientB (Ubuntu):172.20.0.4. The server should come up running, the clients have a sample transaction script under /etc/pykmip (./eval_client.py) that should access the server, getting a simple count of number of keys stored there.
Looking through the code, and the behavior of the server, it would appear that SSLv23 has been removed from OpenSSL. Only setting "auth_suite=TLS1.2" works for the server.
Looking at the code for the clients, I do not see where the client implements PROTOCOL_TLS1.2 (using the 'ssl_version' parameter in the 'ProxyKmipClient' method directly). As a matter of fact, nothing I've tried to set 'ssl_version' to has worked. Indeed I see several variations appear in the code ("PROTOCOL_TLS", "PROTOCOL_TLSv1", "PROTOCOL_TLSv1_2", all of these also appear in ssl.py) in various places. Are you certain this setting works in a client?
Yes. I tested this myself two weeks ago and it gets tested frequently in our end-to-end CI system (in fact I need to go in and fix the testing on older platforms because SSLv23 is deprecated).
Set ssl_version to PROTOCOL_TLSv1_2 in pykmip.conf.
The ProxyKmipClient wraps the original KMIPProxy client and passes the ssl_version setting through. This setting is used in the call to ssl.wrap_socket in _create_socket, used in the client here: https://github.com/OpenKMIP/PyKMIP/blob/645cbf2ae931b03b8f5ebe2458683da1b2276794/kmip/services/kmip_client.py#L293
This gets set up when you call open on the client.
Again this is the exact result on both Devuan and Ubuntu clients with that setting ...
Devuan GNU/Linux 3 (beowulf) ...
root@kmipclienta:/etc/pykmip# ./eval_client.py
could not open client connection: [SSL] PEM lib (_ssl.c:3845)
Traceback (most recent call last):
File "./eval_client.py", line 70, in
root@kmipclienta:/etc/pykmip# cat pykmip.conf
# KMIP Client config (/etc/pykmip/pykmip.conf)
[client]
host=172.20.0.2
port=5696
certfile=/etc/pykmip/certs/client_certificate_jane_doe.pem
key_path=/etc/pykmip/certs/client_key_jane_doe.pem
ca_path=/etc/pykmip/certs/root_certificate.pem
cert_reqs=CERT_REQUIRED
ssl_version=PROTOCOL_TLSv1_2
do_handshake_on_connect=True
suppress_ragged_eofs=True
#username=example_username
#password=example_password
Ubuntu 20.04.1 LTS ...
root@kmipclientb:/etc/pykmip# ./eval_client.py
could not open client connection: [SSL] PEM lib (_ssl.c:4012)
Traceback (most recent call last):
File "./eval_client.py", line 70, in
Original exception was:
Traceback (most recent call last):
File "./eval_client.py", line 70, in
root@kmipclientb:/etc/pykmip# cat pykmip.conf
# KMIP Client config (/etc/pykmip/pykmip.conf)
[client]
host=172.20.0.2
port=5696
certfile=/etc/pykmip/certs/client_certificate_jane_doe.pem
key_path=/etc/pykmip/certs/client_key_jane_doe.pem
ca_path=/etc/pykmip/certs/root_certificate.pem
cert_reqs=CERT_REQUIRED
ssl_version=PROTOCOL_TLSv1_2
do_handshake_on_connect=True
suppress_ragged_eofs=True
#username=example_username
#password=example_password
The call generating all these problems ...
from kmip import enums
from kmip.pie import client

def get_count():
    # Retrieve object count from KMIP server.
    c = client.ProxyKmipClient(config_file="/etc/pykmip/pykmip.conf", kmip_version=enums.KMIPVersion.KMIP_2_0)
    with c:
        # Locate with no filters, then count the returned entries.
        listall = c.locate()
        elmcount = len(listall)
    return elmcount
Peter, take a closer look at the pykmip.conf files I included above. Something MUST be wrong.
I just replaced the c = ... line in the code above with ...
c = client.ProxyKmipClient(hostname='172.20.0.2', port=5696, cert="/etc/pykmip/certs/client_certificate_john_doe.pem",
key="/etc/pykmip/certs/client_key_john_doe.pem", ca="/etc/pykmip/certs/root_certificate.pem",
ssl_version="PROTOCOL_TLSv1_2", kmip_version=enums.KMIPVersion.KMIP_2_0)
This works!
You have the wrong settings in the pykmip.conf file for the key file and the CA file. You have key_path and ca_path. Those should be keyfile and ca_certs. You likely copied those from the server.conf file.
Just to be sure, I tested the latest version of PyKMIP again. I tested the kmip/demos/pie/create.py script (which uses the ProxyKmipClient) against the PyKMIP server. Both the client and server are running TLS 1.2 using only the configuration files for settings.
Here are my configuration files:
$ cat /etc/pykmip/pykmip.conf
[john_doe]
host=127.0.0.1
port=5696
certfile=/etc/pykmip/certs/client_certificate_john_doe.pem
keyfile=/etc/pykmip/certs/client_key_john_doe.pem
ca_certs=/etc/pykmip/certs/root_certificate.pem
cert_reqs=CERT_REQUIRED
ssl_version=PROTOCOL_TLSv1_2
do_handshake_on_connect=True
suppress_ragged_eofs=True
username=
password=
$ cat /etc/pykmip/server.conf
[server]
hostname=127.0.0.1
port=5696
certificate_path=/etc/pykmip/certs/server_certificate.pem
key_path=/etc/pykmip/certs/server_key.pem
ca_path=/etc/pykmip/certs/root_certificate.pem
auth_suite=TLS1.2
policy_path=/etc/pykmip/policies
enable_tls_client_auth=True
tls_cipher_suites=
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
    AES128-SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA256
    AES256-SHA256
logging_level=DEBUG
database_path=/tmp/pykmip.db
Here's my command to start the server:
$ sudo bin/pykmip-server
Here's my command running the demo script:
$ python create.py -c john_doe -a AES -l 256
2020-09-25 16:12:04,749 - demo - INFO - Successfully created symmetric key with ID: 1
Here's the server log for server startup and running the create.py demo:
2020-09-25 16:11:58,971 - kmip.server.config - INFO - Loading server configuration settings from: /etc/pykmip/server.conf
2020-09-25 16:11:58,999 - kmip.server.monitor - INFO - Starting up the operation policy file monitor.
2020-09-25 16:11:59,066 - kmip.server - INFO - Starting server socket handler.
2020-09-25 16:11:59,067 - kmip.server - DEBUG - Configured cipher suites: 4
2020-09-25 16:11:59,067 - kmip.server - DEBUG - AES128-SHA256
2020-09-25 16:11:59,067 - kmip.server - DEBUG - AES256-SHA256
2020-09-25 16:11:59,067 - kmip.server - DEBUG - TLS_RSA_WITH_AES_256_CBC_SHA256
2020-09-25 16:11:59,067 - kmip.server - DEBUG - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
2020-09-25 16:11:59,067 - kmip.server - DEBUG - Authentication suite ciphers to use: 3
2020-09-25 16:11:59,067 - kmip.server - DEBUG - AES128-SHA256
2020-09-25 16:11:59,068 - kmip.server - DEBUG - ECDH-ECDSA-AES128-SHA256
2020-09-25 16:11:59,068 - kmip.server - DEBUG - AES256-SHA256
2020-09-25 16:11:59,070 - kmip.server - INFO - Server successfully bound socket handler to 127.0.0.1:5696
2020-09-25 16:11:59,070 - kmip.server - INFO - Starting connection service...
2020-09-25 16:12:04,636 - kmip.server - INFO - Receiving incoming connection from: 127.0.0.1:55288
2020-09-25 16:12:04,636 - kmip.server - INFO - Dedicating session 00000001 to 127.0.0.1:55288
2020-09-25 16:12:04,636 - kmip.server.session.00000001 - INFO - Starting session: 00000001
2020-09-25 16:12:04,644 - kmip.server.session.00000001 - DEBUG - Request encoding: b'4200780100000158'
2020-09-25 16:12:04,645 - kmip.server.session.00000001 - DEBUG - Request encoding: b'4200770100000070420069010000002042006a0200000004000000010000000042006b0200000004000000020000000042000c0100000030420023010000002842002405000000040000000100000000420025010000001042009907000000004200a1070000000042000d0200000004000000010000000042000f01000000d842005c0500000004000000010000000042007901000000c04200570500000004000000020000000042009101000000a8420008010000003042000a070000001743727970746f6772617068696320416c676f726974686d0042000b05000000040000000300000000420008010000003042000a070000001443727970746f67726170686963204c656e6774680000000042000b02000000040000010000000000420008010000003042000a070000001843727970746f67726170686963205573616765204d61736b42000b02000000040000000c00000000'
2020-09-25 16:12:04,645 - kmip.server.session.00000001 - DEBUG - Possible session ciphers: 5
2020-09-25 16:12:04,645 - kmip.server.session.00000001 - DEBUG - ('TLS_AES_256_GCM_SHA384', 'TLSv1.3', 256)
2020-09-25 16:12:04,645 - kmip.server.session.00000001 - DEBUG - ('TLS_CHACHA20_POLY1305_SHA256', 'TLSv1.3', 256)
2020-09-25 16:12:04,645 - kmip.server.session.00000001 - DEBUG - ('TLS_AES_128_GCM_SHA256', 'TLSv1.3', 128)
2020-09-25 16:12:04,645 - kmip.server.session.00000001 - DEBUG - ('AES128-SHA256', 'TLSv1.2', 128)
2020-09-25 16:12:04,645 - kmip.server.session.00000001 - DEBUG - ('AES256-SHA256', 'TLSv1.2', 256)
2020-09-25 16:12:04,645 - kmip.server.session.00000001 - DEBUG - Session cipher selected: ('AES128-SHA256', 'TLSv1.2', 128)
2020-09-25 16:12:04,680 - kmip.server.session.00000001 - DEBUG - No authentication plugins are enabled. The client identity will be extracted from the client certificate.
2020-09-25 16:12:04,681 - kmip.server.session.00000001 - DEBUG - Extraction succeeded for client identity: John Doe
2020-09-25 16:12:04,681 - kmip.server.session.00000001 - INFO - Session client identity: John Doe
2020-09-25 16:12:04,681 - kmip.server.engine - DEBUG - Request specified KMIP version: 1.2
2020-09-25 16:12:04,681 - kmip.server.engine - INFO - Received request at time: 2020-09-25 20:12:04
2020-09-25 16:12:04,682 - kmip.server.engine - INFO - Processing operation: Create
2020-09-25 16:12:04,682 - kmip.server.engine.cryptography - INFO - Generating a AES symmetric key with length: 256
2020-09-25 16:12:04,748 - kmip.server.engine - INFO - Created a SymmetricKey with ID: 1
2020-09-25 16:12:04,749 - kmip.server.session.00000001 - DEBUG - Response encoding: b'42007b01000000a042007a0100000048420069010000002042006a0200000004000000010000000042006b020000000400000002000000004200920900000008000000005f6e4f1442000d0200000004000000010000000042000f010000004842005c0500000004000000010000000042007f0500000004000000000000000042007c01000000204200570500000004000000020000000042009407000000013100000000000000'
2020-09-25 16:12:04,755 - kmip.server.session.00000001 - INFO - Stopping session: 00000001
CRAP! Through my too numerous iterations the fields in pykmip.conf got mutated to "..._path". Maybe it would be nice to make the field names the same? Looking forward to the day normal certs can be used. Thanks, closing issue.
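Added example, not part of the thread and not PyKMIP code: a pre-flight check for a pykmip.conf client section that flags server.conf setting names such as key_path and ca_path. Python's ssl documentation says load_cert_chain() takes the private key from certfile when no keyfile is given, which is the call failing in the tracebacks above. The function name lint_client_section and the read_file hook are hypothetical; the setting names are the ones in the two configuration files posted in this thread, and the sample inputs are constructed.

```python
import configparser
import re

# Client setting names, taken from the working pykmip.conf posted in this thread.
CLIENT_SETTINGS = {
    "host", "port", "certfile", "keyfile", "ca_certs", "cert_reqs",
    "ssl_version", "do_handshake_on_connect", "suppress_ragged_eofs",
    "username", "password",
}
# server.conf names mapped to the client name with the same role
# (mapping derived from the two files shown in the thread).
SERVER_STYLE = {
    "key_path": "keyfile",
    "ca_path": "ca_certs",
    "certificate_path": "certfile",
    "hostname": "host",
}
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")


def lint_client_section(conf_text, section, read_file=None):
    """Return a list of findings for one client section of pykmip.conf.

    read_file is an optional callable (path -> PEM text); when given, it is
    used to check whether certfile can stand in for a missing keyfile.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    if not parser.has_section(section):
        return ["section [%s] not found" % section]
    settings = dict(parser.items(section))
    findings = []
    for name in sorted(settings):
        if name in SERVER_STYLE:
            findings.append("'%s' is a server.conf name; the client section uses '%s'"
                            % (name, SERVER_STYLE[name]))
        elif name not in CLIENT_SETTINGS:
            findings.append("'%s' is not one of the client settings" % name)
    for required in ("certfile", "keyfile", "ca_certs"):
        if not settings.get(required):
            findings.append("'%s' is missing or empty" % required)
    # Without keyfile, ssl.SSLContext.load_cert_chain() reads the private key
    # from certfile, so a certificate-only PEM cannot be loaded.
    if read_file and settings.get("certfile") and not settings.get("keyfile"):
        if not PRIVATE_KEY_RE.search(read_file(settings["certfile"])):
            findings.append("certfile holds no private key and no keyfile is set")
    return findings


# Constructed sample input, modelled on the client config that failed above.
BROKEN_CONF = """\
# KMIP Client config (/etc/pykmip/pykmip.conf)
[client]
host=172.20.0.2
port=5696
certfile=/etc/pykmip/certs/client_certificate_jane_doe.pem
key_path=/etc/pykmip/certs/client_key_jane_doe.pem
ca_path=/etc/pykmip/certs/root_certificate.pem
cert_reqs=CERT_REQUIRED
ssl_version=PROTOCOL_TLSv1_2
do_handshake_on_connect=True
suppress_ragged_eofs=True
#username=example_username
"""
# Same file with the two names corrected as described in the thread.
FIXED_CONF = BROKEN_CONF.replace("key_path", "keyfile").replace("ca_path", "ca_certs")
# Constructed placeholder for a PEM file that contains only a certificate.
CERT_ONLY_PEM = "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for finding in lint_client_section(BROKEN_CONF, "client",
                                       read_file=lambda path: CERT_ONLY_PEM):
        print(finding)
```

For real files, pass a read_file that opens the path, for example `lambda p: open(p).read()`.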
Hi Peter,
Once again I'm recreating a KMIP Server, and I'm having some problems this time around. When I try to launch the server I get this ...
... the log ...
Dump of my local certs ...
I'm using Python 3.7 exclusively and the script generated certs. I've double checked the configured paths, all are correct. I also checked the available ciphers (listed below).
Any hints where I've gone wrong?