ERROR - [SSL: NO_SHARED_CIPHER] no shared cipher (help wanted)

[ahshuen]

When using Dell Server as KMIP client and connect to the PuKMIP Server it got below error, any idea to fix it?

2021-03-08 00:19:26,757 - kmip.server.session.00000002 - INFO - Stopping session: 00000002 2021-03-08 00:20:26,524 - kmip.server - INFO - Receiving incoming connection from: 10.77.77.42:39873 2021-03-08 00:20:26,525 - kmip.server - INFO - Dedicating session 00000003 to 10.77.77.42:39873 2021-03-08 00:20:26,525 - kmip.server.session.00000003 - INFO - Starting session: 00000003 2021-03-08 00:20:26,526 - kmip.server.session.00000003 - INFO - Failure running TLS handshake 2021-03-08 00:20:26,526 - kmip.server.session.00000003 - ERROR - [SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:1123) Traceback (most recent call last): File "/usr/local/lib/python3.8/dist-packages/PyKMIP-0.11.0.dev1-py3.8.egg/kmip/services/server/session.py", line 102, in run self._connection.do_handshake() File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:1123) 2021-03-08 00:20:26,527 - kmip.server.session.00000003 - INFO - Stopping session: 00000003 2021-03-08 00:20:26,782 - kmip.server - INFO - Receiving incoming connection from: 10.77.77.41:30992 2021-03-08 00:20:26,782 - kmip.server - INFO - Dedicating session 00000004 to 10.77.77.41:30992 2021-03-08 00:20:26,783 - kmip.server.session.00000004 - INFO - Starting session: 00000004 2021-03-08 00:20:26,784 - kmip.server.session.00000004 - INFO - Failure running TLS handshake 2021-03-08 00:20:26,784 - kmip.server.session.00000004 - ERROR - [SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:1123) Traceback (most recent call last): File "/usr/local/lib/python3.8/dist-packages/PyKMIP-0.11.0.dev1-py3.8.egg/kmip/services/server/session.py", line 102, in run self._connection.do_handshake() File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:1123) 2021-03-08 00:20:26,785 - kmip.server.session.00000004 - INFO - Stopping session: 00000004

installed with latest PyKMP server and client settings as below [client] host=10.77.77.188 port=5696 certfile=/etc/ssl/hostA1.crt keyfile=/etc/ssl/hostA1.key ca_certs=/etc/ssl/certs/CA1.crt cert_reqs=CERT_NONE ssl_version=PROTOCOL_SSLv23 do_handshake_on_connect=True suppress_ragged_eofs=True

[DejmalDavid]

Hello, I think, I have similar issue. I wanna try PyKmip server to call from localhost (examples client calls) and getting this error.

Server log: 2021-03-12 00:47:34,511 - kmip.server - INFO - Receiving incoming connection from: 127.0.0.1:53650 2021-03-12 00:47:34,511 - kmip.server - INFO - Dedicating session 00000009 to 127.0.0.1:53650 2021-03-12 00:47:34,511 - kmip.server.session.00000009 - INFO - Starting session: 00000009 2021-03-12 00:47:34,512 - kmip.server.session.00000009 - INFO - Failure running TLS handshake 2021-03-12 00:47:34,512 - kmip.server.session.00000009 - ERROR - [SSL] internal error (_ssl.c:1122) Traceback (most recent call last): File "/usr/local/lib/python3.9/dist-packages/kmip/services/server/session.py", line 102, in run self._connection.do_handshake() File "/usr/lib/python3.9/ssl.py", line 1309, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL] internal error (_ssl.c:1122)

Error from client is very similar. I try a lot of things (every possible setting of client and server, update all packages, ...) with no result. I work on Ubuntu 20.04, python 3.9, openssl 1.1.1.f

I stop after find issue with TLS version describe here https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878 I'm not able to fix this. Now i wanna try ubuntu 18.04, with python 3.7. I hope it will work

What OS, python and openSSL do you use for server? Or did you fix this problem already?

[DejmalDavid]

I fix it. Problem is in security lvl in openssl under ubuntu. (Ubuntu 20.04, python 3.9, openssl 1.1.1.f) https://bugs.python.org/issue41561

To fix it befere comes all pathes, do this: To default file openssl.cnf (for me in /etc/ssl/openssl.conf) add lines at beginig " openssl_conf = default_conf " and add at end of file " [ default_conf ]

ssl_conf = ssl_sect

[ssl_sect]

system_default = system_default_sect

[system_default_sect] MinProtocol = TLSv1.2 CipherString = DEFAULT:@SECLEVEL=0 " (https://askubuntu.com/questions/1233186/ubuntu-20-04-how-to-set-lower-ssl-security-level)

then reboot and in client conf file use "ssl_version=PROTOCOL_TLS"

[ahshuen]

i use Ubuntu 20.04 LTS, Python 3.8.5 (default installed one) with latest PyKMIP version git from GitHub, and i have edited exactly what you describe.. looks still the same result.

2021-03-22 09:00:00,800 - kmip.server.session.00000001 - INFO - Starting session: 00000001 2021-03-22 09:00:00,801 - kmip.server.session.00000001 - INFO - Failure running TLS handshake 2021-03-22 09:00:00,802 - kmip.server.session.00000001 - ERROR - [SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:1123) Traceback (most recent call last): File "/usr/local/lib/python3.8/dist-packages/PyKMIP-0.11.0.dev1-py3.8.egg/kmip/services/server/session.py", line 102, in run self._connection.do_handshake() File "/usr/lib/python3.8/ssl.py", line 1309, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:1123) 2021-03-22 09:00:00,806 - kmip.server.session.00000001 - INFO - Stopping session: 00000001

[stiva3]

Debian version 11.5 python3 -V -> Python 3.9.2 python -V -> Python 2.7.18

/etc/ssl/openssl.cnf `[default_conf] ssl_conf = ssl_sect

[ssl_sect] system_default = system_default_sect

[system_default_sect] MinProtocol = None CipherString = DEFAULT@SECLEVEL=0`

cat /etc/pykmip/server.conf `[server] hostname=0.0.0.0 port=5696

certificate_path=/etc/ssl/certs/xyz.hr_cert.pem key_path=/etc/ssl/private/xyz_hr.key ca_path=/etc/ssl/certs/xyz_hr_interm.cer

auth_suite=Basic enable_tls_client_auth=True tls_cipher_suites= TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 TLS_CHACHA20_POLY1305_SHA256 logging_level=DEBUG database_path=/tmp/pykmip.db`

cat /var/log/pykmip/server.log 2022-10-11 13:56:18,531 - kmip.server.session.00000003 - INFO - Starting session: 00000003 2022-10-11 13:56:18,531 - kmip.server.session.00000003 - INFO - Failure running TLS handshake 2022-10-11 13:56:18,532 - kmip.server.session.00000003 - ERROR - [SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:1123) Traceback (most recent call last): File "/usr/local/lib/python3.9/dist-packages/kmip/services/server/session.py", line 102, in run self._connection.do_handshake() File "/usr/lib/python3.9/ssl.py", line 1309, in do_handshake self._sslobj.do_handshake() ssl.SSLError: [SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:1123) 2022-10-11 13:56:18,532 - kmip.server.session.00000003 - INFO - Stopping session: 00000003

Clinet side -> chipers offered from wireshark: Cipher Suite: TLS_AES_256_GCM_SHA384 (0x1302) Cipher Suite: TLS_CHACHA20_POLY1305_SHA256 (0x1303) Cipher Suite: TLS_AES_128_GCM_SHA256 (0x1301) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) Cipher Suite: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9) Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023) Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e) Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b) Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067) Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

[swervin1]

Hello:

Has anyone been able to get pykmip working with DELL SEKM?