OpenKMIP / PyKMIP

A Python implementation of the KMIP specification.
Apache License 2.0

kmip.server.session.00000002 - ERROR - [SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:877) while attempting to connect to pykmip #662

Open alaksh22 opened 2 years ago

alaksh22 commented 2 years ago

I am getting the below error while attempting to connect to pykmip server from our client:

2022-02-25 12:05:48,794 - kmip.server - INFO - Receiving incoming connection from: 172.18.126.34:54848
2022-02-25 12:05:48,796 - kmip.server - INFO - Dedicating session 00000002 to 172.18.126.34:54848
2022-02-25 12:05:48,797 - kmip.server.session.00000002 - INFO - Starting session: 00000002
2022-02-25 12:05:48,798 - kmip.server.session.00000002 - INFO - Failure running TLS handshake
2022-02-25 12:05:48,798 - kmip.server.session.00000002 - ERROR - [SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:877)
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/PyKMIP-0.11.0.dev1-py3.6.egg/kmip/services/server/session.py", line 102, in run
    self._connection.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 1036, in do_handshake
    self._sslobj.do_handshake()
  File "/usr/lib64/python3.6/ssl.py", line 648, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:877)
2022-02-25 12:05:48,799 - kmip.server.session.00000002 - INFO - Stopping session: 00000002

Below is the server.conf file:

[server]
database_path=/etc/pykmip/pykmip.database
hostname=127.0.0.1
port=5696
certificate_path=/etc/pykmip/server_certificate.pem
key_path=/etc/pykmip/server_key.pem
ca_path=/etc/pykmip/root_certificate.pem
auth_suite=TLS1.2
policy_path=/root/pykmip/examples/
enable_tls_client_auth=False
tls_cipher_suites=TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
logging_level=DEBUG

I confirmed that the cipher suites in server.conf are supported by our client as well. I am using the certificates created using the bin/create_certificates.py script.

I am looking for help troubleshooting the "no shared cipher" error.

beergeek commented 1 year ago

I am having this exact issue with a Go client, but not with a Python 3.7.16 client.

I have configured the server.conf with the following, which is from the Go client:

tls_cipher_suites=
  TLS_RSA_WITH_AES_128_CBC_SHA
  TLS_RSA_WITH_AES_256_CBC_SHA
  TLS_CHACHA20_POLY1305_SHA256
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  TLS_RSA_WITH_AES_128_CBC_SHA
  TLS_RSA_WITH_AES_128_GCM_SHA256
  TLS_RSA_WITH_AES_256_CBC_SHA
  TLS_RSA_WITH_AES_256_GCM_SHA384

All 17 appear in the PyKMIP log:

2023-02-06 06:05:27,396 - kmip.server - DEBUG - TLS_AES_256_GCM_SHA384
2023-02-06 06:05:27,396 - kmip.server - DEBUG - TLS_RSA_WITH_AES_128_GCM_SHA256
2023-02-06 06:05:27,396 - kmip.server - DEBUG - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2023-02-06 06:05:27,396 - kmip.server - DEBUG - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
2023-02-06 06:05:27,396 - kmip.server - DEBUG - TLS_AES_128_GCM_SHA256
2023-02-06 06:05:27,396 - kmip.server - DEBUG - TLS_CHACHA20_POLY1305_SHA256
2023-02-06 06:05:27,396 - kmip.server - DEBUG - TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
2023-02-06 06:05:27,396 - kmip.server - DEBUG - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
2023-02-06 06:05:27,397 - kmip.server - DEBUG - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
2023-02-06 06:05:27,397 - kmip.server - DEBUG - TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
2023-02-06 06:05:27,397 - kmip.server - DEBUG - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
2023-02-06 06:05:27,397 - kmip.server - DEBUG - TLS_RSA_WITH_AES_128_CBC_SHA
2023-02-06 06:05:27,397 - kmip.server - DEBUG - TLS_RSA_WITH_AES_256_GCM_SHA384
2023-02-06 06:05:27,397 - kmip.server - DEBUG - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
2023-02-06 06:05:27,398 - kmip.server - DEBUG - TLS_RSA_WITH_AES_256_CBC_SHA
2023-02-06 06:05:27,398 - kmip.server - DEBUG - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
2023-02-06 06:05:27,398 - kmip.server - DEBUG - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

But I get a similar error:

2023-02-06 06:05:32,045 - kmip.server.session.00000001 - INFO - Starting session: 00000001
2023-02-06 06:05:32,045 - kmip.server.session.00000001 - INFO - Failure running TLS handshake
2023-02-06 06:05:32,045 - kmip.server.session.00000001 - ERROR - [SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:1091)
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/kmip/services/server/session.py", line 102, in run
    self._connection.do_handshake()
  File "/usr/lib64/python3.7/ssl.py", line 1139, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: NO_SHARED_CIPHER] no shared cipher (_ssl.c:1091)
2023-02-06 06:05:32,046 - kmip.server.session.00000001 - INFO - Stopping session: 00000001
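
A matching suite name on both sides is not enough for a handshake to succeed: the suite must also fit the server certificate's key type and the negotiated protocol family, and OpenSSL reports NO_SHARED_CIPHER when nothing passes all of those filters. The following is an added diagnostic sketch, not code from this thread or from PyKMIP; the function names and the two client offers are hypothetical, and the server list is the tls_cipher_suites value from the first server.conf above.

```python
# Added diagnostic sketch, not PyKMIP code. It models only suite-name overlap,
# certificate key type and protocol family; an OpenSSL build can exclude more.

def classify(suite):
    """Return (family, cert_key) implied by an IANA cipher suite name."""
    if "_WITH_" not in suite:
        # TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) do not name an auth method.
        return ("tls13", "any")
    kx_auth = suite[len("TLS_"):suite.index("_WITH_")]   # e.g. "ECDHE_ECDSA"
    return ("tls12", kx_auth.split("_")[-1])             # e.g. "RSA" or "ECDSA"


def shared_candidates(server_suites, client_offer, cert_key, tls13=False):
    """Suites a handshake could select, in the order the server lists them.

    An empty list is the condition reported as NO_SHARED_CIPHER.
    """
    offered = set(client_offer)
    usable = []
    for suite in dict.fromkeys(server_suites):           # drop duplicates, keep order
        family, needs = classify(suite)
        if suite not in offered:
            continue                                      # client never offered it
        if family == "tls13" and not tls13:
            continue                                      # e.g. auth_suite=TLS1.2
        if needs not in ("any", cert_key):
            continue                                      # wrong certificate key type
        usable.append(suite)
    return usable


# tls_cipher_suites from the first server.conf in the thread (auth_suite=TLS1.2).
SERVER_CONF = """TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384""".split()

# Constructed client offers (hypothetical; the thread does not list them).
CLIENT_ALL = list(SERVER_CONF)
CLIENT_ECDSA_ONLY = ["TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
                     "TLS_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    cases = [("client offers all three, RSA cert", CLIENT_ALL, "RSA"),
             ("ECDSA-only client, RSA cert", CLIENT_ECDSA_ONLY, "RSA"),
             ("ECDSA-only client, ECDSA cert", CLIENT_ECDSA_ONLY, "ECDSA")]
    for label, offer, key in cases:
        result = shared_candidates(SERVER_CONF, offer, key)
        print(label, "->", result or "NO_SHARED_CIPHER")
```

The second case shares a suite name with the server yet still yields an empty list, because an ECDSA-authenticated suite cannot be used with an RSA server certificate.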