search

Xpra-org / xpra

Persistent remote applications for X11; screen sharing for X11, MacOS and MSWindows.
https://xpra.org/
GNU General Public License v2.0
1.93k stars 165 forks source link

RuntimeError: OpenSSL 3.0's legacy provider failed to load. #3913

Closed foice closed 1 year ago

foice commented 1 year ago

I am using client 4.4.6 on Mac OS (installed from pkg) and server 4.4.4 on Almalinux installed from dnf with the repo baseurl=https://xpra.org/dists/almalinux/$releasever/$basearch/. I get this error when issuing xpra start ssh:d114 --start=xterm where d114 is an entry in my .ssh/config file with a jump-host.

RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration.

I have made sure OpenSSL and not LibreSSL is MacOS PATH and I also modified the open SSL configuration on both server and client to load the legacy provider, as explained here.

Still I get the same error. I see that some recent versions changelog has items related to silencing SSL errors, maybe related?

I have seen this problem also changing my client to 3.1.5 (installed via pkg), but I do not get it if I use client 3.0.8 (of which I have a backup copy from and old install from pkg or dmg, can't remember) Any suggestion to debug/surpass this error?

totaam commented 1 year ago

This error has been fixed in all recent builds, including 4.4.6: 11164643ae02263a1eca88444aa7918d53027628 and 3.1.5: fefe5b48cd3f1b5bd9cd5d0bcd3b287ce2110b24

You haven't specified how you installed xpra or what command line you have used to trigger the problem, which makes it impossible to diagnose. Please see: https://github.com/Xpra-org/xpra/wiki/Reporting-Bugs

foice commented 1 year ago

This error has been fixed in all recent builds, including 4.4.6: 1116464 and 3.1.5: fefe5b4

You haven't specified how you installed xpra or what command line you have used to trigger the problem, which makes it impossible to diagnose. Please see: https://github.com/Xpra-org/xpra/wiki/Reporting-Bugs

Now the original post should be fixed and contain the info you requested. Thanks for your time.

totaam commented 1 year ago

I have made sure OpenSSL and not LibreSSL is MacOS PATH

These changes will be ignored by xpra which uses its own $PATH pointing inside the installed application on MacOS.

and I also modified the open SSL configuration on both server and client to load the legacy provider, as explained here.

Don't do that. Xpra sets CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1.

My guess is that the openssl environment variable is not being applied with xpra start ssh:// URLs. You should be able to start xpra with: CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 xpra start ssh Or by first starting your server instance and then using xpra attach instead.

foice commented 1 year ago

Thanks for chiming in. I managed to haveit to work issuing xpra start :7 and DISPLAY=:7 Mathematica on the server (also tried xterm and firefox, 7 of course can be changed). Then on the client I used 

CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 xpra attach ssh://d114/7

Without the CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 it does not work. Please note I have not changed my openssl.cfg, it still loads legacy stuff, but I'd say this has no impact now, maybe I am wrong, see below.

Unfortunately if I try the one-shot command from the client CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 xpra start ssh:d114 --start=xterm there is a new error

2023-07-05 10:56:04,573  SSH: 'Actual display used: :0'
2023-07-05 10:56:04,573  SSH: "Actual log file name is now: '/run/user/1000/xpra/0/server.log'"
2023-07-05 10:56:07,856 Warning: received cipher block,
2023-07-05 10:56:07,856  but we don't have a cipher to decrypt it with,
2023-07-05 10:56:07,856  not an xpra client?
2023-07-05 10:56:07,856 Error: failed to connect
2023-07-05 10:56:07,856  received uninterpretable nonsense: invalid encryption packet flag (no cipher configured): 0x50e33f0000000000
2023-07-05 10:56:07,856  b'P\xe3?\x00\x00\x00\x00\x00' (8 bytes)
2023-07-05 10:56:07,857  data: 'Pã?\x00\x00\x00\x00\x00'
2023-07-05 10:56:07,862 SSH EOF on stderr of run-xpra
2023-07-05 10:56:07,873 removing unix domain socket '/Users/roberto/.xpra/clients/RobertoBP132021.lan-26264'

Any chance that I can get the one-shot command to work from the server if I revert to not have openssl to load legacy providers?

totaam commented 1 year ago

to work issuing xpra start :7 and DISPLAY=:7 Mathematica

Don't do that. Use this instead: xpra start :7 --start=Mathematica

CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 xpra start ssh:d114 --start=xterm there is a new error (..) b'P\xe3?\x00\x00\x00\x00\x00' (8 bytes)

Odd. This looks like a zero-length encrypted packet.

BTW, as per my examples, ssh:d114 is deprecated. Use ssh://d114/

Perhaps the problem comes from using the automatic display :0, try specifying another one: ssh://HOST/DISPLAY. ie: ssh://d111/7

foice commented 1 year ago

Finally had time to try out. The one-shot command from the client seems not to work no matter the variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY is set or not. 

xpra start ssh://d114/9 --start=xterm
grep: /usr/share/locale/locale.alias: No such file or directory
xpra main error:
Traceback (most recent call last):
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/main.py", line 156, in main
    return run_mode(script_file, cmdline, err, options, args, mode, defaults)
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/main.py", line 465, in run_mode
    return do_run_mode(script_file, cmdline, error_cb, options, args, mode, defaults)
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/main.py", line 476, in do_run_mode
    return run_remote_server(script_file, cmdline, error_cb, options, args, mode, defaults)
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/main.py", line 1917, in run_remote_server
    params = parse_display_name(error_cb, opts, display_name, cmdline)
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/parsing.py", line 482, in parse_display_name
    ssh = parse_ssh_option(opts.ssh)
  File "/Applications/Xpra.app/Contents/Resources/lib/python/xpra/scripts/parsing.py", line 661, in parse_ssh_option
    import paramiko
  File "/Applications/Xpra.app/Contents/Resources/lib/python/paramiko/__init__.py", line 22, in <module>
    from paramiko.transport import (
  File "/Applications/Xpra.app/Contents/Resources/lib/python/paramiko/transport.py", line 137, in <module>
    class Transport(threading.Thread, ClosingContextManager):
  File "/Applications/Xpra.app/Contents/Resources/lib/python/paramiko/transport.py", line 211, in Transport
    if KexCurve25519.is_available():
  File "/Applications/Xpra.app/Contents/Resources/lib/python/paramiko/kex_curve25519.py", line 30, in is_available
    X25519PrivateKey.generate()
  File "cryptography/hazmat/primitives/asymmetric/x25519.pyc", line 59, in generate
  File "cryptography/hazmat/backends/openssl/__init__.pyc", line 7, in <module>
  File "cryptography/hazmat/backends/openssl/backend.pyc", line 27, in <module>
  File "cryptography/hazmat/bindings/openssl/binding.pyc", line 167, in <module>
  File "cryptography/hazmat/bindings/openssl/binding.pyc", line 134, in init_static_locks
  File "cryptography/hazmat/bindings/openssl/binding.pyc", line 123, in _ensure_ffi_initialized
  File "cryptography/hazmat/bindings/openssl/binding.pyc", line 43, in _legacy_provider_error
RuntimeError: OpenSSL 3.0's legacy provider failed to load. This is a fatal error by default, but cryptography supports running without legacy algorithms by setting the environment variable CRYPTOGRAPHY_OPENSSL_NO_LEGACY. If you did not expect this error, you have likely made a mistake with your OpenSSL configuration.
CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 xpra start ssh://d114/9 --start=xterm
grep: /usr/share/locale/locale.alias: No such file or directory

(Xpra:41782): Gtk-CRITICAL **: 20:49:56.128: gtk_window_add_accel_group: assertion 'GTK_IS_WINDOW (window)' failed
2023-07-10 20:49:56,204 Xpra GTK3 client version 4.4.6-r29 64-bit
2023-07-10 20:49:56,244  running on Mac OS X 10.16
grep: /usr/share/locale/locale.alias: No such file or directory
grep: /usr/share/locale/locale.alias: No such file or directory
2023-07-10 20:50:00,287 GStreamer version 1.22.3
2023-07-10 20:50:00,312 created unix domain socket '/Users/roberto/.xpra/clients/DGTELA-033.personale.local-41782'
2023-07-10 20:50:01,062 Warning: vendor 'Intel Inc.' is greylisted,
2023-07-10 20:50:01,062  you may want to turn off OpenGL if you encounter bugs
2023-07-10 20:50:01,189 OpenGL enabled on 'Intel(R) Iris(TM) Plus Graphics OpenGL Engine'
2023-07-10 20:50:02,769 Connected (version 2.0, client OpenSSH_8.7)
2023-07-10 20:50:03,213 Authentication (publickey) failed.
2023-07-10 20:50:03,674 Authentication (publickey) successful!
2023-07-10 20:50:06,151 ssh server OS is 'linux-gnu'

(Xpra:41782): Gtk-CRITICAL **: 20:50:07.429: gtk_window_add_accel_group: assertion 'GTK_IS_WINDOW (window)' failed
2023-07-10 20:50:07,462  keyboard settings: layout=us
2023-07-10 20:50:07,470  desktop size is 1440x900:
2023-07-10 20:50:07,470   robertos-macbook-pro132021.local (381x238 mm - DPI: 96x96) workarea: 1395x875  at   45x25
2023-07-10 20:50:07,470     monitor 1        (285x179 mm - DPI: 128x128)
2023-07-10 20:50:07,477  SSH: ' * keychain 2.8.5 ~ http://www.funtoo.org'
2023-07-10 20:50:07,719  SSH: ' * Found existing ssh-agent: 27607'
2023-07-10 20:50:07,719  SSH: ' * Known ssh key: /home/roberto/.ssh/id_ed25519_SF'
2023-07-10 20:50:07,907  SSH: 'WARNING: low display number: 9'
2023-07-10 20:50:07,907  SSH: ' You are attempting to run the xpra server'
2023-07-10 20:50:07,907  SSH: " against a low X11 display number: ':9'"
2023-07-10 20:50:07,907  SSH: ' This is generally not what you want.'
2023-07-10 20:50:07,907  SSH: ' You should probably use a higher display number'
2023-07-10 20:50:07,908  SSH: ' just to avoid any confusion and this warning message.'
2023-07-10 20:50:08,502  SSH: 'Entering daemon mode; any further errors will be reported to:'
2023-07-10 20:50:08,503  SSH: "  '/run/user/1000/xpra/9/server.log'"
2023-07-10 20:50:15,582 Warning: received cipher block,
2023-07-10 20:50:15,582  but we don't have a cipher to decrypt it with,
2023-07-10 20:50:15,582  not an xpra client?
2023-07-10 20:50:15,584 Error: failed to connect
2023-07-10 20:50:15,584  received uninterpretable nonsense: invalid encryption packet flag (no cipher configured): 0x50e33f0000000000
2023-07-10 20:50:15,585  b'P\xe3?\x00\x00\x00\x00\x00' (8 bytes)
2023-07-10 20:50:15,585  data: 'Pã?\x00\x00\x00\x00\x00'
2023-07-10 20:50:15,595 SSH EOF on stderr of run-xpra
2023-07-10 20:50:15,605 removing unix domain socket '/Users/roberto/.xpra/clients/DGTELA-033.personale.local-41782'
totaam commented 1 year ago

The one-shot command from the client seems not to work no matter ..

These are two completely unrelated errors.

2023-07-10 20:50:07,477 SSH: ' * keychain 2.8.5 ~ http://www.funtoo.org'

Where are these messages coming from?

2023-07-10 20:50:07,907 SSH: 'WARNING: low display number: 9'

Just like it tells you, don't use low display numbers and get rid of those warnings.

received uninterpretable nonsense: invalid encryption packet flag (no cipher configured): 0x50e33f0000000000 b'P\xe3?\x00\x00\x00\x00\x00' (8 bytes) data: 'Pã?\x00\x00\x00\x00\x00'

Your connection is producing junk data:

from xpra.net.protocol.header import unpack_header
unpack_header(b'P\xe3?\x00\x00\x00\x00\x00')
(b'P', 227, 63, 0, 0)

This is not an xpra packet. Something is polluting the ssh process's output.

Like I said before:

Or by first starting your server instance and then using xpra attach instead.

foice commented 1 year ago

Just to give some info. On the server there is keychain running to ensure keys are brought up. I have tried with display number 19, still junk data.

I am not sure what is special with my connection. that "produced junk". In any case, surprisingly, if I run the command a second time on the same display it works.

totaam commented 1 year ago

Just to give some info. On the server there is keychain running to ensure keys are brought up.

I don't know when it is launched or how, but perhaps this is why your stdout contains junk data.

I have tried with display number 19, still junk data.

Of course, this is only meant to remove the ugly warning, nothing else.

I am not sure what is special with my connection. that "produced junk". In any case, surprisingly, if I run the command a second time on the same display it works.

Clearly, something is getting launched the first time and polluting stdout. Could be keychain or something Xorg related.

foice commented 1 year ago

This is still usable, but not how intended. So let me try to help debug it. I have disabled keychain from my bashrc. Still same problem

>CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1 xpra start ssh://d114/49 --start=xterm
grep: /usr/share/locale/locale.alias: No such file or directory
grep: /usr/share/locale/locale.alias: No such file or directory

(Xpra:45779): Gtk-CRITICAL **: 23:16:29.681: gtk_window_add_accel_group: assertion 'GTK_IS_WINDOW (window)' failed
2023-07-10 23:16:29,808 Xpra GTK3 client version 4.4.6-r29 64-bit
2023-07-10 23:16:29,855  running on Mac OS X 10.16
grep: /usr/share/locale/locale.alias: No such file or directory
2023-07-10 23:16:34,291 GStreamer version 1.22.3
2023-07-10 23:16:34,363 created unix domain socket '/Users/roberto/.xpra/clients/DGTELA-033.personale.local-45779'
2023-07-10 23:16:35,232 Warning: vendor 'Intel Inc.' is greylisted,
2023-07-10 23:16:35,232  you may want to turn off OpenGL if you encounter bugs
2023-07-10 23:16:35,367 OpenGL enabled on 'Intel(R) Iris(TM) Plus Graphics OpenGL Engine'
2023-07-10 23:16:37,189 Connected (version 2.0, client OpenSSH_8.7)
2023-07-10 23:16:37,859 Authentication (publickey) failed.
2023-07-10 23:16:38,385 Authentication (publickey) successful!
2023-07-10 23:16:39,334 ssh server OS is 'linux-gnu'

(Xpra:45779): Gtk-CRITICAL **: 23:16:40.347: gtk_window_add_accel_group: assertion 'GTK_IS_WINDOW (window)' failed
2023-07-10 23:16:40,408  keyboard settings: layout=us
2023-07-10 23:16:40,412  desktop size is 1440x900:
2023-07-10 23:16:40,413   robertos-macbook-pro132021.local (381x238 mm - DPI: 96x96) workarea: 1395x875  at   45x25
2023-07-10 23:16:40,413     monitor 1        (285x179 mm - DPI: 128x128)
2023-07-10 23:16:41,030  SSH: 'Entering daemon mode; any further errors will be reported to:'
2023-07-10 23:16:41,031  SSH: "  '/run/user/1000/xpra/49/server.log'"
2023-07-10 23:16:48,208 Warning: received cipher block,
2023-07-10 23:16:48,209  but we don't have a cipher to decrypt it with,
2023-07-10 23:16:48,209  not an xpra client?
2023-07-10 23:16:48,210 Error: failed to connect
2023-07-10 23:16:48,211  received uninterpretable nonsense: invalid encryption packet flag (no cipher configured): 0x50e33f0000000000
2023-07-10 23:16:48,211  b'P\xe3?\x00\x00\x00\x00\x00' (8 bytes)
2023-07-10 23:16:48,211  data: 'Pã?\x00\x00\x00\x00\x00'
2023-07-10 23:16:48,227 SSH EOF on stderr of run-xpra
2023-07-10 23:16:48,256 removing unix domain socket '/Users/roberto/.xpra/clients/DGTELA-033.personale.local-45779'
totaam commented 1 year ago

So let me try to help debug it.

To debug this, just run the client with --ssh 'ssh -v' -d ssh then cut&paste the ssh command line into a plain terminal. It should try to run some _proxy_start command, this command will exit with a "not an xpra packet" error if you enter a carriage return. Perhaps the problem is only with the paramiko backend. In which case, a plain -d ssh will show more details.

BTW, you should fix this: grep: /usr/share/locale/locale.alias: No such file or directory Something on your system is not configured properly.

totaam commented 1 year ago

I assume that this error is gone with the v5 builds.