akarneliuk / pygnmi

The pure Python implementation of the gNMI client.
https://training.karneliuk.com
BSD 3-Clause "New" or "Revised" License

Problem connecting to SROS device when using encryption #64

Closed cliff-ha closed 2 years ago

cliff-ha commented 2 years ago

I have the same problem as the user had in case #59. When I look at a Wireshark of the data that is sent with gnmic, which is working, it is using TLS 1.2, but when I use pygnmi it is using TLS 1.

It works when I add the os value in case #59 (os.environ["GRPC_SSL_CIPHER_SUITES"] = "HIGH"), but is there not a way where pygnmi can negotiate the TLS version with the devices, so we do not have to change this for what device we are talking to?

akarneliuk commented 2 years ago

Hello @cliff-ha ,

Thanks for raising that up. Let us investigate that. We rely on the default behaviour of grpc library for that. Maybe there is a way to alter that.

Best, Anton

akarneliuk commented 2 years ago

Hey @cliff-ha ,

We've embedded and tested automatic change of cipher to high in case of failure. We have published the new release 0.7.0 which has this feature. Could you please give it a go and let us know your results, please?

Thanks, Anton

akarneliuk commented 2 years ago

Hello @cliff-ha ,

Please reopen the ticket if you have any issues.

Best, Anton

cliff-ha commented 2 years ago

Hi @akarneliuk, I just updated to 0.7.1 but I am still unable to connect without setting the cipher suite.

akarneliuk commented 2 years ago

Hey @cliff-ha , can you please post the output of the script's execution? Best, Anton

cliff-ha commented 2 years ago

Sure, it looks like this:

Traceback (most recent call last):
  File "/git/python/code/Test/test.py", line 15, in
    with gNMIclient(target=(hostname, 57400), username=username, password=password, path_cert=certpath) as gc:
  File "/git/python/venv/lib/python3.9/site-packages/pygnmi/client.py", line 94, in enter
    return self.connect()
  File "/git/python/venv/lib/python3.9/site-packages/pygnmi/client.py", line 146, in connect
    self.wait_for_connect(timeout)
  File "/git/python/venv/lib/python3.9/site-packages/pygnmi/client.py", line 156, in wait_for_connect
    grpc.channel_ready_future(self.__channel).result(timeout=timeout)
  File "/git/python/venv/lib/python3.9/site-packages/grpc/_utilities.py", line 139, in result
    self._block(timeout)
  File "/git/python/venv/lib/python3.9/site-packages/grpc/_utilities.py", line 85, in _block
    raise grpc.FutureTimeoutError()
grpc.FutureTimeoutError

akarneliuk commented 2 years ago

Hey @cliff-ha , hope you are doing well. I did a bit of research and, to be honest, I am a bit puzzled with your

os.environ["GRPC_SSL_CIPHER_SUITES"] = "HIGH"

So the default values are ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384, which seems sane. At the same time, there is no cipher called "HIGH".

With this, can you please share your code where you set the environment and the connection to Nokia SR OS starts working fine, please? I'd like to see the working example to figure out if I can back port it.

Best, Anton
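Added example, not part of the thread and not pygnmi code: in OpenSSL cipher-list syntax, "HIGH" is a keyword that expands to a group of suites rather than the name of one suite, so the sketch below compares what the two strings from this thread select and whether each overlaps with a device's suites. It assumes Python's ssl module (OpenSSL) as a stand-in for the TLS library bundled with grpc, which may expand the keyword differently; SAMPLE_DEVICE_SUITES is a constructed set, not data from Nokia SR OS.

```python
import ssl

# Default list quoted in the thread, and the override the reporter set.
GRPC_DEFAULT = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
OVERRIDE = "HIGH"

# Constructed sample: suites a hypothetical device accepts (not SR OS data).
SAMPLE_DEVICE_SUITES = {"AES256-GCM-SHA384", "DHE-RSA-AES256-GCM-SHA384"}


def expand(spec):
    """Return the TLS 1.2-and-below suite names a cipher string selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately and are always listed; skip them.
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def negotiable(client_spec, server_suites):
    """Suites both sides share; an empty set means the handshake cannot complete."""
    return expand(client_spec) & set(server_suites)


def without_forward_secrecy(spec):
    """Suites in the expansion that use neither ECDHE nor DHE key exchange."""
    return {n for n in expand(spec) if not n.startswith(("ECDHE-", "DHE-"))}


if __name__ == "__main__":
    for spec in (GRPC_DEFAULT, OVERRIDE):
        print(f"{spec!r}: {len(expand(spec))} suites, "
              f"{len(without_forward_secrecy(spec))} without forward secrecy, "
              f"shared with sample device: "
              f"{sorted(negotiable(spec, SAMPLE_DEVICE_SUITES))}")
```

To keep the client's offer narrow, replace SAMPLE_DEVICE_SUITES with the suites seen in the device's ServerHello from a working capture and add only the shared suite to GRPC_SSL_CIPHER_SUITES instead of the whole "HIGH" group.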

akarneliuk commented 2 years ago

Closed due to inactivity