Open halcyonone opened 7 years ago
Had the same issue here. Is there a way to skip SSL verification?
I'm using an etcd SSL connection too. Can you show your code to connect to etcd with etcd.Client()? Thank you very much!
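Fix -- force TLS1.2 (this will error if your Python doesn't support it)
```python
import etcd
import ssl

# Client certificate/key pair plus the CA used to verify the etcd server.
c = etcd.Client(host='localhost', port=2379, cert=('/certs/cert', '/certs/key'), ca_cert='/certs/ca_cert', protocol='https')
# Pin the underlying urllib3 connection pools to TLS 1.2.
c.http.connection_pool_kw['ssl_version'] = ssl.PROTOCOL_TLSv1_2
```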
@ColinChartier I like your patch, although I'm thinking we should just go with TLS 1.2 by default on any python version that supports it. Maybe drop support for any pyopenssl version that doesn't?
@lavagetto I'm not actually sure which ETCD versions support which encryption versions -- I know for sure that you will alienate a lot of python 2 folks on Mac at least if you do that.
The problem is that python itself needs to be recompiled with the specific openssl version, unless you use PyOpenSSL or whatever, and that is a huge hassle in general.
Also-- I upgraded python-etcd after the patch that removed forced TLS1.1 in the constructor and everything is working for me (this issue no longer presents), so I suppose that newer ETCD servers only accept TLS1.2. You could give a more descriptive error message if negotiation fails and the TLSv1_2 constant is unset in ssl.py
I have the same problem, who can help me?
I use SSL to connect to the etcd server; the error is etcd.EtcdConnectionFailed: Connection to etcd failed due to SSLError(SSLError(1, u'[SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:590)'),)
My etcd server version is 3.1.3, python-etcd version is 0.4.5, please help me, thx.
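The thread suggests a more descriptive error when negotiation fails and the TLSv1_2 constant is unset. The sketch below is an added example, not code from this thread or from python-etcd: it classifies the alert quoted above and builds a client context that requires TLS 1.2 or newer while keeping certificate verification on. The function names `local_tls12_support`, `explain_ssl_error` and `strict_client_context` are hypothetical.

```python
import ssl

# Alert name taken from the error text quoted in the thread.
PROTOCOL_VERSION_ALERT = "TLSV1_ALERT_PROTOCOL_VERSION"


def local_tls12_support():
    """True if this interpreter's ssl module can speak TLS 1.2."""
    # HAS_TLSv1_2 exists on Python 3.7+; older builds only expose the constant.
    return bool(getattr(ssl, "HAS_TLSv1_2", hasattr(ssl, "PROTOCOL_TLSv1_2")))


def explain_ssl_error(message, has_tls12=None):
    """Map a raw SSLError string to an actionable message, or None if unrelated."""
    if has_tls12 is None:
        has_tls12 = local_tls12_support()
    if PROTOCOL_VERSION_ALERT not in message:
        return None  # not a protocol-version rejection; caller handles it
    if not has_tls12:
        return ("peer rejected the offered TLS version and this Python (%s) "
                "has no TLS 1.2 support; upgrade or rebuild Python/OpenSSL"
                % ssl.OPENSSL_VERSION)
    return ("peer rejected the offered TLS version; the client is likely "
            "pinned below TLS 1.2, so set ssl_version to ssl.PROTOCOL_TLSv1_2")


def strict_client_context(cafile=None):
    """Client context: TLS 1.2 or newer, certificate and hostname checks on."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # Python 3.7+
    return ctx


if __name__ == "__main__":
    # Constructed sample: the error string as reported in the thread.
    sample = ("SSLError(1, u'[SSL: TLSV1_ALERT_PROTOCOL_VERSION] "
              "tlsv1 alert protocol version (_ssl.c:590)')")
    print("TLS 1.2 available locally:", local_tls12_support())
    print(explain_ssl_error(sample))
    ctx = strict_client_context()
    print("minimum version:", ctx.minimum_version.name,
          "| verify:", ctx.verify_mode.name)
```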