jssimporter / JSSImporter

JSSImporter is deprecated. Please see the wiki for alternatives
Apache License 2.0

Error running recipes ('bad handshake: Error([('SSL routines', 'SSL3_GET_RECORD', 'wrong version number')],)') #86

Closed T3chGuy77 closed 7 years ago

T3chGuy77 commented 8 years ago

That is the error I get when attempting to run recipes using AutoPkgr. Their devs suggest I post my issue here. Can you help figure out what the issue is?

TSPARR commented 7 years ago

Just throwing my two cents in here, that I'm having the same issue. Our environment is using a SHA-2 Wildcard SSL cert from GeoTrust which is valid. Though I had the same issue when testing against a jamfPro server using a self-signed cert. Both from 10.10 and 10.11 computers.

TSPARR commented 7 years ago

I was using the following Python script to test with as given to me by @homebysix

#!/usr/bin/python
# python-jss smoke test (Python 2.7, matching the /Library/Python/2.7 paths in the traceback).
import jss
# Reads ~/Library/Preferences/com.github.sheagcraig.python-jss.plist, or prompts to create it.
jss_prefs = jss.JSSPrefs()
j = jss.JSS(jss_prefs)      # opens an authenticated session to the JSS API

print j.ComputerGroup()     # lists every computer group on the server

This returned the following errors:

python /Users/administrator/Desktop/list_computer_groups.py
It seems like you do not have a preferences file configured. Please answer the following questions to generate a plist at /Users/administrator/Library/Preferences/com.github.sheagcraig.python-jss.plist for use with python-jss.
The complete URL to your JSS, with port (e.g. 'https://mycasperserver.org:8443') 
URL: https://<my casper server>:8443
API Username: <api user>
API User's Password: 
Do you want to verify that traffic is encrypted by a certificate that you trust?: (Y|N) N
Fetching distribution point info...
Traceback (most recent call last):
  File "/Users/administrator/Desktop/list_computer_groups.py", line 5, in <module>
    jss_prefs = jss.JSSPrefs()
  File "/Library/Python/2.7/site-packages/python_jss-1.5.0-py2.7.egg/jss/jss_prefs.py", line 128, in __init__
    self.configure()
  File "/Library/Python/2.7/site-packages/python_jss-1.5.0-py2.7.egg/jss/jss_prefs.py", line 194, in configure
    self._handle_repos(root)
  File "/Library/Python/2.7/site-packages/python_jss-1.5.0-py2.7.egg/jss/jss_prefs.py", line 209, in _handle_repos
    dpts = jss_server.DistributionPoint()
  File "/Library/Python/2.7/site-packages/python_jss-1.5.0-py2.7.egg/jss/jamf_software_server.py", line 603, in DistributionPoint
    return self.factory.get_object(jssobjects.DistributionPoint, data)
  File "/Library/Python/2.7/site-packages/python_jss-1.5.0-py2.7.egg/jss/jamf_software_server.py", line 875, in get_object
    return self.get_list(obj_class, data, subset)
  File "/Library/Python/2.7/site-packages/python_jss-1.5.0-py2.7.egg/jss/jamf_software_server.py", line 901, in get_list
    result = self.jss.get(url)
  File "/Library/Python/2.7/site-packages/python_jss-1.5.0-py2.7.egg/jss/jamf_software_server.py", line 200, in get
    response = self.session.get(request_url)
  File "/Library/Python/2.7/site-packages/requests-2.12.1-py2.7.egg/requests/sessions.py", line 501, in get
    return self.request('GET', url, **kwargs)
  File "/Library/Python/2.7/site-packages/requests-2.12.1-py2.7.egg/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/Library/Python/2.7/site-packages/requests-2.12.1-py2.7.egg/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/Library/Python/2.7/site-packages/requests-2.12.1-py2.7.egg/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_GET_RECORD', 'wrong version number')],)",)

TSPARR commented 7 years ago

The error changes slightly when I switch over to a Self-Signed Certificate:

python /Users/administrator/Desktop/list_computer_groups.py 
It seems like you do not have a preferences file configured. Please answer the following questions to generate a plist at /Users/administrator/Library/Preferences/com.github.sheagcraig.python-jss.plist for use with python-jss.
The complete URL to your JSS, with port (e.g. 'https://mycasperserver.org:8443') 
URL: https://<my casper server>:8443
API Username: <api user>
API User's Password: 
Do you want to verify that traffic is encrypted by a certificate that you trust?: (Y|N) N
Fetching distribution point info...
Traceback (most recent call last):
  File "/Users/administrator/Desktop/list_computer_groups.py", line 5, in <module>
    jss_prefs = jss.JSSPrefs()
  File "/Library/Python/2.7/site-packages/python_jss-1.5.0-py2.7.egg/jss/jss_prefs.py", line 128, in __init__
    self.configure()
  File "/Library/Python/2.7/site-packages/python_jss-1.5.0-py2.7.egg/jss/jss_prefs.py", line 194, in configure
    self._handle_repos(root)
  File "/Library/Python/2.7/site-packages/python_jss-1.5.0-py2.7.egg/jss/jss_prefs.py", line 209, in _handle_repos
    dpts = jss_server.DistributionPoint()
  File "/Library/Python/2.7/site-packages/python_jss-1.5.0-py2.7.egg/jss/jamf_software_server.py", line 603, in DistributionPoint
    return self.factory.get_object(jssobjects.DistributionPoint, data)
  File "/Library/Python/2.7/site-packages/python_jss-1.5.0-py2.7.egg/jss/jamf_software_server.py", line 875, in get_object
    return self.get_list(obj_class, data, subset)
  File "/Library/Python/2.7/site-packages/python_jss-1.5.0-py2.7.egg/jss/jamf_software_server.py", line 901, in get_list
    result = self.jss.get(url)
  File "/Library/Python/2.7/site-packages/python_jss-1.5.0-py2.7.egg/jss/jamf_software_server.py", line 200, in get
    response = self.session.get(request_url)
  File "/Library/Python/2.7/site-packages/requests-2.12.1-py2.7.egg/requests/sessions.py", line 501, in get
    return self.request('GET', url, **kwargs)
  File "/Library/Python/2.7/site-packages/requests-2.12.1-py2.7.egg/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/Library/Python/2.7/site-packages/requests-2.12.1-py2.7.egg/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/Library/Python/2.7/site-packages/requests-2.12.1-py2.7.egg/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'SSL3_READ_BYTES', 'sslv3 alert handshake failure')],)",)

Attached are redacted screenshots of both certificates: [screen shot 2016-11-30 at 12 01 00] [screen shot 2016-11-30 at 12 01 14]

All jamfPro servers are running 9.96

TSPARR commented 7 years ago

Just to add more information as I continue to poke at this. Using Apple's built-in OpenSSL:

openssl version
OpenSSL 0.9.8zh 14 Jan 2016

openssl s_client -connect <casper server>:8443

CONNECTED(00000003)
68314:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s23_lib.c:185:

If I use homebrew to install an updated version of openssl and manually use their updated version:

/usr/local/opt/openssl/bin/openssl version
OpenSSL 1.0.2j 26 Sep 2016

/usr/local/opt/openssl/bin/openssl s_client -connect <casper server>:8443

CONNECTED(00000003)
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify return:1
depth=1 C = US, O = GeoTrust Inc., CN = GeoTrust SSL CA - G3
verify return:1
depth=0 C = US, ST = <state>, L = <city>, O = <company>, OU = IT, CN = <server name>
verify return:1
---
Certificate chain
 0 s:/C=US/ST=<state>/L=<city>/O=<company>/OU=IT/CN=<server name>
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
<CERT>
-----END CERTIFICATE-----
subject=/C=US/ST=<state>/L=<city>/O=<company>/OU=IT/CN=<server name>
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4227 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: <Session-ID>
    Session-ID-ctx:
    Master-Key: <Master Key>
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1480536795
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

So it's like Apple's OpenSSL version on 10.11.6 isn't handling things correctly.

homebysix commented 7 years ago

Beyond my wheelhouse, but that's some solid troubleshooting.

TSPARR commented 7 years ago

Just wanted to add a little more information as I've researched the error messages. It looks like the errors it's throwing are because it's trying to connect over SSL 2 or SSL 3, which the JSS doesn't allow. I know I'm focusing a lot on OpenSSL, but that's all I'm really familiar enough with to test. Manual Python calls using the requests library seem to go through fine, but I'm very inexperienced with Python.

openssl s_client -ssl2 -connect <casper server>:8443

CONNECTED(00000003)
14419:error:1407F0E5:SSL routines:SSL2_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s2_pkt.c:427:

Notice how below you see the SSL3_GET_RECORD error as in the original output.

openssl s_client -ssl3 -connect <casper server>:8443

CONNECTED(00000003)
14426:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s3_pkt.c:300:

openssl s_client -tls1 -connect <casper server>:8443

CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=<state>/L=<city>/O=<company>/OU=IT/CN=<server name>
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
<CERT>
-----END CERTIFICATE-----
subject=/C=US/ST=<state>/L=<city>/O=<company name>/OU=IT/CN=<server name>
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 3902 bytes and written 426 bytes
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
    Session-ID: <Session ID>
    Session-ID-ctx:
    Master-Key: <Master Key>
    Key-Arg   : None
    Start Time: 1480697379
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

These are all testing against 8443, which is obviously the jamfPro server on Tomcat. We use HTTPS shares for our distribution points, and running the same tests against those, which are protected by the same certificate, works fine. Our jamfPro server is on a 10.11.6 Mac Mini, so this is on Apache. I don't know the relevance of that, but figured if I throw enough at the wall something would stick.

openssl s_client -connect <casper server>:443

CONNECTED(00000003)
depth=2 /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=<state>/L=<city>/O=<company>/OU=IT/CN=<server name>
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 1 s:/C=US/ST=<state>/L=<city>/O=<company>/OU=IT/CN=<server name>
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 3 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
<CERT>
-----END CERTIFICATE-----
subject=/C=US/ST=<state>/L=<city>/O=<company>/OU=IT/CN=<server name>
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
---
No client certificate CA names sent
---
SSL handshake has read 6475 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: <Session ID>
    Session-ID-ctx:
    Master-Key: <Master Key>
    Key-Arg   : None
    Start Time: 1480697630
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

It seems like I'm getting mixed signals even though all certificates have been imported from the same PFX file. Here is a redacted screenshot of GeoCert's SSL Checker which shows zero issues: [screen shot 2016-12-02 at 13 44 07]

I believe the self-signed certificate errors are coming from the root cert, based on this screenshot from http://ssl-checker.online-domain-tools.com/: [screen shot 2016-12-02 at 13 49 30]

I couldn't find any more that allow checks on a port that isn't 443.

I'm happy to run any further troubleshooting steps or provide unredacted versions in a DM if necessary. Feel free to reach out to me on the MacAdmins Slack. I'm tyler.sparr on there.

TSPARR commented 7 years ago

Thanks for acting as a sounding board for this issue. I was able to self-resolve finally. I saw what was posted in #95 and figured hey, why don't I give that a shot. Turned out to resolve the issue for some of my jamfPro servers, but not all of them.

So first I ran the below:

sudo easy_install pip && pip install -I --user pyopenssl

And then just to be safe, ran:

pip install -I --user jss-importer

The key difference I found between the ones that worked and the ones that didn't was that TLS 1.0 was disabled on some of them, as recommended by our security team. Now obviously, I don't want to have to re-enable TLS 1.0 if I don't have to, but I'm just so happy to actually have come to an answer on my own. I guess you could consider this a dupe of #89.

sheagcraig commented 7 years ago

Just coming to this super late. But yes, "fresh" 10.11 and 10.12 installs lack the correct cryptography libraries for this all to work, and they won't let you update the installed ones to the system location. The pip install to your user site_packages directory allows the user libraries to supersede the system ones.
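The diagnosis in this thread (TSPARR's per-protocol s_client tests and the TLS 1.0 finding, plus sheagcraig's point about outdated system crypto libraries) comes down to a mismatch between the protocol versions the client's OpenSSL can offer and the ones the server accepts. The script below is an added example, not part of this issue, python-jss or JSSImporter: it reports whether the local OpenSSL can speak TLS 1.2, probes a server one TLS version at a time, and keeps protocol refusals separate from certificate-trust failures (the "self signed certificate in certificate chain" noise in the s_client output above is a trust problem, not a handshake problem). It assumes Python 3.7+; the reason-string mapping is constructed from the OpenSSL error texts quoted in this thread.

```python
"""Separate 'old client OpenSSL' from 'server TLS policy' when a handshake fails.

Added diagnostic, not part of python-jss or JSSImporter. Requires Python 3.7+
(ssl.TLSVersion, ssl.SSLCertVerificationError).
"""
import socket
import ssl
import sys

# Constructed mapping: OpenSSL reason strings quoted in this thread -> likely cause.
KNOWN_REASONS = {
    "wrong version number": (
        "server replied with a record version the client did not expect; "
        "the client offered a protocol (SSLv3/TLS 1.0) the server does not speak"
    ),
    "sslv3 alert handshake failure": (
        "server sent a fatal handshake_failure alert; no protocol version or "
        "cipher suite in common"
    ),
    "ssl handshake failure": (
        "client aborted during legacy (SSL2/SSL23) negotiation before a "
        "protocol was agreed"
    ),
}

TLS_VERSIONS = (
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
)


def classify_error(message):
    """Map the text of an SSLError to a likely cause, or None if unrecognised."""
    lowered = message.lower()
    for fragment, meaning in KNOWN_REASONS.items():
        if fragment in lowered:
            return meaning
    return None


def client_supports_tls12():
    """True if the OpenSSL linked into this interpreter can speak TLS 1.2.

    OpenSSL gained TLS 1.1/1.2 in 1.0.1; Apple's 0.9.8 build seen above tops
    out at TLS 1.0, which is why a server with TLS 1.0 disabled rejects it.
    """
    has_flag = getattr(ssl, "HAS_TLSv1_2", None)
    if has_flag is not None:
        return bool(has_flag)
    return ssl.OPENSSL_VERSION_INFO[:3] >= (1, 0, 1)


def probe_versions(host, port=8443, timeout=5.0):
    """Handshake once per TLS version and report how the server responds.

    Needs network access. Certificate verification stays on so that a trust
    problem (self-signed root, name mismatch) is reported separately from a
    protocol refusal: both look alike in the tracebacks above but need
    different fixes.
    """
    results = {}
    for name, version in TLS_VERSIONS:
        ctx = ssl.create_default_context()
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ValueError, ssl.SSLError):
            results[name] = "not available in local OpenSSL"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = "accepted, cipher %s" % tls.cipher()[0]
        except ssl.SSLCertVerificationError as exc:
            # Protocol negotiation succeeded; the chain is what the client rejects.
            results[name] = "protocol ok, certificate not trusted: %s" % exc.verify_message
        except ssl.SSLError as exc:
            results[name] = "handshake failed: %s" % (classify_error(str(exc)) or str(exc))
        except OSError as exc:
            results[name] = "connection error: %s" % exc
    return results


if __name__ == "__main__":
    print("local OpenSSL:", ssl.OPENSSL_VERSION)
    print("TLS 1.2 capable:", client_supports_tls12())
    if len(sys.argv) > 1:
        target_host = sys.argv[1]
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443
        for version_name, outcome in probe_versions(target_host, target_port).items():
            print("%-8s %s" % (version_name, outcome))
```

Run it as `python3 tls_probe.py <casper server> 8443` with the interpreter that python-jss actually uses: if "TLS 1.2 capable" is False, the fix is on the client (newer OpenSSL/pyOpenSSL, as in the pip commands above); if TLS 1.2 is accepted by the server but TLS 1.0 shows "handshake failed", the server's TLS 1.0 policy is doing exactly what the security team asked for and the client is the thing to update.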

duginivijay commented 6 years ago

@TSPARR I'm facing the same SSL issue. Please find the error message below. I've run the commands instructed above. The first one goes totally fine, but the second, to install jss-importer, yells at me as shown below. I'm not using jss-importer in my project.

$ pip install -I --user jss-importer
Collecting jss-importer
Could not find a version that satisfies the requirement jss-importer (from versions: )
No matching distribution found for jss-importer

Error I'm facing:

SSLError: HTTPSConnectionPool(host='localhost', port=5000): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_record', 'wrong version number')],)",),))

Any help is appreciated.