Closed krispayne closed 4 years ago
I was able to get this to work by editing the `ssl_version` in the `tlsadapter.py` located in `/Library/Python/2.7/site-packages/jss/tlsadapter.py`.
old: `ssl_version=ssl.PROTOCOL_TLSv1`
new: `ssl_version=ssl.PROTOCOL_TLSv1_2`
Verified that autopkg/JSSImporter still functions as expected. Did not test any others that might also use the python-jss.
Can test later this afternoon.
I updated that line and I still get SSL errors:
```
[user@server]$ jss_helper promote
Warning: Import of FoundationPlist failed: No module named Foundation
See README for information on this issue.
Traceback (most recent call last):
  File "/usr/local/bin/jss_helper", line 107, in <module>
    main()
  File "/usr/local/bin/jss_helper", line 100, in main
    args.func(args)
  File "/usr/local/bin/jss_helper_lib/actions.py", line 541, in promote
    all_packages = jss_connection.Package()
  File "/usr/local/lib/python2.7/site-packages/jss/jamf_software_server.py", line 726, in Package
    return self.factory.get_object(jssobjects.Package, data)
  File "/usr/local/lib/python2.7/site-packages/jss/jamf_software_server.py", line 875, in get_object
    return self.get_list(obj_class, data, subset)
  File "/usr/local/lib/python2.7/site-packages/jss/jamf_software_server.py", line 901, in get_list
    result = self.jss.get(url)
  File "/usr/local/lib/python2.7/site-packages/jss/jamf_software_server.py", line 200, in get
    response = self.session.get(request_url)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 525, in get
    return self.request('GET', url, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 512, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 622, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 511, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='my.jss.com, port=8443): Max retries exceeded with url: /JSSResource/packages (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert handshake failure')],)",),))
[user@server]$
```
I updated in /usr/local/lib/python2.7/site-packages/jss
and am now cooking with gas again.
fwiw:
```
locate tlsadapter.py
/Library/Application Support/JSSImporter/jss/tlsadapter.py
/Library/Python/2.7/site-packages/jss/tlsadapter.py
/Library/Python/2.7/site-packages/jss/tlsadapter.pyc
/usr/local/lib/python2.7/site-packages/jss/tlsadapter.py
/usr/local/lib/python2.7/site-packages/jss/tlsadapter.pyc
```
@krispayne I'm getting this issue as well. Do you update the line `ssl_version=ssl.PROTOCOL_TLSv1_2` in all of those files or just `tlsadapter.py` in `/usr/local/`?
You will probably need to find and update all of them unless you know specifically which `tlsadapter.py` is being used. It doesn't hurt to update them all though.
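Added example (not part of the thread, and not python-jss or jss_helper code): one way to see which `tlsadapter.py` copy Python would import from an ordered search path, and which `ssl.PROTOCOL_*` constant each copy pins. The directory names and file bodies in `demo()` are constructed, and the script is written for Python 3 rather than the Python 2.7 used in the thread.

```python
import re
import tempfile
from importlib.machinery import PathFinder
from pathlib import Path

# The keyword argument edited in the thread, e.g. ssl_version=ssl.PROTOCOL_TLSv1
PIN_RE = re.compile(r"ssl_version\s*=\s*ssl\.(PROTOCOL_\w+)")
# Constants that can never negotiate TLS 1.2
LEGACY = {"PROTOCOL_SSLv2", "PROTOCOL_SSLv3", "PROTOCOL_TLSv1", "PROTOCOL_TLSv1_1"}


def audit(search_path, package="jss", module="tlsadapter"):
    """Report every <package>/<module>.py on search_path (ordered like sys.path)."""
    dirs = [str(d) for d in search_path]
    spec = PathFinder.find_spec(package, dirs)  # the copy an import would pick
    active = None
    if spec and spec.submodule_search_locations:
        pkg_dir = Path(list(spec.submodule_search_locations)[0])
        active = (pkg_dir / (module + ".py")).resolve()
    report = []
    for d in dirs:
        copy = Path(d) / package / (module + ".py")
        if not copy.is_file():
            continue
        match = PIN_RE.search(copy.read_text(errors="replace"))
        proto = match.group(1) if match else None  # None: nothing pinned (e.g. empty file)
        report.append({"path": str(copy), "protocol": proto,
                       "legacy": proto in LEGACY, "active": copy.resolve() == active})
    return report


def demo():
    """Constructed layout: three copies, only the non-imported one was edited."""
    root = Path(tempfile.mkdtemp())
    layout = [  # (directory, constructed file body, not python-jss source), in import order
        ("usr_local", "adapter = dict(ssl_version=ssl.PROTOCOL_TLSv1)\n"),
        ("library_python", "adapter = dict(ssl_version=ssl.PROTOCOL_TLSv1_2)\n"),
        ("app_support", ""),
    ]
    for name, body in layout:
        pkg = root / name / "jss"
        pkg.mkdir(parents=True)
        (pkg / "__init__.py").write_text("")
        (pkg / "tlsadapter.py").write_text(body)
    return audit([root / name for name, _ in layout])


if __name__ == "__main__":
    for row in demo():
        print(row)
```

A row with both `active` and `legacy` set to true is the copy that still needs the edit; on a real machine, pass the interpreter's own `sys.path` to `audit()`.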
looks like those other instances don't exist and the pyc version is incomprehensible
pyc would be compiled
update your locate DB (`sudo /usr/libexec/locate.updatedb`) and run `locate tlsadapter.py` to see all versions
The one that I found in `/Library/Application Support/` is empty. Could I have accidentally created that when I was doing a vim command to find/edit that file, or do I do a single line in there?
Ah, looks like python-jss' code doesn't have anything in that file. I'm just going to change prefs to insecure authentication because this is frustrating and only is used internally anyways.
That's definitely a "fix" but I wouldn't recommend it: that's a pretty lazy approach to security.
Also note that this issue is from over a year ago and 10 versions of the JSS have been released since. It's possible this fix is no longer what works?
Hi all, thanks for the feedback. We just moved jss_helper into the JSSImporter GitHub org and over the coming weeks we will update the code to make it work with the recent versions of python-jss (same with Spruce and JSSRecipeCreator).
@grahampugh thanks for your work on this. Let me know if you need help testing! I use this tool a ton
@krispayne yeah I understand that. This was just me being frustrated with not finding a way to fix it and I do have SSL certs on my server, but it's also not exposed beyond our network so I felt reasonably ok with using no verify for the time being. Once this updates, I'll move back to SSL. Sorry if I was being glib.
Hi all, can you try 2.1.0b1? Note that you should already have JSSImporter set up, because this new version relies on the latest python-jss which is installed by JSSImporter.
@grahampugh installed this and installed release jssimporter and it said it required python-jss 2.0.1, so I installed current jssimporter beta release and I'm still getting a bad connection. I'll update my config file to make sure that username/password combo are correct and give you an update shortly.
Followed documentation to use complex no special character password and issues persist. Verified that username and password were correct and works with Autopkgr and JSSImporter1.0.0 on separate machine. Anything I should be looking at?
Hi @PaperFixie, OK let's try and diagnose. Can you verify that you are getting this exact error:
requests.exceptions.SSLError: HTTPSConnectionPool(host='my.jss.com', port=8443): Max retries exceeded with url: /JSSResource/packages (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert handshake failure')],)",),))
If it's something even slightly different (other than the host name :) ), please post it.
I switched the default of jss_helper so that SSL is on by default, so `--ssl` does nothing anymore. `--nossl` turns SSL off. You could see if that works, to verify your credentials (if non-SSL will work with your repo, that is!).
Second: just to ensure you are using the correct python-jss, try to remove any old pip-installed version of python-jss with the command: `pip uninstall python-jss`.
@PaperFixie are we OK to close this? From our interaction in Slack, it appeared that your errors were down to using a non-standard python installation which did not include the Foundation module.
Go ahead and close it for sure thanks!
On Sat, Sep 21, 2019, 9:41 AM Graham Pugh notifications@github.com wrote:
> @PaperFixie https://github.com/PaperFixie are we OK to close this? From our interaction in Slack, it appeared that your errors were down to using a non-standard python installation which did not include the Foundation module.
Ever since upgrading my JSS to 10.5, jss_helper has stopped working :-(
I'm happy to help debug/remediate, but I've looked through the code for jss_helper and can't seem to find where I can tell it to accept the updated TLS version. JSSImporter is working fine on the same machine, so I'm assuming I have an updated version of python-jss.