jssimporter / jss_helper

jss_helper is deprecated.
GNU General Public License v3.0

Needs an update to work with JamfPro 10.5+ (TLS version changes) #23

Closed krispayne closed 4 years ago

krispayne commented 6 years ago

Ever since upgrading my JSS to 10.5, jss_helper has stopped working :-(

```
Warning: Import of FoundationPlist failed: No module named Foundation
See README for information on this issue.
Traceback (most recent call last):
  File "/usr/local/bin/jss_helper", line 107, in <module>
    main()
  File "/usr/local/bin/jss_helper", line 100, in main
    args.func(args)
  File "/usr/local/bin/jss_helper_lib/actions.py", line 541, in promote
    all_packages = jss_connection.Package()
  File "/usr/local/lib/python2.7/site-packages/jss/jamf_software_server.py", line 726, in Package
    return self.factory.get_object(jssobjects.Package, data)
  File "/usr/local/lib/python2.7/site-packages/jss/jamf_software_server.py", line 875, in get_object
    return self.get_list(obj_class, data, subset)
  File "/usr/local/lib/python2.7/site-packages/jss/jamf_software_server.py", line 901, in get_list
    result = self.jss.get(url)
  File "/usr/local/lib/python2.7/site-packages/jss/jamf_software_server.py", line 200, in get
    response = self.session.get(request_url)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 525, in get
    return self.request('GET', url, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 512, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 622, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 511, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='my.jss.com', port=8443): Max retries exceeded with url: /JSSResource/packages (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert handshake failure')],)",),))
netboot_server:~ autopkg$
```

I'm happy to help debug/remediate, but I've looked through the code for jss_helper and can't seem to find where I can tell it to accept the updated TLS version. JSSImporter is working fine on the same machine, so I'm assuming I have an updated version of python-jss.

danengh commented 6 years ago

I was able to get this to work by editing the ssl_version in the tlsadapter.py located in /Library/Python/2.7/site-packages/jss/tlsadapter.py.

old: ssl_version=ssl.PROTOCOL_TLSv1

new: ssl_version=ssl.PROTOCOL_TLSv1_2

Verified that autopkg/JSSImporter still functions as expected. Did not test any others that might also use the python-jss.

krispayne commented 6 years ago

Can test later this afternoon.

krispayne commented 6 years ago

I updated that line and I still get SSL errors:

```
[user@server]$ jss_helper promote
Warning: Import of FoundationPlist failed: No module named Foundation
See README for information on this issue.
Traceback (most recent call last):
  File "/usr/local/bin/jss_helper", line 107, in <module>
    main()
  File "/usr/local/bin/jss_helper", line 100, in main
    args.func(args)
  File "/usr/local/bin/jss_helper_lib/actions.py", line 541, in promote
    all_packages = jss_connection.Package()
  File "/usr/local/lib/python2.7/site-packages/jss/jamf_software_server.py", line 726, in Package
    return self.factory.get_object(jssobjects.Package, data)
  File "/usr/local/lib/python2.7/site-packages/jss/jamf_software_server.py", line 875, in get_object
    return self.get_list(obj_class, data, subset)
  File "/usr/local/lib/python2.7/site-packages/jss/jamf_software_server.py", line 901, in get_list
    result = self.jss.get(url)
  File "/usr/local/lib/python2.7/site-packages/jss/jamf_software_server.py", line 200, in get
    response = self.session.get(request_url)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 525, in get
    return self.request('GET', url, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 512, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 622, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 511, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='my.jss.com, port=8443): Max retries exceeded with url: /JSSResource/packages (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert handshake failure')],)",),))
[user@server]$
```

krispayne commented 6 years ago

I updated in /usr/local/lib/python2.7/site-packages/jss and am now cooking with gas again.

fwiw:

```
locate tlsadapter.py
/Library/Application Support/JSSImporter/jss/tlsadapter.py
/Library/Python/2.7/site-packages/jss/tlsadapter.py
/Library/Python/2.7/site-packages/jss/tlsadapter.pyc
/usr/local/lib/python2.7/site-packages/jss/tlsadapter.py
/usr/local/lib/python2.7/site-packages/jss/tlsadapter.pyc
```

PinkShellos commented 5 years ago

@krispayne I'm getting this issue as well, do you update the line ssl_version=ssl.PROTOCOL_TLSv1_2 in all of those files or just tlsadapter.py in /usr/local/?

danengh commented 5 years ago

You will probably need to find and update all of them unless you know specifically which tlsadapter.py is being used. It doesn't hurt to update them all though.
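
Added example (not part of the thread, and not python-jss or jss_helper code): a stdlib-only audit that finds every `tlsadapter.py` copy under the given roots and reports which `ssl.PROTOCOL_*` constant each one pins, skipping commented-out lines and flagging empty copies. The function names, verdict labels and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# The keyword argument quoted in the thread: ssl_version=ssl.PROTOCOL_TLSv1
PIN_RE = re.compile(r"ssl_version\s*=\s*ssl\.(PROTOCOL_\w+)")
# Constants that pin the client below TLS 1.2; anything else is reported "ok".
LEGACY = {"PROTOCOL_SSLv2", "PROTOCOL_SSLv3", "PROTOCOL_TLSv1", "PROTOCOL_TLSv1_1"}


def audit_tls_pins(roots, filename="tlsadapter.py"):
    """Return (path, line_no, constant, verdict) for each copy under `roots`."""
    findings = []
    for root in roots:
        for path in sorted(p for p in Path(root).rglob(filename) if p.is_file()):
            hits = []
            text = path.read_text(encoding="utf-8", errors="replace")
            for line_no, line in enumerate(text.splitlines(), start=1):
                code = line.split("#", 1)[0]  # ignore commented-out old pins
                for const in PIN_RE.findall(code):
                    hits.append((str(path), line_no, const,
                                 "legacy" if const in LEGACY else "ok"))
            # An empty or unrelated copy: editing it changes nothing.
            findings.extend(hits or [(str(path), None, None, "no-pin")])
    return findings


def demo():
    """Constructed tree with the three kinds of copy discussed in the thread."""
    samples = {
        "Library/Application Support/JSSImporter/jss": "",
        "Library/Python/2.7/site-packages/jss":
            "# ssl_version=ssl.PROTOCOL_TLSv1\nssl_version=ssl.PROTOCOL_TLSv1_2\n",
        "usr/local/lib/python2.7/site-packages/jss": "ssl_version=ssl.PROTOCOL_TLSv1\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            Path(tmp, rel).mkdir(parents=True)
            Path(tmp, rel, "tlsadapter.py").write_text(body)
        return [(Path(p).relative_to(tmp).as_posix(), n, c, v)
                for p, n, c, v in audit_tls_pins([tmp])]


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point `audit_tls_pins` at the real install roots, such as the directories printed by `locate tlsadapter.py`. The scan only reads source text, so it runs under Python 3 even when the audited files belong to a Python 2.7 install.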

PinkShellos commented 5 years ago

Looks like those other instances don't exist and the pyc version is incomprehensible.

krispayne commented 5 years ago

pyc would be compiled

update your locate DB (sudo /usr/libexec/locate.updatedb) and run locate tlsadapter.py to see all versions

PinkShellos commented 5 years ago

The one that I found in /Library/Application Support/ is empty. Could I have accidentally created that when I was doing a vim command to find/edit that file, or do I do a single line in there?

PinkShellos commented 5 years ago

Ah, looks like python-jss' code doesn't have anything in that file. I'm just going to change prefs to insecure authentication because this is frustrating and only is used internally anyways.

krispayne commented 5 years ago

That's definitely a "fix" but I wouldn't recommend it: that's a pretty lazy approach to security.

Also note that this issue is from over a year ago and 10 versions of the JSS have been released since. It's possible this fix is no longer what works?

grahampugh commented 5 years ago

Hi all, thanks for the feedback. We just moved jss_helper into the JSSImporter GitHub org and over the coming weeks we will update the code to make it work with the recent versions of python-jss (same with Spruce and JSSRecipeCreator).

krispayne commented 5 years ago

@grahampugh thanks for your work on this. Let me know if you need help testing! I use this tool a ton

PinkShellos commented 5 years ago

@krispayne yeah I understand that. This was just me being frustrated with not finding a way to fix it and I do have SSL certs on my server, but it's also not exposed beyond our network so I felt reasonably ok with using no verify for the time being. Once this updates, I'll move back to SSL. Sorry if I was being glib.

grahampugh commented 5 years ago

Hi all, can you try 2.1.0b1? Note that you should already have JSSImporter set up, because this new version relies on the latest python-jss which is installed by JSSImporter.

PinkShellos commented 4 years ago

@grahampugh installed this and installed release jssimporter and it said it required python-jss 2.0.1, so I installed current jssimporter beta release and I'm still getting a bad connection. I'll update my config file to make sure that username/password combo are correct and give you an update shortly.

PinkShellos commented 4 years ago

Followed documentation to use complex no special character password and issues persist. Verified that username and password were correct and works with Autopkgr and JSSImporter1.0.0 on separate machine. Anything I should be looking at?

grahampugh commented 4 years ago

Hi @PaperFixie, OK let's try and diagnose. Can you verify that you are getting this exact error:

requests.exceptions.SSLError: HTTPSConnectionPool(host='my.jss.com', port=8443): Max retries exceeded with url: /JSSResource/packages (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_read_bytes', 'sslv3 alert handshake failure')],)",),))

If it's something even slightly different (other than the host name :) ), please post it.

I switched the default of jss_helper so that SSL is on by default, so --ssl does nothing anymore. --nossl turns SSL off. You could see if that works, to verify your credentials (if non-SSL will work with your repo, that is!).

Second: just to ensure you are using the correct python-jss, try to remove any old pip-installed version of python-jss with the command: pip uninstall python-jss.

grahampugh commented 4 years ago

@PaperFixie are we OK to close this? From our interaction in Slack, it appeared that your errors were down to using a non-standard python installation which did not include the Foundation module.

PinkShellos commented 4 years ago

Go ahead and close it for sure thanks!

On Sat, Sep 21, 2019, 9:41 AM Graham Pugh notifications@github.com wrote:

> @PaperFixie https://github.com/PaperFixie are we OK to close this? From our interaction in Slack, it appeared that your errors were down to using a non-standard python installation which did not include the Foundation module.