Closed edmorley closed 3 years ago
@edmorley thanks for a very detailed description of a problem!
@wiktorolko No problem - thank you for the fast fix/release! :-)
Confirmed working with the STR above (but using `keen==0.7.0` instead of `keen==0.6.1`), where the client now returns a `ResourceNotFoundError` as expected (since a made up project ID was used), rather than the previous SSL internal error.
@edmorley Thanks! I took a very long time to find this answer!
Issue Summary
On Ubuntu 20.04, API requests made using the Keen Python client fail with:
This is due to:
`SECLEVEL` was raised from `1` to `2`.
The `internal error` error message is presumably a bug in the Python `ssl` stdlib (I'll report this separately). Other users of OpenSSL (such as curl) will instead display the more helpful error message `no protocols available` if TLS v1.0 is used when the SECLEVEL is 2 or higher.
Steps to Reproduce
Expected: Some error message about invalid project or key, but no SSL error.
Actual:
Emulating the above using curl's `--tls-max 1.0`, in the same Docker container gives:
This is presumably the error message the Python `ssl` stdlib should be returning rather than the internal error (I'll report this upstream separately).
Removing the forced TLS v1.0 (`--tls-max 1.0`) stops the SSL error:
As does lowering the default OpenSSL SECLEVEL back to 1:
The correct fix here is to update the Keen Python client to not force any particular TLS protocol version, and instead let OpenSSL use the default negotiated version. Lowering the SECLEVEL back to `1` would re-enable insecure protocols and ciphers, so is not recommended.
Technical details: