ome / omero-py

Python project containing Ice remoting code for OMERO
https://www.openmicroscopy.org/omero
GNU General Public License v2.0

Cope with MinProtocol = TLSv1.2 #250

Closed mtbc closed 4 years ago

mtbc commented 4 years ago

https://docs.openmicroscopy.org/omero/5.6.2/sysadmins/unix/server-debian10-ice36.html needs to tweak /etc/ssl/openssl.cnf and some experimentation suggests that remains true even with this installed. I wonder if some adjustment to this could make it work around out-of-the-box tighter OpenSSL configuration.

manics commented 4 years ago

Can you paste a copy of the relevant parts of /etc/ssl/openssl.cnf here for reference?

mtbc commented 4 years ago
# MinProtocol = TLSv1.2
MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=2

(I commented out the 1.2 and applied the 1.0. I had also tried commenting out the cipher string but it didn't seem to help.)

mtbc commented 4 years ago

In case it matters, this is with OpenSSL 1.1.1d.

manics commented 4 years ago

https://github.com/ome/omero-certificates/blob/00fbf7c410fb3bd0b5f2b85baeb051c7d10adc2f/omero_certificates/certificates.py#L41

If you set omero.glacier2.IceSSL.Protocols TLS1_2 does the default openssl.cnf work? If so I think we could change that default.

manics commented 4 years ago

If that doesn't work could you also try setting omero.glacier2.IceSSL.ProtocolVersionMin TLS1_2?

mtbc commented 4 years ago

I still get "no protocols available" with,

omero.glacier2.IceSSL.ProtocolVersionMax=TLS1_2
omero.glacier2.IceSSL.ProtocolVersionMin=TLS1_2
omero.glacier2.IceSSL.Protocols=TLS1_2

manics commented 4 years ago

Next thing to try is to add the *.Trace.* properties from https://github.com/ome/openmicroscopy/pull/5927#issuecomment-452028143 in the client and see if anything insightful appears.

manics commented 4 years ago

See Slack discussion with @jburel. This might be purely a client side issue that doesn't require changes here. Can you try setting IceSSL.Protocols=TLS1_2 in your client?

mtbc commented 4 years ago

Aha, interesting. Is there an environment variable or command-line option I should be passing to omero login or somesuch?

jburel commented 4 years ago

After adjusting clients.py I can now connect; the problem is the IceSSL.Protocols.

import omero

# Connect to the local Glacier2 router over SSL, forcing TLS 1.2
# (the default "tls1" is rejected by an OpenSSL with MinProtocol = TLSv1.2).
c = omero.client(args=[
    '--Ice.Default.Router=OMERO.Glacier2/router:ssl -p 4064 -h localhost',
    '--IceSSL.VerifyPeer=0',
    '--IceSSL.UsePlatformCAs=1',
    '--IceSSL.Trace.Security=1',   # log the handshake for debugging
    '--IceSSL.Ciphers=ALL',
    '--IceSSL.CheckCertName=1',
    '--IceSSL.Protocols=TLS1_2'
])

should allow you to connect
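The argument list above hardcodes TLS1_2. As an added example (not omero-py code and not part of this thread), the helper below derives the IceSSL.Protocols value from the system openssl.cnf instead: it parses the active MinProtocol line, ignoring commented-out ones as in the snippet pasted earlier, and emits every version at or above it as the comma-separated list manics proposes later in the thread. It assumes the IceSSL tokens TLS1_0, TLS1_1 and TLS1_2 (the ones used in this issue) and the OpenSSL spellings TLSv1/TLSv1.0, TLSv1.1 and TLSv1.2; the client argument list is modelled on jburel's but turns peer verification on, since VerifyPeer=0 is only appropriate for debugging.

```python
import re

# Constructed mapping, not omero-py code: OpenSSL MinProtocol spellings on
# the left, IceSSL.Protocols tokens on the right, ordered oldest to newest.
# TLS 1.3 is deliberately absent because the tokens here are the ones the
# Ice 3.6 client configuration in this issue uses.
_VERSIONS = [
    (("TLSv1", "TLSv1.0"), "TLS1_0"),
    (("TLSv1.1",), "TLS1_1"),
    (("TLSv1.2",), "TLS1_2"),
]


def parse_min_protocol(openssl_cnf_text):
    """Return the active MinProtocol value from openssl.cnf text, or None.

    Lines commented out with '#' are ignored (so '# MinProtocol = TLSv1.2'
    followed by 'MinProtocol = TLSv1.0' yields TLSv1.0); when the key
    appears more than once the last active assignment wins.
    """
    value = None
    for raw in openssl_cnf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"MinProtocol\s*=\s*(\S+)", line)
        if match:
            value = match.group(1)
    return value


def icessl_protocols_for(min_protocol):
    """Comma-separated IceSSL.Protocols list of every version at or above
    min_protocol. None (no MinProtocol line) allows all three; a minimum the
    token table does not reach (e.g. TLSv1.3, or an unknown spelling) yields
    '' so the caller fails loudly instead of handing IceSSL an empty set.
    """
    if min_protocol is None:
        return ",".join(token for _, token in _VERSIONS)
    allowed = []
    reached_minimum = False
    for aliases, token in _VERSIONS:
        if min_protocol in aliases:
            reached_minimum = True
        if reached_minimum:
            allowed.append(token)
    return ",".join(allowed)


def client_args(host, port, min_protocol, verify_peer=True):
    """Build an omero.client argument list, modelled on the one in this
    thread, with IceSSL.Protocols derived from the OpenSSL policy.
    Peer verification is on by default here (VerifyPeer=1 validates the
    server certificate); pass verify_peer=False only for debugging.
    """
    protocols = icessl_protocols_for(min_protocol)
    if not protocols:
        raise ValueError(
            "no IceSSL protocol token satisfies MinProtocol=%s" % min_protocol)
    return [
        "--Ice.Default.Router=OMERO.Glacier2/router:ssl -p %d -h %s"
        % (port, host),
        "--IceSSL.VerifyPeer=%d" % (1 if verify_peer else 0),
        "--IceSSL.UsePlatformCAs=1",
        "--IceSSL.CheckCertName=1",
        "--IceSSL.Protocols=%s" % protocols,
    ]


if __name__ == "__main__":
    # Constructed openssl.cnf fragments: the first mirrors the one pasted in
    # this issue, the second is the stricter Debian-style default.
    samples = [
        "# MinProtocol = TLSv1.2\nMinProtocol = TLSv1.0\n"
        "CipherString = DEFAULT@SECLEVEL=2\n",
        "MinProtocol = TLSv1.2\nCipherString = DEFAULT@SECLEVEL=2\n",
    ]
    for cnf in samples:
        print(client_args("localhost", 4064, parse_min_protocol(cnf)))
```

Pass the returned list as `omero.client(args=...)`; with the stricter second sample the client is limited to TLS1_2, with the relaxed first sample it may negotiate any of the three versions, which is the behaviour manics asks about below.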

mtbc commented 4 years ago

Ha yes, I can log in just fine if I do,

diff --git a/src/omero/clients.py b/src/omero/clients.py
index d0b97a3d..bce3b522 100755
--- a/src/omero/clients.py
+++ b/src/omero/clients.py
@@ -243,7 +243,7 @@ class BaseClient(object):

         self._optSetProp(id, "IceSSL.VerifyDepthMax", "6")
         self._optSetProp(id, "IceSSL.VerifyPeer", "0")
-        self._optSetProp(id, "IceSSL.Protocols", "tls1")
+        self._optSetProp(id, "IceSSL.Protocols", "TLS1_2")

         # Setting block size
         self._optSetProp(
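Review bot: replacing "tls1" (TLS 1.0 only) with "TLS1_2" is what makes the client work against an OpenSSL configured with MinProtocol = TLSv1.2, but it also pins every client to exactly one version, so a server still limited to TLS 1.0 or 1.1 becomes unreachable from this client. A default that lists the versions the client is willing to use, e.g. `self._optSetProp(id, "IceSSL.Protocols", "TLS1_0,TLS1_1,TLS1_2")`, would let IceSSL negotiate the highest one both sides support. If `_optSetProp` only applies when the property is unset, as the name suggests, a note in the changelog that deployments already setting IceSSL.Protocols keep their own value would avoid surprises.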

Perhaps move this issue to https://github.com/ome/omero-py?

jburel commented 4 years ago

I will open a PR later on

manics commented 4 years ago

One more thing, can you see if TLS1_0,TLS1_1,TLS1_2 also works? That includes the current protocol, but hopefully the client will just use whichever one(s) it supports

jburel commented 4 years ago

I am planning to test that option

jburel commented 4 years ago

see https://github.com/ome/omero-py/pull/251