Closed mtbc closed 4 years ago
Can you paste a copy of the relevant parts of `/etc/ssl/openssl.cnf` here for reference?
```
# MinProtocol = TLSv1.2
MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=2
```
(I commented out the 1.2 and applied the 1.0. I had also tried commenting out the cipher string but it didn't seem to help.)
In case it matters, this is with OpenSSL 1.1.1d.
If you set `omero.glacier2.IceSSL.Protocols TLS1_2`, does the default `openssl.cnf` work? If so I think we could change that default.
If that doesn't work could you also try setting `omero.glacier2.IceSSL.ProtocolVersionMin TLS1_2`?
I still get "no protocols available" with:

```
omero.glacier2.IceSSL.ProtocolVersionMax=TLS1_2
omero.glacier2.IceSSL.ProtocolVersionMin=TLS1_2
omero.glacier2.IceSSL.Protocols=TLS1_2
```
Next thing to try is to add the `*.Trace.*` properties from https://github.com/ome/openmicroscopy/pull/5927#issuecomment-452028143 in the client and see if anything insightful appears.
See Slack discussion with @jburel. This might be purely a client side issue that doesn't require changes here. Can you try setting `IceSSL.Protocols=TLS1_2` in your client?
Aha, interesting. Is there an environment variable or command-line option I should be passing to `omero login` or somesuch?
After adjusting `clients.py` I can now connect; the problem is the `IceSSL.Protocols` setting.
```python
import omero

# Build a client with the Ice/IceSSL properties passed as command-line style arguments.
c = omero.client(args=[
    '--Ice.Default.Router=OMERO.Glacier2/router:ssl -p 4064 -h localhost',
    '--IceSSL.VerifyPeer=0',
    '--IceSSL.UsePlatformCAs=1',
    '--IceSSL.Trace.Security=1',
    '--IceSSL.Ciphers=ALL',
    '--IceSSL.CheckCertName=1',
    '--IceSSL.Protocols=TLS1_2'
])
```
should allow you to connect
Ha yes, I can log in just fine if I do,
diff --git a/src/omero/clients.py b/src/omero/clients.py
index d0b97a3d..bce3b522 100755
--- a/src/omero/clients.py
+++ b/src/omero/clients.py
@@ -243,7 +243,7 @@ class BaseClient(object):
self._optSetProp(id, "IceSSL.VerifyDepthMax", "6")
self._optSetProp(id, "IceSSL.VerifyPeer", "0")
- self._optSetProp(id, "IceSSL.Protocols", "tls1")
+ self._optSetProp(id, "IceSSL.Protocols", "TLS1_2")
# Setting block size
self._optSetProp(
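Review bot: the `+` line pins the client to a single protocol, `"TLS1_2"`, so a client built with this file cannot talk to a server that only offers TLS 1.0/1.1; since `_optSetProp` looks like an "only set if unset" default, consider setting a list such as `TLS1_0,TLS1_1,TLS1_2` (as suggested later in the thread) and let negotiation pick the highest version both sides accept, or document in the method's comment why TLS 1.2 alone is intended. Either way the change of default deserves a release-note entry, since existing deployments that rely on the old `"tls1"` value will stop connecting.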
Perhaps move this issue to https://github.com/ome/omero-py?
I will open a PR later on
One more thing, can you see if `TLS1_0,TLS1_1,TLS1_2` also works? That includes the current protocol, but hopefully the client will just use whichever one(s) it supports.
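To make the "no protocols available" failure concrete, here is an added example (not code from this thread, from OMERO or from Ice) that models the interaction discussed above: the versions a client requests through `IceSSL.Protocols` are intersected with the floor set by `MinProtocol` in `openssl.cnf`, and an empty intersection is exactly the error mtbc saw. The function names, the `[system_default_sect]` sample config text and the assumption that Ice treats `tls1` as an alias for TLS 1.0 (the old value in `clients.py`) are mine; it also handles the comma-separated list asked about in the previous comment.

```python
import re

# TLS versions in IceSSL's naming, oldest first (naming assumed from the TLS1_2 values in the thread).
TLS_ORDER = ["TLS1_0", "TLS1_1", "TLS1_2", "TLS1_3"]

# openssl.cnf MinProtocol spellings mapped onto the names above.
OPENSSL_NAMES = {
    "TLSv1": "TLS1_0",
    "TLSv1.0": "TLS1_0",
    "TLSv1.1": "TLS1_1",
    "TLSv1.2": "TLS1_2",
    "TLSv1.3": "TLS1_3",
}

# Assumption: Ice's bare "tls1" (the old clients.py default) means TLS 1.0.
ICE_ALIASES = {"TLS1": "TLS1_0"}


def openssl_min_protocol(cnf_text):
    """Return the effective MinProtocol from openssl.cnf text, or None if none is active.

    Lines beginning with '#' are comments, so a commented-out
    '# MinProtocol = TLSv1.2' is ignored and the last active setting wins.
    """
    min_proto = None
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"MinProtocol\s*=\s*(\S+)", line)
        if m:
            name = m.group(1)
            min_proto = OPENSSL_NAMES.get(name, name)
    return min_proto


def ice_protocols(value):
    """Parse an IceSSL.Protocols value ('tls1', 'TLS1_0,TLS1_1,TLS1_2', ...) into canonical names."""
    names = []
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        canon = ICE_ALIASES.get(token.upper(), token.upper())
        if canon not in TLS_ORDER:
            raise ValueError("unknown IceSSL protocol name: %s" % token)
        if canon not in names:
            names.append(canon)
    return names


def usable_protocols(ice_value, cnf_text):
    """Versions the client can negotiate: requested via IceSSL.Protocols and not below OpenSSL's MinProtocol."""
    wanted = ice_protocols(ice_value)
    floor = openssl_min_protocol(cnf_text)
    start = 0 if floor is None else TLS_ORDER.index(floor)
    return [p for p in TLS_ORDER[start:] if p in wanted]


def check(ice_value, cnf_text):
    """Return a one-line diagnosis; an empty intersection is the 'no protocols available' case."""
    usable = usable_protocols(ice_value, cnf_text)
    if not usable:
        return "no protocols available (IceSSL.Protocols=%s is below openssl.cnf MinProtocol=%s)" % (
            ice_value, openssl_min_protocol(cnf_text))
    return "ok: " + ",".join(usable)


# Constructed sample inputs: the OpenSSL 1.1.1 system default and the relaxed file from the thread.
DEFAULT_CNF = """
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
"""

RELAXED_CNF = """
[system_default_sect]
# MinProtocol = TLSv1.2
MinProtocol = TLSv1.0
CipherString = DEFAULT@SECLEVEL=2
"""

if __name__ == "__main__":
    cases = [("tls1", DEFAULT_CNF), ("TLS1_2", DEFAULT_CNF),
             ("TLS1_0,TLS1_1,TLS1_2", DEFAULT_CNF), ("tls1", RELAXED_CNF)]
    for ice_value, cnf in cases:
        print("%-22s -> %s" % (ice_value, check(ice_value, cnf)))
```

The list form is the interesting case: against the default `openssl.cnf` it collapses to `TLS1_2` only, so it works without relaxing the system policy, while the old single value `tls1` yields nothing at all.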
I am planning to test that option
https://docs.openmicroscopy.org/omero/5.6.2/sysadmins/unix/server-debian10-ice36.html needs to tweak `/etc/ssl/openssl.cnf`, and some experimentation suggests that remains true even with this installed. I wonder if some adjustment to this could make it work around out-of-the-box tighter OpenSSL configuration.