unistra / python-glpi-api

Python module for interacting with GLPI using the API.
GNU General Public License v3.0

TLSv1.3 issue #13

Closed trizzosk closed 1 year ago

trizzosk commented 1 year ago

hello,

If the target GLPI sits on a web server where only TLSv1.3 is allowed, you will get an error when calling connect:

[SSLError: ("bad handshake: Error([('SSL routines', 'SSL23_GET_SERVER_HELLO', 'sslv3 alert handshake failure')],)",)](https://stackoverflow.com/questions/43969408/requests-exceptions-sslerror-bad-handshake-errorssl-routines-ssl23-ge)

Apache, which is the web server for the GLPI, is configured (/etc/apache2/sites-enabled/ssl.conf in my case) as:

<VirtualHost xxxxxx:443>
...
...
    SSLProxyProtocol    +TLSv1.2
    SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2

</VirtualHost>

Resolution: Downgrading the server to TLSv1.2 solves the issue temporarily for me.

This is probably caused by either the requests library or a combination of the python, requests, urllib and openssl libs.

fmenabe commented 1 year ago

You're right, TLS v1.3 is only supported since the release of OpenSSL 1.1.1 (cf OpenSSL wiki).

Both the client and the server need to be based on this minimal version of the library (if either one is based on an older version, it will not work).

trizzosk commented 1 year ago

Hi, so if I use the script on a host which does have openssl >1.1.1 installed, is it supposed to function?

fmenabe commented 1 year ago

cf pyOpenSSL and cryptography installation pages.

This seems more complicated than that. From the cryptography documentation:

Cryptography ships statically-linked wheels for macOS, Windows,
and Linux (via manylinux and musllinux). This allows compatible 
environments to use the most recent OpenSSL, regardless of what
is shipped by default on those platforms.

If you have installed through pip (with Python>=3.6), using wheels (the default), I would suppose you should have a valid version whatever the system you use. If installed through the package manager of your system, and your system supports OpenSSL >= 1.1.1, I would expect the package to be compatible too (it would be coherent but it really depends on how the package has been built).

From the pyOpenSSL documentation, you can see the versions of pyOpenSSL, cryptography, and the linked OpenSSL by running python -m OpenSSL.debug

Also remember that the server also needs to be compatible. From what I remember, I tested it with Nginx on CentOS7 which did not have a valid OpenSSL version (1.1.0; I would expect Nginx to be built against the system version). So you should also ensure your server supports it.

I also see this Stackoverflow post, which says that Python 3.10 increased the security by default and prohibits some ciphers, so it could also be something else ...
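A small diagnostic, added here as an example and not part of the python-glpi-api project, that performs the checks discussed in this thread from the client side with only the standard library `ssl` module: it reports the OpenSSL version Python is linked against and whether that build has TLS 1.3, it attempts a handshake that refuses anything below TLS 1.3 against a host you supply (the `host` argument and the loopback address used for the offline self-check are assumptions, not values from the issue), and it maps the OpenSSL alert text seen in the original report to the likely cause. Note that it inspects the `ssl` module's OpenSSL, which can differ from the OpenSSL bundled in the `cryptography` wheel that pyOpenSSL uses; `python -m OpenSSL.debug`, mentioned above, covers that second stack.

```python
"""Client-side TLS 1.3 readiness check (added example, not project code)."""
import socket
import ssl


def tls13_capability():
    """Report what the Python/OpenSSL stack of this interpreter can do.

    ssl.HAS_TLSv1_3 is the authoritative flag: it is True only when the
    linked OpenSSL (1.1.1 or later) was built with TLS 1.3 enabled.
    """
    return {
        "openssl_version": ssl.OPENSSL_VERSION,
        "openssl_version_info": ssl.OPENSSL_VERSION_INFO[:3],
        "has_tls13": ssl.HAS_TLSv1_3,
    }


# Substrings of OpenSSL error text and the condition they usually indicate.
# The first entry matches the alert quoted in the issue
# ("sslv3 alert handshake failure" from SSL23_GET_SERVER_HELLO, an
# OpenSSL 1.0.x routine name, i.e. a pre-TLS 1.3 client library).
_HINTS = (
    ("handshake failure",
     "no protocol version or cipher suite in common; a TLS 1.3-only server "
     "with a client linked against OpenSSL older than 1.1.1 fails this way"),
    ("unsupported protocol",
     "the client's and server's allowed protocol ranges do not overlap"),
    ("wrong version number",
     "the peer did not speak TLS on that port (plain HTTP or a proxy?)"),
    ("certificate verify failed",
     "certificate chain or hostname problem, not a protocol-version problem"),
)


def classify_handshake_error(message):
    """Return a human-readable hint for an ssl.SSLError message."""
    lowered = message.lower()
    for needle, hint in _HINTS:
        if needle in lowered:
            return hint
    return "unclassified TLS error: " + message


def probe_tls13(host, port=443, timeout=5.0):
    """Try a handshake that only offers TLS 1.3 to the given server.

    Returns a dict with ok=True and the negotiated version/cipher, or
    ok=False with the error text and a hint about the likely cause.
    """
    if not ssl.HAS_TLSv1_3:
        return {"ok": False,
                "error": "local OpenSSL has no TLS 1.3 support",
                "hint": "upgrade Python/OpenSSL (or the cryptography wheel) "
                        "to a build linked against OpenSSL >= 1.1.1"}
    ctx = ssl.create_default_context()
    # Refuse to fall back: this mirrors a server configured with
    # "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2" from the client side.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True,
                        "version": tls.version(),
                        "cipher": tls.cipher()[0]}
    except ssl.SSLError as exc:  # must precede OSError: SSLError subclasses it
        return {"ok": False, "error": str(exc),
                "hint": classify_handshake_error(str(exc))}
    except OSError as exc:
        return {"ok": False, "error": str(exc),
                "hint": "network-level failure before any TLS handshake"}


if __name__ == "__main__":
    import sys
    print(tls13_capability())
    if len(sys.argv) > 1:  # e.g. python tls13_check.py glpi.example.org
        print(probe_tls13(sys.argv[1]))
```

Run it on the machine where `glpi.connect` fails and on the GLPI host itself; if `has_tls13` is False on the client, the fix is the client's OpenSSL (or the wheel bundling it), and if it is True but the probe still reports a handshake failure, look at the server's `SSLProtocol` and cipher configuration instead.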