search

zabbix / python-zabbix-utils

Python library "zabbix-utils"
MIT License
94 stars 11 forks source link

pskwrapper: ssl.SSLError: [SSL: NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:1007) #7

Open BBT-coder opened 7 months ago

BBT-coder commented 7 months ago

Hi,

I have a zabbix 6.4 proxy running in a docker container with this config:

  - TLSACCEPT=psk
  - TLSCONNECT=psk
  - TLSPSKIDENTITY=PSK001
  - TLSPSKFILE=/var/lib/zabbix/enc/psk-file.psk

When testing if I can connect to the proxy using openssl, I use:

openssl s_client -no_tls1_3 -connect 192.168.1.1:10056 -psk_identity 'PSK001' -psk '<my psk>'
Connecting to 192.168.1.1
CONNECTED(00000180)
Can't use SSL_get_servername
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 242 bytes and written 418 bytes
Verification: OK
---
New, TLSv1.0, Cipher is ECDHE-PSK-AES128-CBC-SHA256
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-PSK-AES128-CBC-SHA256
    Session-ID:
    Session-ID-ctx:
    Master-Key: <a master key>
    PSK identity: PSK001
    PSK identity hint: None
    SRP username: None
    Start Time: 1707658392
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

closed

When when I run the psk_wrapper.py (from a Windows 11 machine) I got the error:

File "C:\Python\Python310\lib\ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:1007)
python-BaseException

psk and pskidentity are the same as used in the openssl

Python 3.10.11

pyOpenSSL      23.3.0
sslpsk3             1.1.1
zabbix-utils      1.1.0

When running the psk_wrapper from a Raspberry 4 (Linux 6.1.41-v8+ #1667 SMP PREEMPT Wed Jul 26 17:59:29 BST 2023 aarch64 GNU/Linux) I got the Error: 

ssl.SSLError: [SSL: SSLV3_ALERT_BAD_RECORD_MAC] sslv3 alert bad record mac (_ssl.c:1123)

Is there a way I can configure -no_tls1_3 in the wrapper (not sure if this would fix things)? Any help would be appreciated.

Theo

enzocicarelli commented 5 months ago

Hi,

I have a zabbix 6.4 proxy running in a docker container with this config:

  - TLSACCEPT=psk
  - TLSCONNECT=psk
  - TLSPSKIDENTITY=PSK001
  - TLSPSKFILE=/var/lib/zabbix/enc/psk-file.psk

When testing if I can connect to the proxy using openssl, I use:

openssl s_client -no_tls1_3 -connect 192.168.1.1:10056 -psk_identity 'PSK001' -psk '<my psk>'
Connecting to 192.168.1.1
CONNECTED(00000180)
Can't use SSL_get_servername
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 242 bytes and written 418 bytes
Verification: OK
---
New, TLSv1.0, Cipher is ECDHE-PSK-AES128-CBC-SHA256
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-PSK-AES128-CBC-SHA256
    Session-ID:
    Session-ID-ctx:
    Master-Key: <a master key>
    PSK identity: PSK001
    PSK identity hint: None
    SRP username: None
    Start Time: 1707658392
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

closed

When when I run the psk_wrapper.py (from a Windows 11 machine) I got the error:

File "C:\Python\Python310\lib\ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:1007)
python-BaseException

psk and pskidentity are the same as used in the openssl

Python 3.10.11

pyOpenSSL      23.3.0
sslpsk3             1.1.1
zabbix-utils      1.1.0

When running the psk_wrapper from a Raspberry 4 (Linux 6.1.41-v8+ #1667 SMP PREEMPT Wed Jul 26 17:59:29 BST 2023 aarch64 GNU/Linux) I got the Error:

ssl.SSLError: [SSL: SSLV3_ALERT_BAD_RECORD_MAC] sslv3 alert bad record mac (_ssl.c:1123)

Is there a way I can configure -no_tls1_3 in the wrapper (not sure if this would fix things)? Any help would be appreciated.

Theo

Hi @BBT-coder, I had the same problem with BAD_RECORD_MAC and I was able to fix it by using bytes.fromhex("psk") instead of b"psk", hope it helps you.

BBT-coder commented 5 months ago

Thanks @enzocicarelli,

This did indeed (for Linux) solved my problem.

aiantsen commented 5 months ago

@BBT-coder, thank you for the found issue. We're working on reproducing this problem on Windows.

@enzocicarelli, thank you for the suggested resolution. This has been tested with Linux and will be implemented in the next version.

aiantsen commented 1 month ago

I managed to reproduce the problem on Windows. The problem is reproducible on several versions of Python and all the PSK ciphersuites supported by Zabbix server.

Unfortunately, so far we have not been able to find a solution to this problem. Since the issue is not a part of the library and does not directly affect its code, it is not a blocking issue. We will continue to work on resolving it, but it is not a high priority. Any thoughts, suggestions, or solutions to this problem will be appreciated.

We are also looking forward to the release of Python 3.13, where we expect to see official PSK support in the SSL module. This may allow us to provide examples of working with PSK using the standard Python SSL library.