No cipher option #211
Comments
Hello, I've hit this issue too (with Nautobot/NAPALM in a Python 3.10 Alpine container). Some resources if that's useful:

As a workaround, it is possible to patch pyeapi to force the ciphers used:

```python
def patch_pyeapi_ciphers():
    """
    Patch pyeapi to set ssl context ciphers, because Python sets defaults that might be too high,
    see https://github.com/python/cpython/blob/3.10/Modules/_ssl.c#L158

        python -c 'import ssl; print(ssl._DEFAULT_CIPHERS)'
        @SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM
    """
    try:
        import pyeapi.eapilib
    except ImportError:
        return

    connect_orig = pyeapi.eapilib.HttpsConnection.connect

    def connect(self):
        # Relax the cipher list before the original connect() runs the TLS handshake
        self._context.set_ciphers('DEFAULT@SECLEVEL=2')
        return connect_orig(self)

    pyeapi.eapilib.HttpsConnection.connect = connect


patch_pyeapi_ciphers()
```

If you're using client certificate auth, another function probably needs to be patched as well. To test:

```python
import pyeapi

conn = pyeapi.connect(host='my_ip', transport='https')
conn.execute(['show version'])
```
To leave a trace somewhere: on the Arista side you can tweak the SSL/TLS profile to set proper TLS settings. It might depend on the version you are running, though; at least it's working on 4.25+.
@lodpp These don't appear to exist by default. Was there something you had to do to generate them? |
@bswinnerton I generated them with these commands; choose a validity period and common name that make sense for you.
I like @RyanFalkenberg-OICR's EOS method.
There is a way to specify a cipher for pyeapi, though it's an undocumented one. I covered it when resolving issue #222. It's similar to what @u1735067 proposed in his pyeapi patch: specify the cipher as soon as you get a client connection. Here's how one can set the cipher:

That said, providing a user-level option to specify the cipher seems a reasonable request. I'll close this one and file an enhancement to provide a user option for the cipher.
EOS uses deprecated ciphers by default and we can't specify the ciphers to use (with `ssl.create_default_context().set_ciphers('DHE-RSA-AES256-SHA')`), so it's impossible to connect from a system that removes deprecated ciphers by default.

Running a simple `urllib.request.Request` without the cipher option from ssl returns the same error; by specifying the ciphers it works. Without an ssl context, urllib can't connect to the Arista box at all; by specifying one, it's only a matter of the self-signed certificate.
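To make the failure in this issue concrete, here is an added example (not pyeapi's code and not any commenter's) that uses the standard `ssl` module to expand two OpenSSL cipher strings and intersect them. The Python 3.10 default string and the `DHE-RSA-AES256-SHA` suite come from the thread; `PYTHON_DEFAULT`, `LEGACY_DEVICE` and the function names are this example's own, and `LEGACY_DEVICE` is a constructed stand-in for a device that only offers that one suite.

```python
import ssl

# Python 3.10's compiled-in default cipher string, as quoted in the thread.
PYTHON_DEFAULT = (
    "@SECLEVEL=2:ECDH+AESGCM:ECDH+CHACHA20:ECDH+AES:DHE+AES:"
    "!aNULL:!eNULL:!aDSS:!SHA1:!AESCCM"
)

# Constructed stand-in: a device that only offers the legacy suite from the issue.
LEGACY_DEVICE = "DHE-RSA-AES256-SHA"


def expand_ciphers(spec: str) -> set[str]:
    """Return the TLS <= 1.2 cipher names OpenSSL enables for a cipher string.

    TLS 1.3 suites are dropped because set_ciphers() does not govern them.
    A string that matches nothing makes set_ciphers() raise ssl.SSLError;
    that is reported as the empty set.
    """
    ctx = ssl.create_default_context()
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return set()
    return {c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def common_ciphers(client_spec: str, server_spec: str) -> set[str]:
    """Suites both sides accept; an empty set means no TLS 1.2 handshake can succeed."""
    return expand_ciphers(client_spec) & expand_ciphers(server_spec)


def pinned_context(spec: str) -> ssl.SSLContext:
    """Client context whose cipher list is set explicitly instead of left at Python's default.

    Certificate verification stays enabled; the cipher list is the only thing changed.
    """
    ctx = ssl.create_default_context()
    ctx.set_ciphers(spec)
    return ctx


if __name__ == "__main__":
    print("default client vs legacy device:",
          sorted(common_ciphers(PYTHON_DEFAULT, LEGACY_DEVICE)) or "none")
    print("relaxed client vs legacy device:",
          sorted(common_ciphers("DEFAULT@SECLEVEL=2", LEGACY_DEVICE)) or "none")
    print("relaxed context enables",
          len(pinned_context("DEFAULT@SECLEVEL=2").get_ciphers()), "suites")
```

The `!SHA1` term in the default string removes every HMAC-SHA1 suite, which is why the intersection with the device's `DHE-RSA-AES256-SHA` is empty and the handshake fails; relaxing the client list (the approach of the patch earlier in the thread) restores an overlap, while tightening the device's SSL profile (as suggested for EOS 4.25+) fixes it on the other side without weakening the client.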