LDAPSocketOpenError - EOF occurred in violation of protocol (_ssl.c:777) #469

Closed
j-c-1253 opened this issue Jan 11, 2018 · 8 comments

@j-c-1253

I have a simple connection to an LDAP server over port 636.

```
conn = Connection(host, port=636, use_ssl=True)
```

And I receive the following error:

ldap3.core.exceptions.LDAPSocketOpenError: (LDAPSocketOpenError('socket ssl wrapping error: EOF occurred in violation of protocol (_ssl.c:777)',),)

I know the server settings are fine because I debugged and confirmed connection manually using: `openssl s_client -connect ldap.server.address.com:636`

I know the certs are in place because this works!

I need some assistance... I can't find any substantial information on this error. I see EOF and I'm assuming End of File?? If so, which file?

FYI, I'm running python3+ldap3 in a docker container.

@cannatag
Owner

Are you on a Mac? This seems to be an issue with the OpenSSL library. The EOF message is not referring to a file on your file system but to the SSL socket that is seen as a stream (file) by the Operating System.

@j-c-1253
Author

Yes I am on a Mac.

I tested the application on a physical machine and it works. My application is a Flask app and when I run it outside of the container there is no problem, with no changes to code. So, the app works outside of the Docker container. At this point I'm still researching and feel that the problem is related to some Docker config.

@cannatag
Owner

cannatag commented Jan 12, 2018 via email

@j-c-1253
Author

j-c-1253 commented Jan 16, 2018

That's a good observation... gonna look at OS OpenSSL and Docker SSL. Here is the Dockerfile...

```dockerfile
FROM alpine:latest AS template

RUN apk add --update \
		python3 \
		python3-dev \
		gcc \
		openssl \
		openssl-dev \
		musl \
		musl-dev \
		musl-utils \
		libffi-dev \
		ca-certificates \
		libressl2.6-libcrypto \
		py3-gevent \
		xmlsec \
	&& pip3 install \
		flask \
		gunicorn \
		requests \
		ldap3 \
		pysaml2

COPY ./application /app

WORKDIR /app/src

ENV FLASK_APP=app.py

CMD ["flask", "run", "--host=0.0.0.0"]
```

@j-c-1253
Author

I confirmed that Mac and Docker are running OpenSSL 1.0.2n. Thank you for looking at this issue.

@j-c-1253
Author

j-c-1253 commented Jan 23, 2018

hey cannatag... I worked on this issue and confirmed that:

```
ldap3.core.exceptions.LDAPSocketOpenError: (LDAPSocketOpenError('socket ssl wrapping error: EOF occurred in violation of protocol (_ssl.c:777)',),)
```

is directly related to the fact that I am using the latest alpine linux image. Now I must admit that the specific error is not solved but at least it is a start.

To replicate: (This produces the error)

```dockerfile
FROM alpine:latest

COPY ./src /app

WORKDIR /app

RUN apk add --update python3 && pip3 install flask ldap3

ENV FLASK_APP=app.py

CMD ["flask", "run", "--host=0.0.0.0"]
```

Flask Code

```python
import ldap3
from ldap3 import Server, Connection, ALL
from flask import Flask

app = Flask(__name__)


@app.route('/')
def ldapTest():
    print("//////////////////////")
    # LDAPS on port 636: the TLS handshake happens when the socket is opened
    s = Server("ldaps.servername.com", port=636, use_ssl=True, get_info=ALL)
    # auto_bind=True opens the connection and binds in the constructor
    c = Connection(s, user="uid=user, ou=person, dc=servername, dc=com",
                   password="pass1234", auto_bind=True, raise_exceptions=True)
    print(c)
    print("//////////////////////")
    return "it works!"
```

If you change `FROM alpine:latest` ----> to `FROM alpine:3.4`... it works.
So, by experimentation, alpine 3.5 and 3.6 don't work either. There's some compatibility issue with the latest Alpine Linux versions.

@cannatag
Owner

Hi, I've tested in my lab with the latest Alpine on a Windows 10 machine (with MobyLinux) and the "it works" message appears.

Will try to run it on a Mac next week.
Bye,
Giovanni

@aba-hollerer

We are experiencing the exact same issue:

| OS | Python | OpenSSL | `python3 -c "import ssl;print(ssl.OPENSSL_VERSION)"` |
|---|---|---|---|
| gentoo | 3.10.5 | 1.1.1q | 1.1.1q |
| ubuntu2204 | 3.10.4 | 3.0.2 | 3.0.2 |

Reproduce like:

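```python
import ssl
import ldap3

server = ldap3.Server("ldapserver.tld", use_ssl=True)
# Connection must be referenced through the ldap3 module, since only the module is imported
conn = ldap3.Connection(server, user="me", password="secure")
conn.bind()
```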

This results in:

```
>>> conn.bind()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.10/site-packages/ldap3/core/connection.py", line 589, in bind
    self.open(read_server_info=False)
  File "/usr/lib/python3.10/site-packages/ldap3/strategy/sync.py", line 57, in open
    BaseStrategy.open(self, reset_usage, read_server_info)
  File "/usr/lib/python3.10/site-packages/ldap3/strategy/base.py", line 146, in open
    raise exception_history[0][0]
ldap3.core.exceptions.LDAPSocketOpenError: ("('socket ssl wrapping error: EOF occurred in violation of protocol (_ssl.c:1001)',)",)
```

Unfortunately, setting tls in the Server explicitly to `version = ssl.PROTOCOL_TLSv1[_2]` did not do anything noticeable.
Also, as stated in the 1st post, `openssl s_client -connect ldapserver.tld:636` returned something.

Never mind. The trick was to use ldap3.Tls and specify ciphers = "AES256-SHA256" (or whatever cipher pops up with the openssl command).
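
An added example, not part of the original thread or of ldap3's own code: a stdlib-only check of whether the local Python/OpenSSL build enables the cipher that `openssl s_client` reports for the server, followed by the `ldap3.Tls(ciphers=...)` workaround from the comment above with certificate validation switched on. The function names and the `host` argument are illustrative assumptions; `AES256-SHA256` is the cipher quoted in the thread.

```python
import ssl


def enabled_ciphers(cipher_string=None):
    """Cipher suite names a default client context enables, optionally after
    applying an OpenSSL cipher string (the value ldap3.Tls takes as `ciphers`)."""
    ctx = ssl.create_default_context()      # certificate and hostname checks on
    if cipher_string is not None:
        ctx.set_ciphers(cipher_string)      # ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def check_server_cipher(server_cipher):
    """Report whether this Python/OpenSSL build can offer `server_cipher`,
    and whether it already does so without an explicit cipher string."""
    in_default = server_cipher in enabled_ciphers()
    try:
        pinned = enabled_ciphers(server_cipher)
    except ssl.SSLError:
        pinned = []                         # name unknown to, or disabled in, this build
    # TLS 1.3 suites are not selected through the cipher string, so a name
    # that is only in the default list still counts as supported.
    supported = in_default or server_cipher in pinned
    return {"cipher": server_cipher, "supported": supported,
            "in_default": in_default}


def ldaps_server(host, server_cipher):
    """Build an ldap3 Server restricted to `server_cipher`, validating the
    server certificate. ldap3 is imported lazily so the checks above run
    without it installed. `host` is a placeholder for your LDAPS server."""
    import ldap3
    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED, ciphers=server_cipher)
    return ldap3.Server(host, port=636, use_ssl=True, tls=tls)


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    # "AES256-SHA256" is the cipher named in the comment above; substitute the
    # "Cipher" value that openssl s_client reports for your own server.
    print(check_server_cipher("AES256-SHA256"))
```

If `supported` is true but `in_default` is false, the client never offers the only suite the server accepts unless a cipher string is set. `AES256-SHA256` uses RSA key exchange without forward secrecy, so updating the server's suite list is the better long-term fix where that is possible.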
