ldap3.core.exceptions.LDAPStartTLSError: wrap socket error: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1123) #925
Comments
hi @sebastian-luna-valero ! the SSL negotiation for ldap3 isn't native to the ldap3 library. it just uses the python ssl libraries, and that's where this error bubbles up from. I suspect that the older version of JupyterHub might not have disabled SSLv3. or it might be on an older system with older openssl or older python.
on every system and show the output? that will key us in to any discrepancies in underlying SSL versions. Beyond that, it's also possible that Jupyter's settings in terms of allowable SSL connections changed across versions, or that the machines themselves have configurations restricting ciphers and causing a negotiation failure. packet captures are a lot of work though, so let's start by just trying to capture the ssl info on each machine using the python shell commands above. if you're skeptical - I have multiple pythons on my laptop because I use pyenv, and here's my output from different pythons
so the system python2 uses openssl, but the system python3 uses Apple's default LibreSSL. the python 3.7 and 3.8 i installed with pyenv use openssl, but the newer 1.1.1i. so there are SSL packages all over the place and it makes a big difference in the handshake
Thanks @zorn96 JupyterHub 0.9.1 ships with:
Output:
JupyterHub 0.11.1 ships with:
Output:
For future reference, here are the commands I used:
Could you infer what the root cause of the problem is according to the above output? Many thanks,
ah yeah, I think I have an idea. so it's not a problem with the ldap3 library. something in the jupyter config is causing SSLv3 to get negotiated (bad cipher suites? old keys/certs? old libraries on the instance hosting it? I can't tell without looking at it, and I'm not a jupyter expert anyway), and the client with newer python is having trouble because SSLv3 cannot be negotiated by default. there's sort of 2 paths here:
Many thanks @zorn96 Let me report back to jupyterhub/ldapauthenticator#194 and see whether they can help. Best regards,
Hi, I just wanted to add that all these JupyterHub deployments have been performed with the same OpenStack Magnum tool so the underlying virtual infrastructure is always the same. Best regards,
Hi again, Sorry, I think it will be most helpful if I paste here the full traceback below:
Does this help? Best regards,
hi @sebastian-luna-valero - this is definitely not an
Thank you very much for your help @zorn96. Before closing the issue, I will try to find a solution and report back.
wanted to add a bit here... Looks like in my case, this is a python 3.10 issue as well. no issues on 3.8 or 3.9, but as soon as I try with 3.10 I get the same error..
Hi @dangelsaurus i spoke to this on a more recent issue as well - python 3.10 changes the minimum openssl version default for python, and the newer openssl deprecated a lot of stuff. So this issue you're seeing is unrelated to the library, and is more of a general python/openssl issue. You could change your python install to use a different system library for ssl, or build your openssl with options to loosen its restrictions to fix this. But that's all external to python itself really
Hi, Can anybody provide a hint on how to change the Python 3.10 code to work with OpenSSL 1.1.1l provided by the Python install? BTW: I only want to establish a secure LDAP connection with a server providing a self-signed certificate. This was working with Python 3.8.9 and LibreSSL 2.8.3. Kind regards, Thorsten
hi @tschloesser! if you want to use older SSL, I believe the way to do it is to create an SSLContext object (ldap3 supports using these) and specify the protocol version to allow for TLS1.0
so you'd do something like
import ssl
context = ssl.SSLContext(protocol=ssl.PROTOCOL_TLS)
(plus any other options you may need around trusted ca paths) and then use that. for info on SSLContext in general, you'll want to look at the python ssl docs.
Hi Azaria,
the server I try to bind to offers TLS version 1.2 - SSL3 or newer are even disabled.
In my code I changed the Tls object like this:
tls = Tls(validate=ssl.CERT_NONE,version=ssl.PROTOCOL_TLSv1_2)
But I can try to go with the context object - but in this case I believe I have to change even more code.
This is what my code looks like and which is working up to Python 3.8.x:
import ssl
import ldap3
from ldap3 import Tls
# server, user and pwd are set earlier in the poster's script (not shown)
# note: validate=ssl.CERT_NONE disables certificate checking, so ca_certs_file is not consulted to verify the server
tls = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1_2, ca_certs_file='/Users/tschloesser/PycharmProjects/pythonProject/CA-cert.b64')
serverURL = ldap3.Server(host=server, port=636, use_ssl=True, tls=tls)
conn = ldap3.Connection(serverURL, user, pwd)
conn.bind()
Kind regards
Thorsten
===========================
Thorsten Schlößer
On 28.01.2022 (week 4) at 09:09, Azaria Zornberg wrote:
hi @tschloesser <https://github.com/tschloesser> ! if you want to use older SSL, I believe the way to do it is to create an SSLContext object (ldap3 supports using these) and specify the protocol version to allow for TLS1.0
so you'd do something like
import ssl
context = ssl.SSLContext(protocol=ssl.PROTOCOL_TLS)
(plus any other options you may need around trusted ca paths) and then use that. for info on SSLContext in general, you'll want to look at the python ssl docs.
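The thread's two practical pieces of advice are to compare the SSL library each Python is linked against across machines (the per-machine "ssl info" @zorn96 asks for) and to control the negotiated protocol range through an ssl.SSLContext rather than the deprecated PROTOCOL_* constants. The following is an added example, not code from this issue or from ldap3: it collects that environment report, builds a client context that keeps certificate validation on and sets an explicit TLS 1.2 floor, and maps the same policy onto the Tls(validate=..., version=..., ca_certs_file=...) call used above, with CERT_NONE replaced by CERT_REQUIRED so the self-signed certificate is trusted by loading it rather than by disabling verification. EXAMPLE_CA_FILE is a constructed placeholder path, and make_ldap3_tls assumes ldap3 is installed.

```python
import ssl
import sys

# Constructed placeholder: point it at the PEM file holding the LDAP server's
# self-signed certificate (or its issuing CA). Not a path from the thread.
EXAMPLE_CA_FILE = "/path/to/ldap-server-ca.pem"


def tls_environment_report():
    """Gather what the thread asks each poster to compare across machines:
    the interpreter version, the SSL library it was linked against (OpenSSL vs
    LibreSSL, and which release), and the protocol range a default client
    context will negotiate."""
    ctx = ssl.create_default_context()
    return {
        "python": sys.version.split()[0],
        "ssl_library": ssl.OPENSSL_VERSION,
        "default_min_version": ctx.minimum_version.name,
        "default_max_version": ctx.maximum_version.name,
    }


def build_ldaps_context(ca_file=None, min_version=ssl.TLSVersion.TLSv1_2):
    """Build an SSLContext for an LDAPS / StartTLS client.

    PROTOCOL_TLS_CLIENT turns on certificate verification and hostname
    checking by default. minimum_version (Python 3.7+) is the supported way
    to set the protocol floor instead of the deprecated per-version
    PROTOCOL_* constants. A private or self-signed server certificate is
    trusted by loading it explicitly, not by switching verification off.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def context_policy(ctx):
    """Summarise a context's negotiation policy as plain values, handy for
    logging next to the environment report when a handshake fails."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def make_ldap3_tls(ca_file):
    """The same policy expressed with the ldap3.Tls parameters used in the
    thread (validate, version, ca_certs_file), with validation switched on.
    ldap3 is imported lazily so the rest of this file runs without it."""
    from ldap3 import Tls  # assumes the ldap3 package is installed
    return Tls(validate=ssl.CERT_REQUIRED,
               version=ssl.PROTOCOL_TLSv1_2,
               ca_certs_file=ca_file)


if __name__ == "__main__":
    for key, value in tls_environment_report().items():
        print(f"{key}: {value}")
    print(context_policy(build_ldaps_context()))
```

Run the script on each machine and compare the ssl_library and default_min_version lines: a client linked against a newer OpenSSL with a TLS 1.2 floor will refuse a server that only offers older protocols or weak ciphers, which matches the handshake failure reported in this issue. Note that ssl.PROTOCOL_TLSv1_2 still works on Python 3.10 but emits a DeprecationWarning; the SSLContext route with minimum_version is the forward-compatible one.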
Hi,
I am indirectly using ldap3 to offer LDAP authentication on a JupyterHub deployment with kubernetes. I am always using the same LDAP server, and I have tested it with the following JupyterHub versions: I found that JupyterHub 0.9.1 with ldap3 version 2.7 works correctly with our LDAP server. However, JupyterHub deployments with ldap3 version 2.8.1 do not work and they throw the following exception:
This issue has been previously reported in:
I am not sure how to help solve this problem, any ideas?
Best regards,
Sebastian