tlsv1 alert protocol version on 1.7.1 and 1.7.2 but not on 1.7.0

[benjixx]

Similar to #949 I'm discovering issues with latest versions of docker-py running against docker 1.10.2 instance. I'm using docker.utils.kwargs_from_env(assert_hostname=False). Things work fine with version 1.7.0.

Docker client is initialized via

client = docker.Client(
    version='auto',
    **docker.utils.kwargs_from_env(assert_hostname=False))

with docker environment variables being set to the following (via docker-machine)

DOCKER_HOST=tcp://192.168.156.137:2376
DOCKER_MACHINE_NAME=dev2
DOCKER_TLS_VERIFY=1
DOCKER_CERT_PATH=/Users/benjixx/.docker/machine/machines/dev2

docker-py 1.7.1 and 1.7.2 now raise the following exception:

DockerException: Error while fetching server API version: [Errno 1] _ssl.c:507: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

Any idea what's happening here?

[shin-]

What happens if you unset DOCKER_TLS_VERIFY?

[benjixx]

@shin- Just tested again with docker-py 1.7.2 and unset DOCKER_TLS_VERIFY, so that docker environment variables were:

DOCKER_HOST=tcp://192.168.156.137:2376
DOCKER_MACHINE_NAME=dev2
DOCKER_CERT_PATH=/Users/benjixx/.docker/machine/machines/dev2

But, I'm still seeing the same exception:

DockerException: Error while fetching server API version: [Errno 1] _ssl.c:507: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

[thieman]

I can confirm I'm seeing the same pattern on one of the two Macs I'm running this on currently. Not sure what difference might matter, but the one exhibiting the broken behavior is on 10.10 and the newer docker-py versions are working on my box with 10.11.

[benjixx]

I'm running latest Mac OS X 10.11.3 and have the problem, so I doubt it's directly related to the OS version.

[shin-]

Could you run the following code snippet to help pinpoint the issue, and post the output here?

import docker
import ssl

protocols = [
    'PROTOCOL_SSLv23', 'PROTOCOL_TLSv1', 'PROTOCOL_TLSv1_1', 'PROTOCOL_TLSv1_2'
]

kwargs = docker.utils.kwargs_from_env(assert_hostname=False)
client = docker.Client(**kwargs)
tls_config = kwargs['tls']

for proto in protocols:
    if not hasattr(ssl, proto):
        print('Protocol {0} not found in SSL protocol list'.format(proto))
    tls_config.ssl_version = getattr(ssl, proto)
    tls_config.configure_client(client)
    try:
        client.version()
        print('Successful connection with protocol {0}'.format(proto))
    except Exception as e:
        print('Connection error with protocol {0}: "{1}"'.format(proto, e))

[benjixx]

@shin- Here's the requested output:

/Users/benjixx/src/goodplay/.tox/py27-ansible20/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:315: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/Users/benjixx/src/goodplay/.tox/py27-ansible20/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
Connection error with protocol PROTOCOL_SSLv23: "[Errno 1] _ssl.c:507: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version"
/Users/benjixx/src/goodplay/.tox/py27-ansible20/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
Successful connection with protocol PROTOCOL_TLSv1
Protocol PROTOCOL_TLSv1_1 not found in SSL protocol list
Traceback (most recent call last):
  File "dockersnippet.py", line 15, in <module>
    tls_config.ssl_version = getattr(ssl, proto)
AttributeError: 'module' object has no attribute 'PROTOCOL_TLSv1_1'

[thieman]

Seeing the same thing on my box exhibiting the problem

/private/var/root/venv/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:315: SNIMissingWarning: An HTTPS request has been made, but the SNI (Subject Name Indication) extension to TLS is not available on this platform. This may cause the server to present an incorrect TLS certificate, which can cause validation failures. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#snimissingwarning.
  SNIMissingWarning
/private/var/root/venv/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
Connection error with protocol PROTOCOL_SSLv23: "[Errno 1] _ssl.c:507: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version"
/private/var/root/venv/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
Connection error with protocol PROTOCOL_TLSv1: "[Errno 1] _ssl.c:507: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
Protocol PROTOCOL_TLSv1_1 not found in SSL protocol list
Traceback (most recent call last):
  File "<stdin>", line 4, in <module>
AttributeError: 'module' object has no attribute 'PROTOCOL_TLSv1_1'

Might be a slight error in the script, on my box which works fine with the newer docker-py versions I get the following:

Connection error with protocol PROTOCOL_SSLv23: "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)"
Connection error with protocol PROTOCOL_TLSv1: "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)"
Connection error with protocol PROTOCOL_TLSv1_1: "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)"
Connection error with protocol PROTOCOL_TLSv1_2: "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:581)"

[thieman]

FWIW this is the code I run normally to get a client, this client works fine on my good box with 1.7.1+

def get_docker_client():
    """Ripped off and slightly modified based on docker-py's
    kwargs_from_env utility function."""
    env = get_docker_env() # this populates based off docker-machine env
    host, cert_path, tls_verify = env['DOCKER_HOST'], env['DOCKER_CERT_PATH'], env['DOCKER_TLS_VERIFY']

    params = {'base_url': host.replace('tcp://', 'https://'),
              'timeout': None,
              'version': 'auto'}
    if tls_verify and cert_path:
        params['tls'] = docker.tls.TLSConfig(
            client_cert=(os.path.join(cert_path, 'cert.pem'),
                         os.path.join(cert_path, 'key.pem')),
            ca_cert=os.path.join(cert_path, 'ca.pem'),
            verify=True,
            ssl_version=None,
            assert_hostname=False)
    return docker.Client(**params)

[thieman]

Trying to dump any info which might be relevant: my working box is using Python 2.7.9, non-working box is on 2.7.6. I think there were big changes to the SSL module in 2.7.9?

[benjixx]

My non-working box is running Python 2.7.6 as well. This should be the default Python version running on latest official Mac OS X, so would be great to have it working there as well.

[thieman]

I realize nobody's said anything to the contrary yet but I agree, requiring 2.7.9+ would be a huge inconvenience. Hopefully we can restore functionality for 2.7.0+.

[shin-]

Hmm, that's interesting. Python doc says PROTOCOL_SSLv23 selects the highest protocol supported by both server and client, but it seems to be causing issues for you.

Connection error with protocol PROTOCOL_SSLv23: "[Errno 1] _ssl.c:507: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version"

PROTOCOL_TLSv1 seems to work fine however.

[benjixx]

BTW, looking at the commit log of the Python ssl module for Python 2.7.x it seems the module attribute PROTOCOL_TLSv1_1 and PROTOCOL_TLSv1_2 have been introduced at least after version 2.7.6 (according to the commit date).

[shin-]

A workaround for now would be to call kwargs_from_env with ssl_version=ssl.PROTOCOL_TLSv1 set.

[thieman]

I can try that tomorrow and let you know if it works

[shin-]

That'd be great. If you can give #971 a spin as well and tell me how it behaves for you , that's even better. 👍 thanks!

[tatsushid]

Hi, I had an issue with docker-compose originated in the problem discussed here and tried the fix #971. It works, thanks!

[benjixx]

@shin- Bugfix PR #971 is working fine for me. Thanks for getting this fixed so quickly.

So, is going to land in PyPI together with release 1.8.0 in mid of March? Or are you still considering this for an earlier 1.7.3 release?

[thieman]

I can confirm that both the ssl_version=ssl.PROTOCOL_TLSv1 workaround and #971 work for me.

This is a major regression, right, if we think it's broken all versions < 2.7.9? What are the reasons to not get the fix out as 1.7.3?

[shin-]

The issue can be worked around by passing an explicit ssl_version, so I don't think it calls for a patch version, especially considering 1.8.0 isn't too far out.

[adamdecaf]

What would be the steps to build and use the master branch for this fix? I'm currently unable to use docker-compose because of this.

[benjixx]

@adamdecaf You should be able to install master branch via pip like so:

pip install git+https://github.com/docker/docker-py.git@master#egg=docker-py

[adamdecaf]

@benjixx I'm not seeing that having done anything to have docker-compose see the updated version.

Do you know of a timeline for docker-py and docker-compose releases fixes for this change?

adam@Planet-X -- ~:  pip install git+https://github.com/docker/docker-py.git@master#egg=docker-py
Requirement already satisfied (use --upgrade to upgrade): docker-py from git+https://github.com/docker/docker-py.git@master#egg=docker-py in /usr/local/lib/python2.7/site-packages
Requirement already satisfied (use --upgrade to upgrade): requests>=2.5.2 in /usr/local/lib/python2.7/site-packages (from docker-py)
Requirement already satisfied (use --upgrade to upgrade): six>=1.4.0 in /usr/local/lib/python2.7/site-packages (from docker-py)
Requirement already satisfied (use --upgrade to upgrade): websocket-client>=0.32.0 in /usr/local/lib/python2.7/site-packages (from docker-py)

adam@Planet-X -- ~:  pip install --upgrade git+https://github.com/docker/docker-py.git@master#egg=docker-py
Collecting docker-py from git+https://github.com/docker/docker-py.git@master#egg=docker-py
  Cloning https://github.com/docker/docker-py.git (to master) to /private/var/folders/g2/6ccx3pj11rzcwwbwyqzs8n8w0000gn/T/pip-build-csDu5t/docker-py
Collecting requests>=2.5.2 (from docker-py)
  Using cached requests-2.9.1-py2.py3-none-any.whl
Collecting six>=1.4.0 (from docker-py)
  Downloading six-1.10.0-py2.py3-none-any.whl
Requirement already up-to-date: websocket-client>=0.32.0 in /usr/local/lib/python2.7/site-packages (from docker-py)
Installing collected packages: requests, six, docker-py
  Found existing installation: requests 2.7.0
    Uninstalling requests-2.7.0:
      Successfully uninstalled requests-2.7.0
  Found existing installation: six 1.9.0
    Uninstalling six-1.9.0:
      Successfully uninstalled six-1.9.0
  Found existing installation: docker-py 1.8.0.dev0
    Uninstalling docker-py-1.8.0.dev0:
      Successfully uninstalled docker-py-1.8.0.dev0
  Running setup.py install for docker-py ... done
Successfully installed docker-py-1.8.0.dev0 requests-2.9.1 six-1.10.0

adam@Planet-X -- ~:  pip show docker-py
---
Metadata-Version: 1.1
Name: docker-py
Version: 1.8.0.dev0
Summary: Python client for Docker.
Home-page: https://github.com/docker/docker-py/
Author: UNKNOWN
Author-email: UNKNOWN
License: UNKNOWN
Location: /usr/local/lib/python2.7/site-packages
Requires: requests, six, websocket-client
Classifiers:
  Development Status :: 4 - Beta
  Environment :: Other Environment
  Intended Audience :: Developers
  Operating System :: OS Independent
  Programming Language :: Python
  Programming Language :: Python :: 2.6
  Programming Language :: Python :: 2.7
  Programming Language :: Python :: 3.3
  Programming Language :: Python :: 3.4
  Topic :: Utilities
  License :: OSI Approved :: Apache Software License

adam@Planet-X -- ~:  docker-compose version
docker-compose version 1.6.2, build unknown
docker-py version: 1.7.2
CPython version: 2.7.5
OpenSSL version: OpenSSL 0.9.8zg 14 July 2015

adam@Planet-X -- ~:  big ps
         run  docker-compose -f /Users/adam/src/banno/big/current-compose.yml ps from "./src/banno/big"
/Library/Python/2.7/site-packages/requests-2.7.0-py2.7.egg/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
ERROR: SSL error: [Errno 1] _ssl.c:504: error:1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version
/Users/adam/src/banno/big/lib/big_helper.rb:9:in `run!': 'docker-compose -f /Users/adam/src/banno/big/current-compose.yml ps' failed with exit code: pid 40596 exit 1 (RuntimeError)
    from /Users/adam/src/banno/big/lib/big_helper.rb:153:in `block in docker_compose'
    from /usr/local/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/actions.rb:184:in `block in inside'
    from /usr/local/Cellar/ruby/2.3.0/lib/ruby/2.3.0/fileutils.rb:128:in `chdir'
    from /usr/local/Cellar/ruby/2.3.0/lib/ruby/2.3.0/fileutils.rb:128:in `cd'
    from /usr/local/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/actions.rb:184:in `inside'
    from /Users/adam/src/banno/big/lib/big_helper.rb:148:in `docker_compose'
    from /Users/adam/bin/big:208:in `ps'
    from /usr/local/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/command.rb:27:in `run'
    from /usr/local/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/invocation.rb:126:in `invoke_command'
    from /usr/local/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor.rb:359:in `dispatch'
    from /usr/local/lib/ruby/gems/2.3.0/gems/thor-0.19.1/lib/thor/base.rb:440:in `start'
    from /Users/adam/bin/big:329:in `<main>'

[benjixx]

@adamdecaf Could it be that docker-compose is installed in a separate environment? I can see different paths in your provided output: /Library/Python/2.7/site-packages and /usr/local/lib/python2.7/site-packages. Probably you have installed docker-compose via another method.

I would suggest you try to create a new Python virtualenv together with the latest docker-compose and docker-py@master, and give this a try.

[adamdecaf]

@benjixx An upgrade of the underlying python version (from an upgrade to 10.11) seems to have fixed the issue. I'm on python 2.7.10 now

[thieman]

Does anyone know whether the latest binary released by Compose works on pre-2.7.9 systems?

[tatsushid]

It may be a little different environment from @thieman mentioned but I tested the #971 patch with Python 2.7.5 on MacOS 10.9.5. I'm using docker-compose installed by Homebrew so I manually applied the patch to /usr/local/opt/docker-compose/libexec/vendor/lib/python2.7/site-packages/docker/tls.py. It works.