
Openssl-version dont have X25519 #903

Closed
kennedyshead opened this issue Jan 24, 2019 · 18 comments

Comments

@kennedyshead

kennedyshead commented Jan 24, 2019

Home Assistant release with the issue:

0.86.0b3

Operating environment (HassOS/Generic):

Docker raspberrypi3-homeassistant

Supervisor logs:

2019-01-23 16:07:24 ERROR (MainThread) [homeassistant.setup] Error during setup of component asuswrt
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/homeassistant/setup.py", line 145, in _async_setup_component
    hass, processed_config)
  File "/usr/local/lib/python3.6/site-packages/homeassistant/components/asuswrt.py", line 61, in async_setup
    await api.connection.async_connect()
  File "/usr/local/lib/python3.6/site-packages/aioasuswrt/connection.py", line 66, in async_connect
    self._client = await asyncssh.connect(self._host, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/misc.py", line 182, in __await__
    return (yield from self._coro)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/connection.py", line 5454, in connect
    conn, _ = yield from create_connection(None, host, port, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/connection.py", line 5110, in create_connection
    yield from auth_waiter
  File "/usr/local/lib/python3.6/site-packages/asyncssh/connection.py", line 627, in data_received
    while self._inpbuf and self._recv_handler():
  File "/usr/local/lib/python3.6/site-packages/asyncssh/connection.py", line 847, in _recv_packet
    processed = handler.process_packet(pkttype, seq, packet)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/packet.py", line 215, in process_packet
    self._packet_handlers[pkttype](self, pkttype, pktid, packet)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/connection.py", line 1414, in _process_kexinit
    self._kex = get_kex(self, kex_alg)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/kex.py", line 122, in get_kex
    return handler(alg, conn, hash_alg, *args)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/kex_ecdh.py", line 47, in __init__
    self._priv = ecdh_class(*args)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/crypto/curve25519.py", line 31, in __init__
    self._priv_key = x25519.X25519PrivateKey.generate()
  File "/usr/local/lib/python3.6/site-packages/cryptography/hazmat/primitives/asymmetric/x25519.py", line 39, in generate
    _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM
cryptography.exceptions.UnsupportedAlgorithm: X25519 is not supported by this version of OpenSSL.

Description of problem:
There seems to be a problem with the openssl version.
home-assistant/core#20361

@bereska

bereska commented Jan 25, 2019

0.86.1 does not support X25519, either

@Jc2k
Member

Jc2k commented Jan 26, 2019

Hi - this is happening for homekit_controller as well. I've dug into it a bit there. I didn't catch the problem because i use the home-assistant/home-assistant Docker image, not the HASS.io ones.

Ultimately cryptography==2.3.1 installed correctly as preferred by upstream SHOULD have X25519 support. It works on Mac, it works on Raspbian (on an original Raspberry Pi), it works on Debian, it works on Ubuntu. And all versions after 2.0.0 (released 2017-07-17) support it, if installed from wheels (which is obviously the problem).

Full run through - sorry if it's teaching anyone to suck eggs.

  • On Debian, Ubuntu and Raspbian, it would by default install a manylinux1 wheel version of cryptography that has a modern version of openssl baked in. This will be a version that the cryptography team has tested with that particular release. All the features are available in that case. Obviously this does not work on Alpine because of musl.

  • On Ubuntu 18.04 and Debian Stretch or similar, if for some reason an sdist of cryptography was used it would also still work. This is because both of those releases have a modern version of OpenSSL.

  • Alpine 3.8 has an old version of OpenSSL and no support for the wheels provided by the Python community. So we are unlucky on 2 different fronts. This means features get turned off. So even though the right version of cryptography is installed, it still doesn't work. Note that this version of OpenSSL actually goes out of support later this year, as it happens.

Unfortunately even if this code was exercised in CI, CI is Ubuntu based so we can't catch errors like this before they bite an actual release.

Cryptography recommend that you use the wheel wherever possible as it means they are able to ship a secure (and functional) implementation to you in a timely fashion, but this is obviously not possible on Alpine (musl libc versus glibc means no upstream provided wheels).

This particular example of the issue will go away by itself when HASS.io starts to use Alpine 3.9 (which is about to be released 'soon'). At that point cryptography will be compiled against openssl 1.1.1. However the underlying disconnect between cryptography on Ubuntu/Debian/Raspbian vs cryptography on Alpine will remain and will likely bite in the future in other ways.

I will happily put together a PR to build cryptography as documented by upstream in the Docker images if this is useful/desired and someone can point me at the right Dockerfiles.
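The point in the comment above that bites people is that there are two different OpenSSLs in play: the one the Python interpreter was linked against (what `ssl.OPENSSL_VERSION` reports) and the one the `cryptography` package actually calls, which is a bundled copy when a manylinux wheel was installed and the system library when it was built from an sdist (as on Alpine). The script below is an added example, not code from Home Assistant or from the cryptography project; it prints both versions side by side and runs the same `X25519PrivateKey.generate()` call that fails in the tracebacks, so the runtime answer is authoritative rather than inferred from a version string. It assumes only the public cryptography API (`default_backend().openssl_version_text()`, `UnsupportedAlgorithm`) and degrades to a stdlib-only report if cryptography is not installed; the version strings in the tests are constructed samples.

```python
"""Report which OpenSSL `cryptography` is really linked against and whether
it can do X25519.  Added diagnostic example (not project code)."""
import re
import ssl

# X25519 first appeared in OpenSSL 1.1.0; 1.0.2 (Alpine 3.8's library) lacks it.
_MIN_X25519 = (1, 1, 0)


def parse_openssl_version(text):
    """Turn 'OpenSSL 1.0.2q  20 Nov 2018' into (1, 0, 2); None if not OpenSSL."""
    m = re.search(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def openssl_supports_x25519(version_text):
    """Heuristic from the version string only.  True/False for OpenSSL,
    None for anything else (LibreSSL, BoringSSL) where the rule differs.
    Use probe_cryptography() for the real answer."""
    v = parse_openssl_version(version_text)
    if v is None:
        return None
    return v >= _MIN_X25519


def probe_cryptography():
    """Compare the interpreter's OpenSSL with cryptography's, then try X25519."""
    report = {
        "python_ssl_openssl": ssl.OPENSSL_VERSION,   # what `import ssl` links to
        "cryptography_installed": False,
        "cryptography_openssl": None,                # what the wheel/sdist links to
        "same_library": None,
        "x25519_works": None,
    }
    try:
        from cryptography.exceptions import UnsupportedAlgorithm
        from cryptography.hazmat.backends import default_backend
        from cryptography.hazmat.primitives.asymmetric import x25519
    except ImportError:
        return report  # stdlib-only report; nothing more to say

    backend = default_backend()
    report["cryptography_installed"] = True
    report["cryptography_openssl"] = backend.openssl_version_text()
    # A manylinux wheel carries its own OpenSSL, so these two often differ.
    report["same_library"] = (
        report["cryptography_openssl"] == report["python_ssl_openssl"]
    )
    # Same call that raised UnsupportedAlgorithm in the issue's tracebacks.
    try:
        x25519.X25519PrivateKey.generate()
        report["x25519_works"] = True
    except UnsupportedAlgorithm:
        report["x25519_works"] = False
    return report


if __name__ == "__main__":
    for key, value in probe_cryptography().items():
        print(f"{key:>24}: {value}")
```

If `cryptography_openssl` reports 1.0.2 while `python_ssl_openssl` reports something newer (or the other way round), the interpreter and the package are not sharing a library, which is exactly the wheel-versus-sdist split described above; `x25519_works: False` with a 1.0.2 string is the Alpine 3.8 situation from the tracebacks.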

@craigcarps

craigcarps commented Jan 28, 2019

Hass.IO 86.3 with ASUSWRT doesn't work with SSH or Telnet, hopefully gets resolved in 86.4

Telnet Error Logging:
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/homeassistant/setup.py", line 145, in _async_setup_component
    hass, processed_config)
  File "/usr/local/lib/python3.6/site-packages/homeassistant/components/asuswrt.py", line 61, in async_setup
    await api.connection.async_connect()
  File "/usr/local/lib/python3.6/site-packages/aioasuswrt/connection.py", line 113, in async_connect
    await self._reader.readuntil(b'login: ')
  File "/usr/local/lib/python3.6/asyncio/streams.py", line 578, in readuntil
    raise IncompleteReadError(chunk, None)
asyncio.streams.IncompleteReadError: 458 bytes read on a total of None expected bytes

@liquid667

Still not solved with hassio 86.4

2019-01-31 21:27:26 ERROR (MainThread) [homeassistant.setup] Error during setup of component asuswrt
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/homeassistant/setup.py", line 145, in _async_setup_component
    hass, processed_config)
  File "/usr/local/lib/python3.6/site-packages/homeassistant/components/asuswrt.py", line 61, in async_setup
    await api.connection.async_connect()
  File "/usr/local/lib/python3.6/site-packages/aioasuswrt/connection.py", line 66, in async_connect
    self._client = await asyncssh.connect(self._host, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/misc.py", line 182, in __await__
    return (yield from self._coro)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/connection.py", line 5454, in connect
    conn, _ = yield from create_connection(None, host, port, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/connection.py", line 5110, in create_connection
    yield from auth_waiter
  File "/usr/local/lib/python3.6/site-packages/asyncssh/connection.py", line 627, in data_received
    while self._inpbuf and self._recv_handler():
  File "/usr/local/lib/python3.6/site-packages/asyncssh/connection.py", line 847, in _recv_packet
    processed = handler.process_packet(pkttype, seq, packet)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/packet.py", line 215, in process_packet
    self._packet_handlers[pkttype](self, pkttype, pktid, packet)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/connection.py", line 1414, in _process_kexinit
    self._kex = get_kex(self, kex_alg)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/kex.py", line 122, in get_kex
    return handler(alg, conn, hash_alg, *args)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/kex_ecdh.py", line 47, in __init__
    self._priv = ecdh_class(*args)
  File "/usr/local/lib/python3.6/site-packages/asyncssh/crypto/curve25519.py", line 31, in __init__
    self._priv_key = x25519.X25519PrivateKey.generate()
  File "/usr/local/lib/python3.6/site-packages/cryptography/hazmat/primitives/asymmetric/x25519.py", line 39, in generate
    _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM
cryptography.exceptions.UnsupportedAlgorithm: X25519 is not supported by this version of OpenSSL.

@arsaboo

arsaboo commented Jan 31, 2019

Should be fixed in next release

@lamboid

lamboid commented Feb 1, 2019

go go go please

@mxwlsavard

Will this be fixed for HomeKit Controller as well? Sorry for asking, I just sat down at my PC to report this issue with the HomeKit controller when I found this issue. Thanks! 😄

@furiaceka87

any news about this issue?

@kennedyshead
Author

Will this be fixed for HomeKit Controller as well? Sorry for asking, I just sat down at my PC to report this issue with the HomeKit controller when I found this issue. Thanks! 😄

Yes, it will get solved for both platforms with this.

@Gunth

Gunth commented Feb 7, 2019

I still have this issue for HomeKit Controller with the new release 87.0

@quarcko

quarcko commented Feb 7, 2019

For me it is strange: homekit_controller is working fine up to 0.86.4,
but after installing 0.87 - boom, OpenSSL version is bad.
Reverted back to 0.86.4 - working again.

@bereska

bereska commented Feb 7, 2019

I'm happy to confirm that asuswrt now works in 0.87.0

@Jc2k
Member

Jc2k commented Feb 7, 2019

The version of OpenSSL in hass.io has always been "bad", it's just that more and more Python code in the wild is starting to expect OpenSSL to be up to date.

For the asuswrt people there was a workaround to avoid using HASS.io OpenSSL at all for X25519. This means that one of the libraries is pinned at an old version - so currently blocked from security updates. The underlying problem is still there, just hidden. Hopefully HASS.io will use Alpine 3.9 before we have to choose between fixing a security bug and letting asuswrt work for HASS.io users 😱

There's no easy workaround for homekit_controller other than to not use HASS.io or to wait for it to upgrade to Alpine 3.9. (The non-hass.io Docker instructions should work, as should the venv instructions).

@niemyjski

niemyjski commented Feb 8, 2019

I'm also seeing this with the homekit_controller in hassio 0.87.0

2019-02-07 18:11:38 ERROR (MainThread) [homeassistant.core] Error doing job: Future exception was never retrieved
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/concurrent/futures/thread.py", line 56, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.6/site-packages/homeassistant/components/homekit_controller/__init__.py", line 362, in discovery_dispatch
    device = HKDevice(hass, host, port, model, hkid, config_num, config)
  File "/usr/local/lib/python3.6/site-packages/homeassistant/components/homekit_controller/__init__.py", line 98, in __init__
    self.accessory_setup()
  File "/usr/local/lib/python3.6/site-packages/homeassistant/components/homekit_controller/__init__.py", line 112, in accessory_setup
    data = self.pairing.list_accessories_and_characteristics()
  File "/usr/local/lib/python3.6/site-packages/homekit/controller.py", line 272, in list_accessories_and_characteristics
    self.session = Session(self.pairing_data)
  File "/usr/local/lib/python3.6/site-packages/homekit/controller.py", line 604, in __init__
    c2a_key, a2c_key = get_session_keys(conn, pairing_data)
  File "/usr/local/lib/python3.6/site-packages/homekit/protocol/__init__.py", line 247, in get_session_keys
    ios_key = x25519.X25519PrivateKey.generate()
  File "/usr/local/lib/python3.6/site-packages/cryptography/hazmat/primitives/asymmetric/x25519.py", line 39, in generate
    _Reasons.UNSUPPORTED_EXCHANGE_ALGORITHM
cryptography.exceptions.UnsupportedAlgorithm: X25519 is not supported by this version of OpenSSL.

@Snoemannen

This just happened to me as well for homekit_controller when I upgraded hassio (running in docker on an ubuntu server) from 0.86.4 to 0.87.0 last night.

Would it be possible to just roll back to 0.86.4 until this has been fixed?

@quarcko

quarcko commented Feb 9, 2019 via email

@niemyjski

Are there any updates for this? I'd love to get this working.

@Jc2k
Member

Jc2k commented Feb 21, 2019

I think this issue can be closed now - see #914.

@kennedyshead interest.

@pvizeli pvizeli closed this as completed Feb 21, 2019