tlsv1 alert protocol version #75
Comments
I believe Vault only accepts TLS 1.2, which is only in pretty recent versions of OpenSSL. Most HTTPS servers are more lenient, but Vault in particular is pretty picky. I actually ran into this issue on Travis CI in the early days of hvac. What version of OpenSSL do you have installed?
@ianunruh looks like I'm running
As a workaround, you can set the allowed TLS versions in Vault's configuration. https://www.vaultproject.io/docs/config/index.html#tls_min_version
Well hvac doesn't do anything special on that layer, we just use requests under the hood. I'm guessing that while you have a modern version of OpenSSL installed, Python isn't using it. I think you can check the version with the following.
@ianunruh, the OpenSSL version I have installed on my laptop is newer than the imported version.
I assume (naively) that the version installed on my laptop will be used rather than the imported version (if I don't explicitly import the ssl package in my script)?
I agree with @invertigo, the best solution is to set that tls_min_version. I'm using tls_min_version = "tls10". There are some workarounds and more discussion here that might help:
I realize this is a beginner question, but how do I restart the Vault server once I add the
Maybe something like
Really ought to get yourself an init script so it can be more like
Just to confirm, adding
Keep in mind that TLS 1.0 does have multiple severe vulnerabilities. It
https://www.kb.cert.org/vuls/id/864643
https://www.globalsign.com/en/blog/poodle-vulnerability-expands-beyond-sslv3-to-tls/
On Mon, Sep 12, 2016 at 12:36 PM, Jesse DeRose notifications@github.com
If the solution suggested above has multiple severe vulnerabilities, shouldn't I make changes to my setup on the hvac client side (not the Vault server side)? Is there no way to tell my hvac client to use TLS v1.2 (if my Vault server is also using TLS v1.2)?
Your HVAC client is not able to use TLS 1.2, or it would have been able to
On Mon, Sep 12, 2016 at 2:26 PM, Jesse DeRose notifications@github.com
On your client, that is.
On Mon, Sep 12, 2016 at 3:10 PM, Alex Gottschalk alex.gottschalk@gmail.com
Thanks, @invertigo. My client's running
Exactly, the Python 2.7 SSL library does an improper job of negotiating the
All I know is setting tls_min_version to tls10 works, maybe try tls12.
On Mon, Sep 12, 2016 at 4:10 PM, Alex Gottschalk notifications@github.com
@TerryHowe I'm using
Ha @jcderose sorry I'm doing a bad job at reading!
I'm trying to implement the workaround described in the SSLAdapter and the SSL library, but I keep getting this error:
@ianunruh is the SSLAdapter the easiest way to force Python to use a newer version of OpenSSL? Or do you suggest another alternative?
@jcderose So, the root of the problem is that your Python was compiled with an older version of OpenSSL that does not support TLS 1.2. Even though you have a newer version of OpenSSL installed on your system, Python will not use it. The "right way" to fix this would be to recompile Python with a newer version of OpenSSL or install a newer version of Python (possibly from a different source). This will vary wildly depending on your OS/distro. What are you running your code on?

Personally, I use OS X El Capitan. For my Python environment I use pyenv (https://github.com/yyuu/pyenv). If you have Homebrew, getting a new version of Python is as easy as the following.
I believe TLS 1.2 support was added in OpenSSL 1.0.1, but you may want to verify that.
Installing (and using)
Open to suggestions on an appropriate way to handle this error... Maybe just catch it and say "upgrade openssl plz" ❓
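Added example, not code from hvac or from anyone in this thread: a stdlib-only check of which OpenSSL the running interpreter was actually linked against (as opposed to the one on the system path, which is the distinction made above), whether that build can offer TLS 1.2, and a client-side `SSLContext` that refuses anything older, so the Vault server can keep its default `tls_min_version` instead of being lowered to `tls10`. The 1.0.1 threshold and the error-message wording are assumptions taken from the discussion, and `minimum_version` requires Python 3.7 or newer.

```python
import ssl

# Thread's (and OpenSSL changelog's) threshold: TLS 1.2 arrived in OpenSSL 1.0.1.
MIN_OPENSSL_FOR_TLS12 = (1, 0, 1)


def openssl_build_info():
    """Describe the OpenSSL this interpreter was built with, not the one on $PATH."""
    return {
        "version_string": ssl.OPENSSL_VERSION,
        "version_tuple": ssl.OPENSSL_VERSION_INFO[:3],
        # HAS_TLSv1_2 exists on 3.7+; older builds at least expose the protocol constant.
        "has_tls12": bool(getattr(ssl, "HAS_TLSv1_2", hasattr(ssl, "PROTOCOL_TLSv1_2"))),
    }


def tls12_available(info=None):
    """True only if the linked OpenSSL is new enough and exposes TLS 1.2."""
    if info is None:
        info = openssl_build_info()
    return info["has_tls12"] and tuple(info["version_tuple"]) >= MIN_OPENSSL_FOR_TLS12


def make_tls12_client_context():
    """Client context that offers TLS 1.2+ only, with a clear error if the build cannot."""
    if not tls12_available():
        raise RuntimeError(
            "Python is linked against %s, which cannot negotiate TLS 1.2; "
            "upgrade Python/OpenSSL (e.g. via pyenv) rather than lowering the "
            "server's tls_min_version" % ssl.OPENSSL_VERSION
        )
    ctx = ssl.create_default_context()          # verifies the server cert and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # never fall back to TLS 1.0/1.1
    return ctx


def explain_handshake_error(exc):
    """Turn the 'tlsv1 alert protocol version' failure into an actionable message."""
    text = str(exc)
    if "protocol version" in text.lower():
        return ("server rejected the TLS version this client offered; "
                "this interpreter is built on %s" % ssl.OPENSSL_VERSION)
    return text


if __name__ == "__main__":
    info = openssl_build_info()
    print("linked OpenSSL:", info["version_string"])
    print("TLS 1.2 available:", tls12_available(info))
    try:
        ctx = make_tls12_client_context()
        print("client minimum version:", ctx.minimum_version.name)
    except RuntimeError as err:
        print(err)
```

Pass the returned context to the HTTP layer (for `requests`, via a mounted adapter that hands it to urllib3) and the client will never offer TLS 1.0; when the handshake still fails with the same alert, `explain_handshake_error` points at the interpreter's OpenSSL rather than at Vault.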
…orks/OpenColorIO failed Trying several things in a fork and finally found that using pyenv as suggested in hvac/hvac#75 worked. Validate that all builds are now passing on my fork.
I'm using the hvac package with vault 0.6.1. In my script, I attempt to authenticate against our Vault server with the username/password authentication method:
And I'm getting this error:
I thought it might be a TLS negotiation mismatch between my client and our Vault server but we aren't explicitly blocking/denying requests on TLSv1.
Based on the stack trace, it looks like an issue with my Python installation but I'm able to open other SSL sites in my Python environment without any problems: