
tlsv1 alert protocol version #75

Closed
jcderose opened this issue Aug 30, 2016 · 22 comments

@jcderose

I'm using the hvac package with vault 0.6.1. In my script, I attempt to authenticate against our Vault server with the username/password authentication method:

import hvac

# Client pointed at the Vault server (URL is a placeholder; the original snippet omitted the construction)
vault_client = hvac.Client(url="https://vault.example.com:8200")

vault_username = "username"
vault_pw = "mypassword"
vault_client.auth_userpass(vault_username, vault_pw)

And I'm getting this error:

$ ./script.py
Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 595, in urlopen
    chunked=chunked)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 352, in _make_request
    self._validate_conn(conn)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 831, in _validate_conn
    conn.connect()
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/connection.py", line 289, in connect
    ssl_version=resolved_ssl_version)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/util/ssl_.py", line 308, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 377, in wrap_socket
    _context=self)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 752, in __init__
    self.do_handshake()
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 988, in do_handshake
    self._sslobj.do_handshake()
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/ssl.py", line 633, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:645)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/adapters.py", line 423, in send
    timeout=timeout
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/packages/urllib3/connectionpool.py", line 621, in urlopen
    raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:645)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "./script.py", line 33, in <module>
    vault_client.auth_userpass(vault_username, vault_pw)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/hvac/v1/__init__.py", line 481, in auth_userpass
    return self.auth('/v1/auth/{0}/login/{1}'.format(mount_point, username), json=params, use_token=use_token)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/hvac/v1/__init__.py", line 600, in auth
    response = self._post(url, **kwargs).json()
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/hvac/v1/__init__.py", line 643, in _post
    return self.__request('post', url, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/hvac/v1/__init__.py", line 664, in __request
    allow_redirects=False, **_kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/sessions.py", line 475, in request
    resp = self.send(prep, **send_kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/sessions.py", line 596, in send
    r = adapter.send(request, **kwargs)
  File "/Library/Frameworks/Python.framework/Versions/3.5/lib/python3.5/site-packages/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:645)

I thought it might be a TLS negotiation mismatch between my client and our Vault server but we aren't explicitly blocking/denying requests on TLSv1.

Based on the stack trace, it looks like an issue with my Python installation but I'm able to open other SSL sites in my Python environment without any problems:

$ python
Python 3.5.2 (v3.5.2:4def2a2901a5, Jun 26 2016, 10:47:25)
[GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get("https://www.howsmyssl.com/a/check")
<Response [200]>
@ianunruh
Member

I believe Vault only accepts TLS 1.2, which is only in pretty recent versions of OpenSSL. Most HTTPS servers are more lenient, but Vault in particular is pretty picky. I actually ran into this issue on Travis CI in the early days of hvac. What version of OpenSSL do you have installed?

@jcderose
Author

@ianunruh looks like I'm running OpenSSL 1.0.1t 3 May 2016.

@alexgottscha

alexgottscha commented Sep 2, 2016

As a workaround, you can set the allowed TLS versions in Vault's configuration.

https://www.vaultproject.io/docs/config/index.html#tls_min_version

@ianunruh
Member

ianunruh commented Sep 2, 2016

Well hvac doesn't do anything special on that layer, we just use requests under the hood. I'm guessing that while you have a modern version of OpenSSL installed, Python isn't using it. I think you can check the version with the following.

[~]$ openssl version
OpenSSL 0.9.8zg 14 July 2015

[~]$ python
Python 2.7.10 (default, Mar 19 2016, 01:08:31)
[GCC 4.2.1 Compatible Apple LLVM 7.0.2 (clang-700.1.81)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.0.2h  3 May 2016'

@jcderose
Author

jcderose commented Sep 6, 2016

@ianunruh, the OpenSSL version I have installed on my laptop is newer than the imported version.

$ openssl version
OpenSSL 1.0.1t  3 May 2016

$ python
Python 3.5.2 (v3.5.2:4def2a2901a5, Jun 26 2016, 10:47:25)
[GCC 4.2.1 (Apple Inc. build 5666) (dot 3)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 0.9.8zh 14 Jan 2016'

I assume (naively) that the version installed on my laptop will be used rather than the imported version (if I don't explicitly import the ssl package in my script)?

@TerryHowe
Contributor

I agree with @invertigo, the best solution is to set that tls_min_version. I'm using tls_min_version = "tls10"

There are some workarounds and more discussion here that might help:
https://github.com/kennethreitz/requests/issues/1847

@jcderose
Author

jcderose commented Sep 8, 2016

I realize this is a beginner question, but how do I restart the Vault server once I add the tls_min_version to its config file? I tried sudo vault server -config /etc/vault.d/config.hcl but that command just barked that the server's listener address is already in use (since the Vault server is already running and listening on that address).

@TerryHowe
Contributor

TerryHowe commented Sep 8, 2016

Maybe something like

sudo -i
ps -eaf | grep vault
kill -9 _vault_pid_
vault server -config /etc/vault.d/config.hcl

Really ought to get yourself an init script so it can be more like service vault restart

@jcderose
Author

Just to confirm, adding tls_min_version = "tls10" to my listener worked.

@alexgottscha

Keep in mind that TLS 1.0 does have multiple severe vulnerabilities. It should only be used in a testing environment if at all possible.

https://www.kb.cert.org/vuls/id/864643

https://www.globalsign.com/en/blog/poodle-vulnerability-expands-beyond-sslv3-to-tls/


@jcderose
Author

If the solution suggested above has multiple severe vulnerabilities, shouldn't I make changes to my setup on the hvac client side (not the Vault server side)? Is there no way to tell my hvac client to use TLS v1.2 (if my Vault server is also using TLS v1.2)?

@alexgottscha

Your HVAC client is not able to use TLS 1.2, or it would have been able to use vault's API gateway without modifications. You might have an out-of-date OpenSSL library.


@alexgottscha

You might have an out-of-date OpenSSL library

On your client, that is.


@jcderose
Author

jcderose commented Sep 12, 2016

Thanks, @invertigo. My client's running OpenSSL 1.0.1t 3 May 2016. I thought this version is sufficient for TLS 1.2?

@TerryHowe
Contributor

Exactly, the Python 2.7 SSL library does an improper job of negotiating the connection as stated in the discussion in the requests project I posted earlier.

All I know is setting tls_min_version to tls10 works, maybe try tls12.


@jcderose
Author

@TerryHowe I'm using Python 3.5.2 and OpenSSL 1.0.1t 3 May 2016 on the client side with tls_min_version = 'tls12' on the server side.

@TerryHowe
Contributor

Ha @jcderose sorry I'm doing a bad job at reading!

@jcderose
Author

I'm trying to implement the workaround described in the SSLAdapter and the SSL library but I keep getting this error:

>>> from requests_toolbelt import SSLAdapter
>>> import requests
>>> import ssl
>>> s = requests.Session()
>>> s.mount('https://', SSLAdapter(ssl.PROTOCOL_TLS))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
AttributeError: module 'ssl' has no attribute 'PROTOCOL_TLS'

@jcderose
Author

@ianunruh is the SSLAdapter the easiest way to force Python to use a newer version of OpenSSL? Or do you suggest another alternative?

@ianunruh
Member

@jcderose So, the root of the problem is that your Python was compiled with an older version of OpenSSL that does not support TLS 1.2. Even though you have a newer version of OpenSSL installed on your system, Python will not use it. The "right way" to fix this would be to recompile Python with a newer version of OpenSSL or install a newer version of Python (possibly from a different source). This will vary wildly depending on your OS/distro. What are you running your code on?

Personally, I use OS X El Capitan. For my Python environment I use pyenv (https://github.com/yyuu/pyenv). If you have Homebrew, getting a new version of Python is as easy as the following.

brew update
brew install pyenv

# pyenv init belongs in the login shell's rc file, not a .bashrc in the current directory
echo 'eval "$(pyenv init -)"' >> ~/.bashrc
source ~/.bashrc

pyenv install 3.5.2
pyenv global 3.5.2

python --version
# Python 3 print is a function; this shows the OpenSSL the new interpreter is linked against
python -c 'import ssl; print(ssl.OPENSSL_VERSION)'

I believe TLS 1.2 support was added in OpenSSL 1.0.1, but you may want to verify that.
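The linked-OpenSSL check @ianunruh describes above, plus the client-side TLS 1.2 pinning @jcderose was reaching for with SSLAdapter, as an added stdlib-only example that is not from this thread or the hvac project; it assumes Python 3.7+ for minimum_version and takes the OpenSSL 1.0.1 threshold from the comment above.

```python
import re
import ssl

# OpenSSL gained TLS 1.2 in 1.0.1 (the threshold stated in the thread); Vault's listener
# defaults to TLS 1.2 as its minimum, so anything older is refused with a protocol_version alert.
TLS12_MIN_OPENSSL = (1, 0, 1)

# Matches the leading "OpenSSL X.Y.Z" of strings such as "OpenSSL 0.9.8zh 14 Jan 2016".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)")


def parse_openssl_version(version_string):
    """Return (major, minor, fix) from an 'openssl version' or ssl.OPENSSL_VERSION string."""
    match = _VERSION_RE.search(version_string)
    if match is None:
        raise ValueError("not an OpenSSL version string: %r" % version_string)
    return tuple(int(part) for part in match.groups())


def supports_tls12(version_tuple):
    """True when an OpenSSL of this version can negotiate TLS 1.2 at all."""
    return tuple(version_tuple[:3]) >= TLS12_MIN_OPENSSL


def diagnose_interpreter():
    """Describe the OpenSSL this interpreter actually loaded (not the system 'openssl' binary).

    ssl.OPENSSL_VERSION_INFO is the library Python was linked against, which is the
    mismatch the thread shows between 'openssl version' and ssl.OPENSSL_VERSION.
    """
    linked = ssl.OPENSSL_VERSION_INFO[:3]
    return {
        "linked_openssl": ssl.OPENSSL_VERSION,
        "tls12_capable": supports_tls12(linked),
        "has_tlsv1_2_constant": hasattr(ssl, "PROTOCOL_TLSv1_2"),
    }


def tls12_only_context():
    """Client-side SSLContext that refuses TLS 1.0/1.1, keeping the fix on the client side
    instead of lowering tls_min_version in Vault. Assumes Python 3.7+ for minimum_version;
    older interpreters would use ctx.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1 instead.
    """
    ctx = ssl.create_default_context()  # keeps certificate and hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for key, value in diagnose_interpreter().items():
        print("%s: %s" % (key, value))
```

Pass the context from tls12_only_context() to whatever HTTP client you use (for requests, via an HTTPAdapter subclass) so a client linked against a capable OpenSSL never silently falls back to TLS 1.0.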

@jcderose
Author

Installing (and using) pyenv instead of the local system Python (or even the brew'ed version of Python) worked. Thank you!

@otakup0pe
Contributor

Open to suggestions on an appropriate way to handle this error.... Maybe just catch it and say "upgrade openssl plz" ❓

BernardLefebvre added a commit to autodesk-forks/OpenColorIO that referenced this issue Apr 12, 2018
…orks/OpenColorIO failed

Trying several things in a fork and finally found that using pyenv as suggested in hvac/hvac#75 worked.
Validate that all builds are now passing on my fork.
fnordware pushed a commit to fnordware/OpenColorIO that referenced this issue Oct 8, 2019