Introduce support for TLS #556
Conversation
ncclient/transport/tls.py
Outdated
| if certfile is None: | ||
| raise TLSError('Missing client certificate file') | ||
|
|
||
| ssl_context = SSLContext(PROTOCOL_TLSv1_2) |
There was a problem hiding this comment.
Hi, it seems like the PROTOCOL_TLSv* are getting deprecated in 3.6.
The docs suggests to use the PROTOCOL_TLS_CLIENT flag.
This change will bump the TLS support to v3.6+ Python only. To keep the support for v2.7, one has to use PROTOCOL_TLS, but that won't work with the v3.10.
My small proposal is to do a conditional import or add another mandatory protocol argument to the TLSSession.connect method.
There was a problem hiding this comment.
Thanks for the tip! I'll address this issue in the next iteration of the PR.
There was a problem hiding this comment.
Any chance you'll able to address those changes any time soon?
I would like to help you, but I'm not sure if I can push to (or somehow edit) this pull-request as I'm not maintainer of this repository.
There was a problem hiding this comment.
I was hoping to collect all the feedback before making further code changes. @einarnn, could you have a look at the PR?
There was a problem hiding this comment.
@ivandkhn , I've started reviewing!
There was a problem hiding this comment.
@nthe, I've updated handling of TLS protocol version as you've suggested with a new protocol argument.
ncclient/transport/__init__.py
Outdated
| from ncclient.transport.errors import * | ||
|
|
||
| __all__ = [ | ||
| 'Session', | ||
| 'SessionListener', | ||
| 'SSHSession', | ||
| 'TLSSession' |
There was a problem hiding this comment.
The comma is missing at the end of the line.
ncclient/transport/tls.py
Outdated
| raise TLSError('CA certificate file not found') | ||
|
|
||
| sock = socket.socket(AF_INET, SOCK_STREAM) | ||
| ssl_sock = ssl_context.wrap_socket(sock, do_handshake_on_connect=False) |
There was a problem hiding this comment.
When user chooses to use PROTOCOL_TLS_CLIENT protocol, it automatically enables the hostname checking (sets SSLContext.check_hostname to True). With checking enabled, the wrap_socket method expects server_hostname argument, which is usually same as the host, but might be useful to have it as an separate argument which defaults to host value when not provided (jumphost, or port-forwarding).
Something like
def connect(self, ..., server_hostname=None):
and then
ssl_sock = ssl_context.wrap_socket(sock, do_handshake_on_connect=False, server_hostname=(server_hostname or host)
There was a problem hiding this comment.
Ok, added it! This also gave me an idea to introduce check_hostname parameter to disable (or enable) hostname checking in the first place, because before it was explicitly disabled.
|
@ivandkhn, there are a whole bunch of errors like this: Please tidy those up so we can get a clean run of existing tests. I'll continue the review once all tests run clean. |
ivandkhn
force-pushed
the
introduce-tls-support
branch
from
41cce4f
to
6336e2a
Compare
My bad, wrong module name. The tests run now in my local environment, hope they will run in CI pipeline as well. |
|
Hi @einarnn, could we ask you for another round of review? |
|
@ivandkhn -- could you take a look at the CI results? https://github.com/ncclient/ncclient/actions/runs/3659536172 There is a failure with Python 3.5, and I would prefer if we were able to continue supporting 3.5 if possible. I will still try to review the code this weekend. |
|
@einarnn I see, I’ll look into that and will fix the problem. |
Make run() loop independent of underlying transport so that it can be shared between SSH/TLS implementations. Signed-off-by: Ivan Dakhnenko <ivan.dakhnenko@siemens.com>
RFC 5539 introduced NETCONF-over-TLS back in 2009. Recently, we've seen more interest in using TLS instead of SSH for NETCONF (IEEE 60802). This patch introduces initial implementation of such communication. See ncclient#271, ncclient#421, ncclient#417 Signed-off-by: Ivan Dakhnenko <ivan.dakhnenko@siemens.com>
We use here the same key/certificate test files as in netopeer2: https://github.com/CESNET/netopeer2/tree/v0.7-r2/server/configuration/tls This makes it easier to re-use these files for hardware tests, since they are included in netopeer2-server example configuration. Signed-off-by: Ivan Dakhnenko <ivan.dakhnenko@siemens.com>
ivandkhn
force-pushed
the
introduce-tls-support
branch
from
1d1a598
to
bb5c012
Compare
|
@einarnn I've adjusted my patches – the issue with Python 3.5 should be resolved. |
|
Hi I'm getting error while running netconf connection w.r.t TLS, it seems TLSSession class is not there in updated version
please provide updated version or provide ways to resolve this error, thanks |
This PR implements TLS as a new transport level for NETCONF.
The biggest motivation for this change is currently ongoing standardization of Time-Sensitive Networking Profile for Industrial Automation: IEC/IEEE 60802. According to the current draft, the only secure transport for NETCONF should be TLS, and SSH is explicitly discouraged.
Codebase changes are as follows:
ssh.py.tls.pyto handle TLS connections. All the errors are re-raised as customTLSErrorto match the behavior ofssh.py. There's also some room for future improvements, e.g. Call Home over TLS is not implemented.I’ve also tested new TLS connectivity on some hardware running netopeer2-server 0.7.2 and 0.7.0.
See #271