Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SSL: WRONG_VERSION_NUMBER #521

Closed
vvarg229 opened this issue Mar 20, 2023 · 8 comments
Closed

SSL: WRONG_VERSION_NUMBER #521

vvarg229 opened this issue Mar 20, 2023 · 8 comments
Assignees
Labels
bug Something isn't working good first issue Good for newcomers

Comments

@vvarg229
Copy link
Collaborator

vvarg229 commented Mar 20, 2023

If you use the test environment from https://github.com/nspcc-dev/neofs-dev-env to run the tests, an error occurs:

SSL validation failed for https://s3.neofs.devenv:8080/5230878a-d6d7-4fe6-881e-d4d78225f9ad '
                         '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:997)
Traceback (most recent call last):
  File "/home/varg/work/neofs-testcases/venv.local-pytest/lib/python3.10/site-packages/botocore/httpsession.py", line 254, in send
    urllib_response = conn.urlopen(
  File "/home/varg/work/neofs-testcases/venv.local-pytest/lib/python3.10/site-packages/urllib3/connectionpool.py", line 785, in urlopen
    retries = retries.increment(
  File "/home/varg/work/neofs-testcases/venv.local-pytest/lib/python3.10/site-packages/urllib3/util/retry.py", line 525, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/home/varg/work/neofs-testcases/venv.local-pytest/lib/python3.10/site-packages/urllib3/packages/six.py", line 769, in reraise
    raise value.with_traceback(tb)
  File "/home/varg/work/neofs-testcases/venv.local-pytest/lib/python3.10/site-packages/urllib3/connectionpool.py", line 703, in urlopen
    httplib_response = self._make_request(
  File "/home/varg/work/neofs-testcases/venv.local-pytest/lib/python3.10/site-packages/urllib3/connectionpool.py", line 386, in _make_request
    self._validate_conn(conn)
  File "/home/varg/work/neofs-testcases/venv.local-pytest/lib/python3.10/site-packages/urllib3/connectionpool.py", line 1040, in _validate_conn
    conn.connect()
  File "/home/varg/work/neofs-testcases/venv.local-pytest/lib/python3.10/site-packages/urllib3/connection.py", line 414, in connect
    self.sock = ssl_wrap_socket(
  File "/home/varg/work/neofs-testcases/venv.local-pytest/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/home/varg/work/neofs-testcases/venv.local-pytest/lib/python3.10/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1071, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
urllib3.exceptions.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:997)

Allure report:
WRONG_VERSION_NUMBER.zip

@vvarg229 vvarg229 added testcases bug Something isn't working labels Mar 20, 2023
@vvarg229 vvarg229 self-assigned this Mar 20, 2023
roman-khimov added a commit that referenced this issue Mar 21, 2023
Tests that fall with the error "SSL: WRONG_VERSION_NUMBER" are marked as
skip. These tests are also marked as
nspcc_dev__neofs_testcases__issue_521. See
#521 for details.
@vvarg229 vvarg229 removed their assignment Mar 22, 2023
@vvarg229 vvarg229 added the good first issue Good for newcomers label Mar 22, 2023
@vvarg229
Copy link
Collaborator Author

The bug is reproduced separately from the tests:

$ aws --no-verify-ssl --no-paginate s3api create-bucket --bucket b2bf2a65-d6b2-4601-9b77-b2182ce2cb2a  --object-lock-enabled-for-bucket --endpoint https://s3.neofs.devenv:8080 --acl public-read-write

SSL validation failed for https://s3.neofs.devenv:8080/b2bf2a65-d6b2-4601-9b77-b2182ce2cb2a [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:997)
$ openssl s_client -connect s3.neofs.devenv:8080
CONNECTED(00000003)
809B676FD27F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 317 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

@aprasolova @masterSplinter01 it seems to me that there is something wrong with the s3-gate configuration.
When you deploy it locally, do you do it like https://github.com/nspcc-dev/neofs-dev-env/blob/master/README.md ?

@masterSplinter01
Copy link

masterSplinter01 commented Mar 27, 2023

Could you try to
to run make clean https://github.com/nspcc-dev/neofs-dev-env/blob/master/README.md#clean
and if you have any *.key and *.crt files in the /services/storage/ directory, delete them too
?

@masterSplinter01
Copy link

masterSplinter01 commented Mar 27, 2023

Lol, I've faced another problem:

$ aws s3 ls --endpoint https://s3.neofs.devenv:8080 --no-verify-ssl                                                                                                        
urllib3/connectionpool.py:1043: InsecureRequestWarning: Unverified HTTPS request is being made to host 's3.neofs.devenv'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
2023-03-27 15:29:58 b2bf2a65-d6b2-4601-9b77-b2182ce2cb2a
2023-03-27 15:28:02 7MPEzn6hdtQvDrwtS98qtBByhEPzhribmisD3p9uiFN4
2023-03-27 15:31:47 test
2023-03-27 15:33:13 hmmm

$ aws --no-verify-ssl --no-paginate s3api create-bucket --bucket heh  --object-lock-enabled-for-bucket --endpoint https://s3.neofs.devenv:8080 --acl public-read-write
urllib3/connectionpool.py:1043: InsecureRequestWarning: Unverified HTTPS request is being made to host 's3.neofs.devenv'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings

An error occurred (AccessDenied) when calling the CreateBucket operation: Access Denied.

 $ aws s3 ls --endpoint https://s3.neofs.devenv:8080 --no-verify-ssl                                                                                                   
urllib3/connectionpool.py:1043: InsecureRequestWarning: Unverified HTTPS request is being made to host 's3.neofs.devenv'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings

# Access denied or not??? 
2023-03-27 15:33:44 heh       

2023-03-27 15:29:58 b2bf2a65-d6b2-4601-9b77-b2182ce2cb2a
2023-03-27 15:28:02 7MPEzn6hdtQvDrwtS98qtBByhEPzhribmisD3p9uiFN4
2023-03-27 15:31:47 test
2023-03-27 15:33:13 hmmm

@vvarg229
Copy link
Collaborator Author

vvarg229 commented Mar 27, 2023

@masterSplinter01

Could you try to run make clean? https://github.com/nspcc-dev/neofs-dev-env/blob/master/README.md#clean ?

Yes, I did make clean

And do you have any *.key and *.crt files in the /services/storage/ directory?

Yes, I have these files:

$ ls -la services/storage/s04tls*
-rw-rw-r-- 1 varg varg 2021 Mar 27 11:54 services/storage/s04tls.crt
-rw------- 1 varg varg 3272 Mar 27 11:54 services/storage/s04tls.key

The contents of these files are similar to the contents of keys and certificates.

@vvarg229
Copy link
Collaborator Author

vvarg229 commented Mar 27, 2023

@masterSplinter01 can you check your version of urllib3?
To do this, run:
python3 -c 'import urllib3; print(urllib3.__version__)'

@masterSplinter01
Copy link

$ python3 -c 'import urllib3; print(urllib3.__version__)'
1.26.12

@masterSplinter01
Copy link

masterSplinter01 commented Mar 27, 2023

Lol, I've faced another problem:

$ aws s3 ls --endpoint https://s3.neofs.devenv:8080 --no-verify-ssl                                                                                                        
urllib3/connectionpool.py:1043: InsecureRequestWarning: Unverified HTTPS request is being made to host 's3.neofs.devenv'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
2023-03-27 15:29:58 b2bf2a65-d6b2-4601-9b77-b2182ce2cb2a
2023-03-27 15:28:02 7MPEzn6hdtQvDrwtS98qtBByhEPzhribmisD3p9uiFN4
2023-03-27 15:31:47 test
2023-03-27 15:33:13 hmmm

$ aws --no-verify-ssl --no-paginate s3api create-bucket --bucket heh  --object-lock-enabled-for-bucket --endpoint https://s3.neofs.devenv:8080 --acl public-read-write
urllib3/connectionpool.py:1043: InsecureRequestWarning: Unverified HTTPS request is being made to host 's3.neofs.devenv'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings

An error occurred (AccessDenied) when calling the CreateBucket operation: Access Denied.

 $ aws s3 ls --endpoint https://s3.neofs.devenv:8080 --no-verify-ssl                                                                                                   
urllib3/connectionpool.py:1043: InsecureRequestWarning: Unverified HTTPS request is being made to host 's3.neofs.devenv'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings

# Access denied or not??? 
2023-03-27 15:33:44 heh       

2023-03-27 15:29:58 b2bf2a65-d6b2-4601-9b77-b2182ce2cb2a
2023-03-27 15:28:02 7MPEzn6hdtQvDrwtS98qtBByhEPzhribmisD3p9uiFN4
2023-03-27 15:31:47 test
2023-03-27 15:33:13 hmmm

Oh, I get it. Parameter --object-lock-enabled-for-bucket caused receiving of AccessDenied.

$ aws --no-verify-ssl --no-paginate s3api create-bucket --bucket test  --endpoint https://s3.neofs.devenv:8080 --acl public-read-write
urllib3/connectionpool.py:1043: InsecureRequestWarning: Unverified HTTPS request is being made to host 's3.neofs.devenv'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings

$ aws s3 ls --endpoint https://s3.neofs.devenv:8080 --no-verify-ssl                                                                   
urllib3/connectionpool.py:1043: InsecureRequestWarning: Unverified HTTPS request is being made to host 's3.neofs.devenv'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
2023-03-27 17:37:24 test
2023-03-27 17:36:22 C6cWHmbsBwVR927beD8KsxuGtwa7rZLLL1ngZN6gTvNq

$ aws --no-verify-ssl --no-paginate s3api create-bucket --bucket lock  --object-lock-enabled-for-bucket --endpoint https://s3.neofs.devenv:8080 --acl public-read-write
urllib3/connectionpool.py:1043: InsecureRequestWarning: Unverified HTTPS request is being made to host 's3.neofs.devenv'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings

An error occurred (AccessDenied) when calling the CreateBucket operation: Access Denied.

$ aws s3 ls --endpoint https://s3.neofs.devenv:8080 --no-verify-ssl                                                                                                    
urllib3/connectionpool.py:1043: InsecureRequestWarning: Unverified HTTPS request is being made to host 's3.neofs.devenv'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
2023-03-27 17:38:24 lock
2023-03-27 17:37:24 test
2023-03-27 17:36:22 C6cWHmbsBwVR927beD8KsxuGtwa7rZLLL1ngZN6gTvNq

But this response still seems confusing.

vvarg229 added a commit to vvarg229/neofs-testcases that referenced this issue May 5, 2023
This commit removes the @pytest.mark.skip and issue_* decorators that were
temporarily skipping tests related to specific issues. The problems
associated with these tests have been resolved in the neofs-node project,
allowing them to be executed along with other tests.

List of removed issues:
nspcc-dev/neofs-node#2262
nspcc-dev#519
nspcc-dev#520
nspcc-dev#521
nspcc-dev#523
nspcc-dev#524
nspcc-dev#533
nspcc-dev#539
https://j.yadro.com/browse/OBJECT-628

But according to the results of test runs added issues, here is their list:
nspcc-dev#535
nspcc-dev#537
nspcc-dev#542
nspcc-dev#544
nspcc-dev#558
nspcc-dev#559

Signed-off-by: Oleg Kulachenko <oleg@nspcc.ru>
@vvarg229
Copy link
Collaborator Author

Fixed:
vvarg229@f2a5a93

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working good first issue Good for newcomers
Projects
None yet
Development

No branches or pull requests

2 participants