[Twisted-Python] SSL: wrong version number

Hello.

I'm trying to write a twisted client for MyProxy server. This grid service uses TLS. When using blocking calls, everything is ok. When trying to establish a twisted connection using reactor.connectSSL(host, port, f, contextFactory) with _the_same_ context in contextFactory, the error occurs:

[Failure instance: Traceback (failure with no frames): <class 'OpenSSL.SSL.Error'>: [('SSL routines', 'SSL3_GET_RECORD', 'wrong version number')]

You can do it yourself by simply connecting to myproxy.cern.ch:7512

Is there anybody aware of such a problem?

Thanks,
VV

On Thu, 14 Jun 2007 20:51:05 +0400, Voznesensky Vladimir <vovic@nfi.kiae.ru> wrote:
> Hello.
> I'm trying to write a twisted client for MyProxy server. This grid service uses TLS. When using blocking calls, everything is ok. When trying to establish a twisted connection using reactor.connectSSL(host, port, f, contextFactory) with _the_same_ context in contextFactory, the error occurs:
> [Failure instance: Traceback (failure with no frames): <class 'OpenSSL.SSL.Error'>: [('SSL routines', 'SSL3_GET_RECORD', 'wrong version number')]
> You can do it yourself by simply connecting to myproxy.cern.ch:7512
> Is there anybody aware of such a problem?

The server is using SSLv2. The traceback seems to indicate the context is set up for SSLv3. I can't tell how you created that context object, nor am I certain why one version of your code can establish a connection while the other cannot, but I would check the context object and make sure it is using either SSLv2 or SSLv23.

Jean-Paul

On Thu, 14 Jun 2007 15:08:06 -0400, Jean-Paul Calderone <exarkun@divmod.com> wrote:
> On Thu, 14 Jun 2007 20:51:05 +0400, Voznesensky Vladimir <vovic@nfi.kiae.ru> wrote:
>> Hello.
>> I'm trying to write a twisted client for MyProxy server. This grid service uses TLS. When using blocking calls, everything is ok. When trying to establish a twisted connection using reactor.connectSSL(host, port, f, contextFactory) with _the_same_ context in contextFactory, the error occurs:
>> [Failure instance: Traceback (failure with no frames): <class 'OpenSSL.SSL.Error'>: [('SSL routines', 'SSL3_GET_RECORD', 'wrong version number')]
>> You can do it yourself by simply connecting to myproxy.cern.ch:7512
>> Is there anybody aware of such a problem?
> The server is using SSLv2. The traceback seems to indicate the context is set up for SSLv3. I can't tell how you created that context object, nor am I certain why one version of your code can establish a connection while the other cannot, but I would check the context object and make sure it is using either SSLv2 or SSLv23.

Oh, I should also say that SSLv2 is insecure and, if you can, you should really change that server to use at least SSLv3.

Jean-Paul

Dear Jean-Paul,

Here is a bug/feature demonstrating example:

---8<---
from twisted.python.util import println
from twisted.protocols.basic import LineReceiver
from twisted.internet import protocol, reactor, defer, ssl, error
from twisted.python.failure import Failure
from OpenSSL import crypto, SSL

_CMD="""VERSION=MYPROXYv2
COMMAND=%d
USERNAME=%s
PASSPHRASE=%s
LIFETIME=%d\0""" % (0, "LOGIN", 'PASSPHRASE', 100)

WHERETO = ("myproxy.cern.ch",7512)

## Myproxy client protocol.
class MyproxyClient(protocol.Protocol):
    data = ''  # last chunk received, handed to the deferred on clean close

    def connectionMade(self):
        self.transport.write('0') # GT compat. stuff.
        self.transport.write(_CMD)

    def dataReceived(self, data):
        self.data = data
        self.transport.loseConnection()

    def connectionLost(self, reason=protocol.connectionDone):
        d = self.factory.deferred
        # reason is a Failure; compare by exception type, not by identity
        if not reason.check(error.ConnectionDone):
            d.errback(reason)
        else:
            d.callback(self.data)

## Myproxy client factory.
class MyproxyClientFactory(protocol.ClientFactory):
    protocol = MyproxyClient

    def __init__(self):
        self.deferred = defer.Deferred()

    def clientConnectionFailed(self, connector, reason):
        self.deferred.errback(reason)

## Context factory suitable for local needs.
class CF:
    def getContext(self):
        ctx = SSL.Context(SSL.SSLv3_METHOD)
        # disable for compatibility with myproxy server (er, globus)
        # globus doesn't handle this case, apparently, and instead
        # chokes in proxy delegation code
        ctx.set_options(0x00000800L)
        return ctx

# Blocking call with the same context: this one works.
ctx = CF().getContext()
import socket
conn = SSL.Connection(ctx,socket.socket())
conn.connect(WHERETO)
conn.write('0')
conn.write(_CMD)
dat = conn.recv(8192)
print 'data received by blocking call\n', dat
conn.close()
del ctx

# Twisted connection with the same context factory: this one fails.
f = MyproxyClientFactory()
contextFactory = CF()
reactor.connectSSL(WHERETO[0], WHERETO[1], f, contextFactory)
f.deferred.addCallbacks(
    callback=lambda data:(println("data received", data),reactor.stop()),
    errback=lambda error:(println("an error occurred", error),reactor.stop()))
reactor.run()
---8<---

Yours,
VV

On Thu, 14 Jun 2007 15:22:20 -0400 Jean-Paul Calderone <exarkun@divmod.com> wrote:
> On Thu, 14 Jun 2007 15:08:06 -0400, Jean-Paul Calderone <exarkun@divmod.com> wrote:
>> The server is using SSLv2. The traceback seems to indicate the context is set up for SSLv3. I can't tell how you created that context object, nor am I certain why one version of your code can establish a connection while the other cannot, but I would check the context object and make sure it is using either SSLv2 or SSLv23.
> Oh, I should also say that SSLv2 is insecure and, if you can, you should really change that server to use at least SSLv3.
> Jean-Paul
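
A diagnostic aid for the 'wrong version number' error discussed in this thread, as an added example that is not code from either poster or from Twisted or pyOpenSSL: it classifies the first bytes a peer sends as an SSLv3/TLS record, an SSLv2 record, or neither, and compares that with the version a client context is pinned to. It is written for Python 3; the function names and the sample byte strings are constructed for illustration.

```python
import struct

# (major, minor) version bytes as they appear on the wire.
# TLS 1.3 also writes 3,3 in its record headers.
VERSIONS = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def classify_first_bytes(data):
    """Return (framing, version_name) for the first bytes a peer sent."""
    if len(data) < 5:
        return ("too-short", None)
    ctype, major, minor, _length = struct.unpack("!BBBH", data[:5])
    # SSLv3/TLS record: content type, 2 version bytes, 2 length bytes.
    if ctype in CONTENT_TYPES and major == 3:
        return ("tls-record", VERSIONS.get((major, minor), "3.%d" % minor))
    # SSLv2 record: 2-byte length with the top bit set, then a message type
    # (1 = CLIENT-HELLO, 4 = SERVER-HELLO) and, a little later, the version.
    if data[0] & 0x80 and data[2] in (1, 4):
        off = 3 if data[2] == 1 else 5
        if len(data) < off + 2:
            return ("sslv2-record", None)
        ver = (data[off], data[off + 1])
        return ("sslv2-record", VERSIONS.get(ver, "%d.%d" % ver))
    return ("not-ssl", None)


def check_against_pinned(data, pinned):
    """Compare the peer's first bytes with a client pinned to one version."""
    framing, version = classify_first_bytes(data)
    if framing == "tls-record" and version == pinned:
        return "ok"
    if framing in ("tls-record", "sslv2-record"):
        return "version mismatch: peer sent %s (%s)" % (version, framing)
    return "peer did not send an SSL/TLS record (%s)" % framing


# Constructed sample inputs (not captured from any real server).
SAMPLES = {
    "sslv3_handshake": bytes([22, 3, 0, 0, 74, 2, 0, 0, 70]),
    "tls10_alert": bytes([21, 3, 1, 0, 2, 2, 40]),
    "sslv2_server_hello": bytes([0x80, 0x0B, 4, 0, 1, 0, 2, 0, 0, 0, 0, 0, 0]),
    "plaintext": b"220 service ready\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", check_against_pinned(raw, "SSLv3"))
```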