TLS does not seem to work with python 3

#1

Ok, so I am trying to use python 3 with crossbar 0.11.1 and I get the following error:

    2015-09-19T14:28:06+0800 [Controller 15188] Router 'worker1': component 'component1' started
    2015-09-19T14:28:06+0800 [Router 15230] Using explicit cipher list.
    2015-09-19T14:28:06+0800 [Router 15230] OpenSSL DH modes not active - missing DH param file
    2015-09-19T14:28:06+0800 [Router 15230] Ok, OpenSSL is using ECDH elliptic curve prime256v1
    2015-09-19T14:28:06+0800 [Controller 15188] 'str' does not support the buffer interface
    2015-09-19T14:28:06+0800 [Controller 15188] sending TERM to subprocess 15230
    2015-09-19T14:28:06+0800 [Controller 15188] waiting for 15230 to exit...
    2015-09-19T14:28:06+0800 [Router 15230] Received SIGTERM, shutting down.
    2015-09-19T14:28:06+0800 [Router 15230] Connection to node controller lost.

If I take the bold part out of my configuration file, it will start:

      "endpoint": {
        "port": 8217,
        "tls": {
          "certificate": "server_cert.pem",
          "dhparam": "dhparam.pem",
          "key": "server_key.pem"
        },
        "type": "tcp"
      },
      "type": "websocket",
      "url": "wss://milvos.com:8217/ws"
    }

I can’t seem to get any more information even with verbose logging, any ideas / help would be appreciated.

As an aside, iOS 9 is not allowing by default SSL connections to any SSL servers that are not running at least TLS 1.2, and Python 2 does not seem to support TLS 1.2 without being patched. I am using Autobahn within a Cordova application to connect to Crossbar and it is failing with CFNetwork SSLHandshake failed (-9824) when attempting connections to Crossbar.


#2

I should add that I removed the dhparams config option for this test, but it fails with or without the dhparams file.

On Saturday, September 19, 2015 at 2:56:46 PM UTC+8, Michael Milverton wrote:



#3

Okay, one more thing to add is this, taken from here

These are the App Transport Security requirements:

  • The server must support at least Transport Layer Security (TLS) protocol version 1.2.
  • Connection ciphers are limited to those that provide forward secrecy (see the list of ciphers below.)
  • Certificates must be signed using a SHA256 or better signature hash algorithm, with either a 2048 bit or greater RSA key or a 256 bit or greater Elliptic-Curve (ECC) key.
    Invalid certificates result in a hard failure and no connection.

These are the accepted ciphers:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

My certificate seems to meet these requirements and I have configured the server to support modern ciphers, so my feeling is that it is failing because of Python 2.7 not supporting TLS 1.2.


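One way to turn the ATS requirements quoted above into a concrete Python 3 server configuration, plus a check that reports anything outside them. This is an added example, not code from the thread or from Crossbar: it builds an `ssl.SSLContext` limited to TLS 1.2 and to the ATS cipher list, selects the prime256v1 curve the router log mentions, and lists any enabled TLS 1.2 suite that is not on the list. The OpenSSL-to-IANA name mapping covers only the ECDHE/AES families on that list; the certificate rules (SHA-256 signature, 2048-bit RSA or 256-bit ECC key) are not checked here and need an X.509 parser. The function names and the certificate/key arguments are my own.

```python
import re
import ssl

# Cipher suites accepted by App Transport Security, in the order listed above.
ATS_CIPHERS = (
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
)
ATS_CIPHER_SET = frozenset(ATS_CIPHERS)

# The name mapping covers exactly the ECDHE/AES families on the ATS list; anything else maps to None.
_OPENSSL_RE = re.compile(r"(ECDHE)-(RSA|ECDSA)-AES(128|256)(-GCM)?-(SHA256|SHA384|SHA)")
_IANA_RE = re.compile(r"TLS_(ECDHE)_(RSA|ECDSA)_WITH_AES_(128|256)_(GCM|CBC)_(SHA256|SHA384|SHA)")


def openssl_to_iana(name):
    """'ECDHE-RSA-AES128-GCM-SHA256' -> 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'; None if not ECDHE/AES."""
    m = _OPENSSL_RE.fullmatch(name)
    if not m:
        return None
    kx, auth, bits, gcm, mac = m.groups()
    return f"TLS_{kx}_{auth}_WITH_AES_{bits}_{'GCM' if gcm else 'CBC'}_{mac}"


def iana_to_openssl(name):
    """Reverse mapping, used to build the OpenSSL cipher string from the ATS list."""
    m = _IANA_RE.fullmatch(name)
    if not m:
        return None
    kx, auth, bits, mode, mac = m.groups()
    return f"{kx}-{auth}-AES{bits}{'-GCM' if mode == 'GCM' else ''}-{mac}"


OPENSSL_ATS_CIPHERS = [iana_to_openssl(n) for n in ATS_CIPHERS]


def check_cipher_names(names):
    """Return the enabled OpenSSL cipher names that are not on the ATS list.
    TLS 1.3 suites (named TLS_*) are skipped: they always use ephemeral keys."""
    return [n for n in names if not n.startswith("TLS_") and openssl_to_iana(n) not in ATS_CIPHER_SET]


def ats_server_context(certfile=None, keyfile=None):
    """Server-side SSLContext restricted to what iOS 9 ATS accepts (certificate paths are the caller's)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # ATS: at least TLS 1.2
    ctx.set_ciphers(":".join(OPENSSL_ATS_CIPHERS))     # ATS: forward-secret suites only
    ctx.set_ecdh_curve("prime256v1")                   # the curve the router log reports
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def check_context(ctx):
    """Return (ok, problems) for an SSLContext against the ATS protocol and cipher rules."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum protocol version is below TLS 1.2")
    enabled = [c["name"] for c in ctx.get_ciphers()]
    problems += ["cipher not on the ATS list: " + n for n in check_cipher_names(enabled)]
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = check_context(ats_server_context())
    print("ATS-compatible" if ok else "\n".join(problems))
```

`check_context` can be pointed at any context, including one built with defaults, to see which enabled suites (DHE, non-ECDHE RSA key exchange, CHACHA20) fall outside Apple's list; OpenSSL silently drops suites it does not support, so the check is a subset test rather than an equality test.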

#4

Okay, so proxying crossbar behind nginx solved the problem of ios 9 refusing to connect to crossbar.


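What "proxying crossbar behind nginx" looks like in practice, as an added example that is not from the thread or from the Crossbar project: nginx terminates TLS with the iOS 9 ATS settings (TLS 1.2 only, the ATS ECDHE cipher list from the previous reply, prime256v1) and forwards the WebSocket upgrade to Crossbar, which now listens in plain ws on the loopback interface with the tls block removed from its endpoint. The hostname and port come from the thread; the certificate and key paths are assumptions. The client then connects to wss://milvos.com/ws on 443 instead of port 8217.

```nginx
# TLS termination in front of Crossbar. Crossbar itself keeps only
# "port": 8217 and "type": "tcp" on its endpoint and is reachable on
# 127.0.0.1 only, so the plain ws listener is never exposed.
server {
    listen 443 ssl;
    server_name milvos.com;

    ssl_certificate     /etc/ssl/certs/server_cert.pem;    # assumed path
    ssl_certificate_key /etc/ssl/private/server_key.pem;   # assumed path

    # ATS: at least TLS 1.2, forward-secret suites only, server picks the suite
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve prime256v1;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA;

    location /ws {
        proxy_pass http://127.0.0.1:8217;
        # WebSocket upgrade needs HTTP/1.1 and the hop-by-hop headers passed through
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # idle WAMP sessions would otherwise be closed by nginx's 60 s read timeout
        proxy_read_timeout 3600s;
    }
}
```

Validate with `nginx -t` before reloading. Because nginx now owns the TLS side, the Python 2/3 TLS 1.2 question for Crossbar itself becomes irrelevant to the iOS client, which is why this unblocked the ATS handshake.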

#5

Hi Michael!

Glad to hear you got things working! Could you file an issue on the Crossbar.io repository regarding the Python 3/SSL problem, with a bit more detail, e.g. about the operating system? This seems like something we should take a closer look at.

Regards,

Alex



#6

Thanks Alex, yes I will do that, give me a couple of days as I am only running ssl on the production server so I have limited opportunities to test it without users :slight_smile:

On Saturday, September 19, 2015 at 5:09:12 PM UTC+8, Alexander Gödde wrote:



#7

Okay, I have submitted an issue: https://github.com/crossbario/crossbar/issues/468

I can’t test the SSL part until I get my authentication module working. I have an exception that is thrown from my authentication module when run in Python 3 but not Python 2. I can get the code to run by decoding bytes to ASCII, but then Autobahn states that my signature is invalid. Any help would be appreciated. Once I have this running I will test out Python 3 SSL and see if iOS 9 likes it.

Kind Regards

Michael


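The TypeError in the router log ("'str' does not support the buffer interface" is Python 3.4's wording for passing a str where a bytes-like object is required) and the authentication-module problem in this reply are the same Python 3 issue: str and bytes are distinct types, and HMAC signing needs bytes throughout. As an added example that is not code from the thread or from Autobahn, here is a WAMP-CRA style signer, base64 of HMAC-SHA256 over the challenge under the shared secret (or the PBKDF2-derived key when the authenticator uses a salt), written once in the Python 2 style that breaks and once with explicit encoding, together with the tempting wrong conversion `str(challenge_bytes)`, which produces a signature that verifies as invalid rather than a crash. The secret and challenge values are constructed.

```python
import base64
import hashlib
import hmac


def compute_wcs_py2_style(key, challenge):
    """Signature routine as it would be written for Python 2, where str and
    bytes are the same type. On Python 3 this raises TypeError as soon as
    either argument is a str (the message text depends on the Python version;
    3.4 says "'str' does not support the buffer interface")."""
    return base64.b64encode(hmac.new(key, challenge, hashlib.sha256).digest())


def to_bytes(value):
    """Accept str or bytes and return bytes; secret and challenge are text, so UTF-8 is the encoding."""
    if isinstance(value, bytes):
        return value
    if isinstance(value, str):
        return value.encode("utf-8")
    raise TypeError("expected str or bytes, got %s" % type(value).__name__)


def compute_wcs(key, challenge):
    """WAMP-CRA signature: base64(HMAC-SHA256(key, challenge)), returned as text
    so it can be placed in the JSON message on both Python 2 and 3."""
    mac = hmac.new(to_bytes(key), to_bytes(challenge), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def verify_wcs(key, challenge, signature):
    """Router side: recompute the signature and compare in constant time."""
    expected = compute_wcs(key, challenge)
    return hmac.compare_digest(to_bytes(expected), to_bytes(signature))


def compute_wcs_wrong_conversion(key, challenge_bytes):
    """The tempting 'fix' of wrapping bytes in str(): on Python 3, str(b'abc') is
    the text "b'abc'", so the MAC is computed over the wrong input and the router
    reports an invalid signature instead of raising a TypeError."""
    return compute_wcs(key, str(challenge_bytes))


# Constructed sample values (not a real WAMP challenge or secret).
SECRET = b"constructed-shared-secret"
CHALLENGE = b'{"authid": "joe", "nonce": "constructed", "timestamp": "2015-09-19T14:28:06+0800"}'


def demo():
    """Report which variants verify, so the effect of each conversion is visible."""
    good = compute_wcs(SECRET, CHALLENGE)
    wrong = compute_wcs_wrong_conversion(SECRET, CHALLENGE)
    try:
        compute_wcs_py2_style(SECRET.decode("ascii"), CHALLENGE)  # str key on Python 3
        py2_style_raises = False
    except TypeError:
        py2_style_raises = True
    return {
        "bytes_in_bytes_out_verifies": verify_wcs(SECRET, CHALLENGE, good),
        "str_inputs_verify_too": verify_wcs(SECRET.decode("ascii"), CHALLENGE.decode("ascii"), good),
        "str_wrapped_bytes_verifies": verify_wcs(SECRET, CHALLENGE, wrong),
        "py2_style_raises_on_py3": py2_style_raises,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for an authenticator that has to run on both interpreters is to normalise at the boundary (`to_bytes`) and hand the MAC only bytes, rather than to sprinkle `.decode()`/`str()` calls where the exception happens to surface; the constant-time `hmac.compare_digest` on the verifying side is the other detail worth keeping.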