Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pskwrapper: ssl.SSLError: [SSL: NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:1007) #7

Open
BBT-coder opened this issue Feb 11, 2024 · 3 comments
Open

pskwrapper: ssl.SSLError: [SSL: NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:1007) #7

BBT-coder opened this issue Feb 11, 2024 · 3 comments

Comments

@BBT-coder
Copy link

Hi,

I have a zabbix 6.4 proxy running in a docker container with this config:

  - TLSACCEPT=psk
  - TLSCONNECT=psk
  - TLSPSKIDENTITY=PSK001
  - TLSPSKFILE=/var/lib/zabbix/enc/psk-file.psk

When testing if I can connect to the proxy using openssl, I use:

openssl s_client -no_tls1_3 -connect 192.168.1.1:10056 -psk_identity 'PSK001' -psk '<my psk>'
Connecting to 192.168.1.1
CONNECTED(00000180)
Can't use SSL_get_servername
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 242 bytes and written 418 bytes
Verification: OK
---
New, TLSv1.0, Cipher is ECDHE-PSK-AES128-CBC-SHA256
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-PSK-AES128-CBC-SHA256
    Session-ID:
    Session-ID-ctx:
    Master-Key: <a master key>
    PSK identity: PSK001
    PSK identity hint: None
    SRP username: None
    Start Time: 1707658392
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

closed

When when I run the psk_wrapper.py (from a Windows 11 machine) I got the error:

File "C:\Python\Python310\lib\ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:1007)
python-BaseException

psk and pskidentity are the same as used in the openssl

Python 3.10.11

pyOpenSSL      23.3.0
sslpsk3             1.1.1
zabbix-utils      1.1.0

When running the psk_wrapper from a Raspberry 4 (Linux 6.1.41-v8+ #1667 SMP PREEMPT Wed Jul 26 17:59:29 BST 2023 aarch64 GNU/Linux) I got the Error:

ssl.SSLError: [SSL: SSLV3_ALERT_BAD_RECORD_MAC] sslv3 alert bad record mac (_ssl.c:1123)

Is there a way I can configure -no_tls1_3 in the wrapper (not sure if this would fix things)?
Any help would be appreciated.

Theo
@enzocicarelli
Copy link

enzocicarelli commented Mar 31, 2024
edited

Hi,

I have a zabbix 6.4 proxy running in a docker container with this config:

  - TLSACCEPT=psk
  - TLSCONNECT=psk
  - TLSPSKIDENTITY=PSK001
  - TLSPSKFILE=/var/lib/zabbix/enc/psk-file.psk

When testing if I can connect to the proxy using openssl, I use:

openssl s_client -no_tls1_3 -connect 192.168.1.1:10056 -psk_identity 'PSK001' -psk '<my psk>'
Connecting to 192.168.1.1
CONNECTED(00000180)
Can't use SSL_get_servername
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 242 bytes and written 418 bytes
Verification: OK
---
New, TLSv1.0, Cipher is ECDHE-PSK-AES128-CBC-SHA256
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-PSK-AES128-CBC-SHA256
    Session-ID:
    Session-ID-ctx:
    Master-Key: <a master key>
    PSK identity: PSK001
    PSK identity hint: None
    SRP username: None
    Start Time: 1707658392
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

closed

When when I run the psk_wrapper.py (from a Windows 11 machine) I got the error:

File "C:\Python\Python310\lib\ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:1007)
python-BaseException

psk and pskidentity are the same as used in the openssl

Python 3.10.11

pyOpenSSL      23.3.0
sslpsk3             1.1.1
zabbix-utils      1.1.0

When running the psk_wrapper from a Raspberry 4 (Linux 6.1.41-v8+ #1667 SMP PREEMPT Wed Jul 26 17:59:29 BST 2023 aarch64 GNU/Linux) I got the Error:

ssl.SSLError: [SSL: SSLV3_ALERT_BAD_RECORD_MAC] sslv3 alert bad record mac (_ssl.c:1123)

Is there a way I can configure -no_tls1_3 in the wrapper (not sure if this would fix things)? Any help would be appreciated.

Theo

Hi @BBT-coder,
I had the same problem with BAD_RECORD_MAC and I was able to fix it by using bytes.fromhex("psk") instead of b"psk", hope it helps you.

@BBT-coder
Copy link
Author

Thanks @enzocicarelli,

This did indeed (for Linux) solved my problem.

@aiantsen
Copy link
Contributor

aiantsen commented Apr 8, 2024

@BBT-coder, thank you for the found issue.
We're working on reproducing this problem on Windows.

@enzocicarelli, thank you for the suggested resolution.
This has been tested with Linux and will be implemented in the next version.

aiantsen added a commit that referenced this issue Apr 10, 2024
@aiantsen
fixed example code issue (for Linux) #7
84d525b
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@enzocicarelli @BBT-coder @aiantsen