Nuxeo-drive and ssl_ciphers
We recently refused the protocols SSLv2, SSLv3 and SSLv23 to accept only TLS v1, v1.1 and v1.2 on our domain.
From the internet, our client-drive receives an error (below) after auto-negotiation of the encryption for the connection (currently RC4 encryption).
Traceback (most recent call last):
  File "nuxeo-drive-client\nxdrive\manager.py", line 397, in _get_update_url
  File "nuxeo-drive-client\nxdrive\manager.py", line 438, in _refresh_engine_update_infos
  File "nuxeo-drive-client\nxdrive\engine\engine.py", line 535, in get_update_infos
  File "nuxeo-drive-client\nxdrive\engine\engine.py", line 723, in get_remote_doc_client
  File "nuxeo-drive-client\nxdrive\client\remote_document_client.py", line 78, in __init__
  File "nuxeo-drive-client\nxdrive\client\base_automation_client.py", line 216, in __init__
  File "nuxeo-drive-client\nxdrive\client\base_automation_client.py", line 273, in fetch_api
URLError: <urlopen error [Errno 1] _ssl.c:504: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure>
Indeed, version 2.7.3 of Python still accepts the RC4 cipher for SSL and TLS. This has been removed in the 2.7.9 release (see url)
Could you take into account this change and accept the TLS v1.1 / 1.2 protocols?
Python 2.x tries to establish a connection with PROTOCOL_SSLv23 by default > Patch Lib/ssl.py#L1057
You can patch the “wrap_socket” method to force the TLS connection > https://bugs.python.org/issue24372
In this case, you can leave the option to choose the connection type in the GUI
For added security, it is advisable to use the library “urllib3” rather than version 2 > urllib3#insecureplatformwarning
It is preferable to use the package “pyopenssl” to connect to HTTPS > urllib3#pyopenssl
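
Added example, not part of the original post and not Nuxeo Drive code: on Python 3.7+, a client context pinned to TLS with RC4 excluded, an audit of what that context will offer, and a urllib opener built on it. The function names, the cipher string and the TLS 1.2 default floor are assumptions; pass ssl.TLSVersion.TLSv1 as the floor if the server must also be reached over TLS 1.0 or 1.1.

```python
# Added example (assumed names; not Nuxeo Drive code). Standard library only.
import ssl
import urllib.request


def make_tls_context(minimum=ssl.TLSVersion.TLSv1_2):
    """Client context that never offers SSLv2/SSLv3 or RC4 suites."""
    ctx = ssl.create_default_context()  # certificate and hostname checks on
    ctx.minimum_version = minimum       # floor for protocol negotiation
    # OpenSSL cipher string: strong suites only, RC4 explicitly excluded.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


def audit_context(ctx):
    """Summarise what the context will offer in its ClientHello."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "minimum_version": ctx.minimum_version.name,
        "verifies_certificates": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "rc4_suites": [n for n in names if "RC4" in n],
        "suite_count": len(names),
    }


def make_opener(ctx):
    """urllib opener whose HTTPS connections all use the given context."""
    handler = urllib.request.HTTPSHandler(context=ctx)
    return urllib.request.build_opener(handler)


if __name__ == "__main__":
    context = make_tls_context()
    for key, value in audit_context(context).items():
        print(key, "=", value)
    opener = make_opener(context)
    # opener.open("https://nuxeo.example.invalid/")  # placeholder host
```

Running the audit before deployment confirms the client and server still share at least one suite once RC4 is gone.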