Nuxeo-drive and ssl_ciphers

Hi,

We recently refused the protocols SSLv2, SSLv3 and SSLv23 to accept only TLS v1, v1.1 and v1.2 on our domain.

From internet, our client-drive receive an error (below) after auto-negotiation for encryption of the connection (currently the RC4 encryption).

Traceback (most recent call last):
  File "nuxeo-drive-client\nxdrive\manager.py", line 397, in _get_update_url
  File "nuxeo-drive-client\nxdrive\manager.py", line 438, in _refresh_engine_update_infos
  File "nuxeo-drive-client\nxdrive\engine\engine.py", line 535, in get_update_infos
  File "nuxeo-drive-client\nxdrive\engine\engine.py", line 723, in get_remote_doc_client
  File "nuxeo-drive-client\nxdrive\client\remote_document_client.py", line 78, in __init__
  File "nuxeo-drive-client\nxdrive\client\base_automation_client.py", line 216, in __init__
  File "nuxeo-drive-client\nxdrive\client\base_automation_client.py", line 273, in fetch_api
URLError: <urlopen error [Errno 1] _ssl.c:504: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure>

Indeed, the version 2.7.3 of the python still accepting RC4 cipher for SSL and TLS. This has been removed from the 2.7.9 release (see url)

https://hg.python.org/cpython/rev/3596081cfb55/

Could you take into account this change and accept the TLS v1.1 / 1.2 protocols?

https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack

Thanks

0 votes

2 answers

1207 views

ANSWER



Python 2.x tries to establish a connection with PROTOCOL_SSLv23 by default > Patch Lib/ssl.py#L1057

You can patch the “wrap_socket” method to force the TLS connection > https://bugs.python.org/issue24372

In this case, you can leave the option to choose the connection type in the GUI

For added security, it is advisable to use the library “urllib3” rather than version 2 > urllib3#insecureplatformwarning

It is preferable to use the package “pyopenssl” to connect to HTTPS > urllib3#pyopenssl

0 votes



OK thanks for this detailed information. Created https://jira.nuxeo.com/browse/NXDRIVE-352 for this request. I cannot give you a delay, but you can watch the issue to be notified.
06/09/2015


So just upgrading to Python 2.7.9 in Drive build would solve the problem?

0 votes