Nuxeo-drive and ssl_ciphers

Hi,

We recently refused the protocols SSLv2, SSLv3 and SSLv23 to accept only TLS v1, v1.1 and v1.2 on our domain.

From the internet, our client-drive receives an error (below) after auto-negotiation for encryption of the connection (currently the RC4 encryption).

Traceback (most recent call last):
  File "nuxeo-drive-client\nxdrive\manager.py", line 397, in _get_update_url
  File "nuxeo-drive-client\nxdrive\manager.py", line 438, in _refresh_engine_update_infos
  File "nuxeo-drive-client\nxdrive\engine\engine.py", line 535, in get_update_infos
  File "nuxeo-drive-client\nxdrive\engine\engine.py", line 723, in get_remote_doc_client
  File "nuxeo-drive-client\nxdrive\client\remote_document_client.py", line 78, in __init__
  File "nuxeo-drive-client\nxdrive\client\base_automation_client.py", line 216, in __init__
  File "nuxeo-drive-client\nxdrive\client\base_automation_client.py", line 273, in fetch_api
URLError: <urlopen error [Errno 1] _ssl.c:504: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure>

Indeed, version 2.7.3 of Python still accepts the RC4 cipher for SSL and TLS. This has been removed in the 2.7.9 release (see URL):

https://hg.python.org/cpython/rev/3596081cfb55/

Could you take into account this change and accept the TLS v1.1 / 1.2 protocols?

https://community.qualys.com/blogs/securitylabs/2013/03/19/rc4-in-tls-is-broken-now-what
https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack

Thanks

0 votes

2 answers

2816 views

ANSWER



Python 2.x tries to establish a connection with PROTOCOL_SSLv23 by default > Patch Lib/ssl.py#L1057

You can patch the “wrap_socket” method to force the TLS connection > https://bugs.python.org/issue24372

In this case, you can leave the option to choose the connection type in the GUI

For added security, it is advisable to use the library “urllib3” rather than version 2 > urllib3#insecureplatformwarning

It is preferable to use the package “pyopenssl” to connect to HTTPS > urllib3#pyopenssl

0 votes
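The client-side restriction discussed in this answer, as an added example that is not part of the answer and is not Nuxeo Drive code: a Python 3.7+ `ssl` context that cannot negotiate SSLv2/SSLv3 or offer RC4, plus a check of what it actually enables. The cipher string, the TLS 1.2 floor and the function names are assumptions made for the example.

```python
import ssl
import urllib.request

# Assumed policy (OpenSSL cipher-string syntax): strong suites only, RC4 excluded.
CIPHER_POLICY = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES"
# Substrings that mark a suite name as unacceptable for this example.
BANNED_MARKERS = ("RC4", "NULL", "EXP", "MD5", "DES")


def make_tls_context(ciphers=CIPHER_POLICY):
    """Client context that cannot fall back to SSLv2/SSLv3 or offer RC4."""
    ctx = ssl.create_default_context()            # certificate + hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed floor; the server allows 1.2
    ctx.set_ciphers(ciphers)                      # raises ssl.SSLError if nothing matches
    return ctx


def weak_suites(ctx, banned=BANNED_MARKERS):
    """Names of enabled cipher suites that contain a banned marker."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in banned)]


def make_opener(ctx):
    """urllib opener whose HTTPS requests all go through ctx."""
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


if __name__ == "__main__":
    ctx = make_tls_context()
    print("minimum version:", ctx.minimum_version.name)
    print("weak suites enabled:", weak_suites(ctx))
    print("suites offered:", len(ctx.get_ciphers()))
```

Running `weak_suites()` against whatever context a client really uses is a quick way to confirm that RC4 is no longer offered before the server-side restriction is rolled out.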



OK thanks for this detailed information. Created https://jira.nuxeo.com/browse/NXDRIVE-352 for this request. I cannot give you a delay, but you can watch the issue to be notified.
06/09/2015


So just upgrading to Python 2.7.9 in the Drive build would solve the problem?

0 votes