No cipher option
EOS uses deprecated ciphers by default and we can't specify the ciphers to use (with ssl.create_default_context().set_ciphers('DHE-RSA-AES256-SHA')), so it's impossible to connect from a system removing deprecated ciphers by default:
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/pyeapi/eapilib.py", line 440, in send
    self.transport.endheaders(message_body=data)
  File "/usr/lib/python3.9/http/client.py", line 1252, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.9/http/client.py", line 1012, in _send_output
    self.send(msg)
  File "/usr/lib/python3.9/http/client.py", line 952, in send
    self.connect()
  File "/usr/lib/python3.9/http/client.py", line 1426, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/usr/lib/python3.9/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.9/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/lib/python3.9/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1145)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/napalm/eos/eos.py", line 167, in open
    sh_ver = self.device.run_commands(["show version"])
  File "/usr/lib/python3.9/site-packages/napalm/eos/pyeapi_syntax_wrapper.py", line 42, in run_commands
    return super(Node, self).run_commands(commands, *args, **kwargs)
  File "/usr/lib/python3.9/site-packages/pyeapi/client.py", line 771, in run_commands
    response = self._connection.execute(commands, encoding, **kwargs)
  File "/usr/lib/python3.9/site-packages/pyeapi/eapilib.py", line 554, in execute
    response = self.send(request)
  File "/usr/lib/python3.9/site-packages/pyeapi/eapilib.py", line 483, in send
    raise ConnectionError(str(self), error_msg)
pyeapi.eapilib.ConnectionError: Socket error during eAPI connection: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1145)
Running a simple urllib.request.Request without the ssl cipher option returns the same error; by specifying the ciphers it works.
~ % python
Python 3.9.6 (default, Sep 22 2021, 15:28:10)
[GCC 10.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> import urllib.request
>>> url = urllib.request.Request('https://edge-1/')
>>> ssl_context = ssl.create_default_context()
>>> ssl_context.set_ciphers('DHE-RSA-AES256-SHA, AES256-SHA')
>>> data = urllib.request.urlopen(url).read().decode()
Traceback (most recent call last):
  File "/usr/lib/python3.9/urllib/request.py", line 1346, in do_open
    h.request(req.get_method(), req.selector, req.data, headers,
  File "/usr/lib/python3.9/http/client.py", line 1257, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib/python3.9/http/client.py", line 1303, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.9/http/client.py", line 1252, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.9/http/client.py", line 1012, in _send_output
    self.send(msg)
  File "/usr/lib/python3.9/http/client.py", line 952, in send
    self.connect()
  File "/usr/lib/python3.9/http/client.py", line 1426, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/usr/lib/python3.9/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.9/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/lib/python3.9/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1145)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.9/urllib/request.py", line 214, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python3.9/urllib/request.py", line 517, in open
    response = self._open(req, data)
  File "/usr/lib/python3.9/urllib/request.py", line 534, in _open
    result = self._call_chain(self.handle_open, protocol, protocol +
  File "/usr/lib/python3.9/urllib/request.py", line 494, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.9/urllib/request.py", line 1389, in https_open
    return self.do_open(http.client.HTTPSConnection, req,
  File "/usr/lib/python3.9/urllib/request.py", line 1349, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1145)>
>>> data = urllib.request.urlopen(url, context=ssl_context).read().decode()
Traceback (most recent call last):
  File "/usr/lib/python3.9/urllib/request.py", line 1346, in do_open
    h.request(req.get_method(), req.selector, req.data, headers,
  File "/usr/lib/python3.9/http/client.py", line 1257, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib/python3.9/http/client.py", line 1303, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.9/http/client.py", line 1252, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib/python3.9/http/client.py", line 1012, in _send_output
    self.send(msg)
  File "/usr/lib/python3.9/http/client.py", line 952, in send
    self.connect()
  File "/usr/lib/python3.9/http/client.py", line 1426, in connect
    self.sock = self._context.wrap_socket(self.sock,
  File "/usr/lib/python3.9/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.9/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/lib/python3.9/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1145)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.9/urllib/request.py", line 214, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib/python3.9/urllib/request.py", line 517, in open
    response = self._open(req, data)
  File "/usr/lib/python3.9/urllib/request.py", line 534, in _open
    result = self._call_chain(self.handle_open, protocol, protocol +
  File "/usr/lib/python3.9/urllib/request.py", line 494, in _call_chain
    result = func(*args)
  File "/usr/lib/python3.9/urllib/request.py", line 1389, in https_open
    return self.do_open(http.client.HTTPSConnection, req,
  File "/usr/lib/python3.9/urllib/request.py", line 1349, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1145)>
>>>
Without an ssl context, urllib can't connect to the Arista box at all; by specifying it, it's only a matter of the self-signed certificate.
Issue analytics: created 2 years ago; 3 reactions; 6 comments (1 by maintainers)
Top GitHub Comments
To leave a trace somewhere: on the Arista side you can tweak the SSL/TLS profile to set proper TLS settings. That way it avoids messing around with pyeos.
It might depend on the version you are running though, but at least it's working on 4.25+.
capi.pem key and capikey.pem are the device certificate custom certificate, stored in /persist/secure/ssl/certs/capi.pem and /persist/secure/ssl/keys/capikey.pem.
There is a way to specify a cipher for pyeapi, though it's an undocumented one. I covered it when resolving issue #222. It's similar to what @u1735067 proposed in his pyeapi patch: specify the cipher as soon as you get a client connection. The issue is documented here: https://pyeapi.readthedocs.io/en/develop/client_modules/client.html#pyeapi.client.connect
Here's how one can set the cipher:
Though providing a user-level option to specify the cipher seems a reasonable request. I'll close this one and file an enhancement to provide a user option for the cipher.
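The two client-side approaches in this thread, the urllib session with an explicit ssl context from the issue body and the context handed to pyeapi that the maintainer describes, put together as one added example. This is not code from the issue, from pyeapi or from either commenter. It assumes that pyeapi.connect() accepts a context keyword (check the connect() documentation linked above for your installed version); the host, credentials and certificate file name are placeholders. The certificate part replaces the "self signed certificate" failure with pinning: export the switch's certificate and trust only that file, rather than turning verification off.

```python
import socket
import ssl
import urllib.request

# Cipher names from the issue (OpenSSL cipher-list syntax, entries joined by ':').
LEGACY_CIPHERS = "DHE-RSA-AES256-SHA:AES256-SHA"
# What to prefer once the switch's SSL profile has been fixed.
MODERN_CIPHERS = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"


def offered_ciphers(ctx):
    """TLS 1.2-and-below suites this context will offer, in priority order.
    get_ciphers() also lists the TLS 1.3 suites, which set_ciphers() does not
    govern, so those (names starting with 'TLS_') are filtered out."""
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def available_ciphers(cipher_list):
    """Which of `cipher_list` the local OpenSSL build will actually offer.
    Returns [] when nothing matches: set_ciphers() raises SSLError then, which
    is the "system removing deprecated ciphers" case from the issue, as opposed
    to the device rejecting a cipher the client did offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        return []
    return offered_ciphers(ctx)


def eapi_ssl_context(cipher_list, cafile=None):
    """Client context with an explicit cipher list and TLS 1.2 as the floor.
    With `cafile` set, create_default_context() trusts only that file and not
    the system store, so passing the switch's exported self-signed certificate
    pins the device instead of disabling verification. The certificate's
    SAN/CN must match the host name you connect to (check_hostname stays on)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_list)
    return ctx


def negotiated_cipher(host, port, ctx, timeout=5):
    """Handshake only, to tell the two failures in the issue apart: a cipher
    mismatch surfaces as SSLError (the handshake-failure alert), a certificate
    problem as SSLCertVerificationError (a subclass, so it is caught first).
    Returns (cipher_name, None) on success or (None, error_text)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0], None
    except ssl.SSLCertVerificationError as exc:
        return None, "certificate: %s" % exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return None, "handshake: %s" % exc


def fetch_eapi_page(url, ctx):
    """The urlopen(url, context=ctx) call from the interpreter session."""
    return urllib.request.urlopen(url, context=ctx).read().decode()


def pyeapi_node(host, username, password, ctx):
    """ASSUMPTION: pyeapi.connect() accepts a `context` keyword; verify against
    the connect() documentation for the pyeapi version you have installed.
    pyeapi is imported here so the rest of this file runs without it."""
    import pyeapi
    return pyeapi.connect(transport="https", host=host, username=username,
                          password=password, context=ctx, return_node=True)


if __name__ == "__main__":
    # Placeholder values, not a real device.
    HOST, USER, PASSWORD = "edge-1", "admin", "secret"
    print("legacy ciphers this OpenSSL will offer:", available_ciphers(LEGACY_CIPHERS))
    ctx = eapi_ssl_context(LEGACY_CIPHERS, cafile="edge-1-device-cert.pem")
    print("handshake:", negotiated_cipher(HOST, 443, ctx))
    node = pyeapi_node(HOST, USER, PASSWORD, ctx)
    print(node.run_commands(["show version"]))
```

Run available_ciphers() first: an empty result means the local OpenSSL policy, not the switch, is refusing the suite, and no amount of set_ciphers() on the client will help until the device profile is changed. negotiated_cipher() then shows whether the remaining problem is the cipher or the certificate, which is the distinction between the two tracebacks in the issue.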