#1233 koji cli client not working with TLS1.3
Opened 5 years ago by jcpunk. Modified 5 years ago

It looks like the koji 1.16 command line client isn't working under TLS1.3 on Fedora 29.

Replication steps:
1. Set mod_ssl to only use TLS1.3
2. restart apache
3. koji moshimoshi

Results:
2019-02-06 16:13:31,138 [ERROR] koji: HTTPError: 403 Client Error: Forbidden for url: https://testhost.example.com/kojihub/ssllogin

SSL_verify_client_post_handshake:extension not received

When switching to only use TLS1.2 the problem is gone, as 'SSL_verify_client_post_handshake' is a TLS1.3 extension.


  1. are we certain that the problem is on the client and not the server?
  2. can you share more details about your client and server config?
  3. can you try a simple test with python-requests and said apache instance?

My configs are pretty boring....

Just the stock Fedora 29 apache/koji-hub/koji-web. The only changes from defaults are:
enable ssl auth
point to my actual hostname

I set the crypto-policy to NEXT. Then I manually set the TLS version.

>>> requests.get('https://testhost.example.com/koji/login', cert=('client.crt', 'client.crt'))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 75, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/api.py", line 60, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 524, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/site-packages/requests/sessions.py", line 637, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='testhost.example.com', port=443): Max retries exceeded with url: /koji/login (Caused by SSLError(SSLError(1, u'[SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:726)'),))

This does appear to be linked to other bits of the stack[1]. I'll hop over there since this is lower in the stack.

Any chance to get a note on this behavior into the "How to setup koji hub"? I lost a few hours on this today....

[1] https://bugs.python.org/issue34670

At this point we rely pretty heavily on python-requests to do the heavy lifting for our connections. We don't get deep into the handshake, so I'd be surprised if anything we're doing is breaking TLS1.3 specifically.

We could add a note I guess, though hopefully this will be fixed soon.

Do you have a suggestion on where exactly the note should go?

@mikem The problem is that F29 enables TLSv1.3 by default (and python's ssl lib can't handle it correctly), so as @jcpunk said, koji is not working with default configs. I would write comments in the httpd configs (/kojihub/ssllogin, /koji/login).

1) mod_ssl protocols can be changed only at the virtual server or server level, so the option must be somewhere other than kojihub.conf (ssl.conf works): SSLProtocol all -SSLv3 -TLSv1.3.
2) The error will not manifest with a python2 client (python2 has no v1.3 support at all) if the server supports other protocols.
3) The error will always be present with a py3 client + TLSv1.3. The ugly thing is that apache returns only a 403 response, and the proper error is only seen in the apache log.
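Added example, not code from koji or from anyone in this thread: the python-requests test jcpunk posted above was run under python2.7 (which cannot speak TLS1.3 at all, hence the "protocol version" alert), and the py3 failure in point 3 above is Apache asking for post-handshake client authentication (PHA) that the client never advertised. The snippet below builds an SSLContext with `post_handshake_auth` enabled (the attribute added by the Python change in [1], available in Python 3.7.1+/3.8 with OpenSSL 1.1.1+) and wires it into a requests Session so the client cert is sent when the server asks for it mid-connection. The file names `client.crt`/`client.key`, the `/koji/login` URL and the claim that this is sufficient for koji's ssllogin are assumptions for illustration; the ticket itself does not confirm the fix.

```python
"""Enable TLS 1.3 post-handshake client auth (PHA) in python-requests.

Added example (not koji's own code). Assumes a Python with
SSLContext.post_handshake_auth (bpo-34670) linked against OpenSSL 1.1.1+.
"""
import ssl


def tls13_support():
    """Report what this interpreter's ssl module can do for TLS 1.3.

    has_tls13   : OpenSSL was built with TLS 1.3 (python2 always False here).
    has_pha_attr: SSLContext exposes post_handshake_auth (bpo-34670 landed).
    """
    ctx = ssl.create_default_context()
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "has_tls13": bool(getattr(ssl, "HAS_TLSv1_3", False)),
        "has_pha_attr": hasattr(ctx, "post_handshake_auth"),
    }


def make_pha_context(certfile=None, keyfile=None):
    """Client context that advertises the TLS 1.3 post_handshake_auth extension.

    Without this flag a TLS 1.3 server that only requires a client cert for
    a sub-location (Apache's SSLVerifyClient in <Location>) has no way to ask
    for it later, and mod_ssl logs "extension not received" and sends a 403.
    certfile/keyfile are hypothetical paths supplied by the caller.
    """
    ctx = ssl.create_default_context()
    if not tls13_support()["has_tls13"]:
        raise RuntimeError("this ssl module has no TLS 1.3 support (e.g. python2)")
    if not hasattr(ctx, "post_handshake_auth"):
        raise RuntimeError("SSLContext.post_handshake_auth missing: python too old (see bpo-34670)")
    ctx.post_handshake_auth = True
    if certfile:
        # requests' cert=(crt, key) tuple maps onto load_cert_chain; the key
        # really must be the private key, not the certificate file twice.
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def make_session(ctx):
    """Return a requests.Session whose HTTPS pool uses the given SSLContext.

    requests is imported here rather than at module level so the two
    diagnostic helpers above still run on a box without python-requests.
    """
    import requests
    from requests.adapters import HTTPAdapter

    class PHAAdapter(HTTPAdapter):
        def __init__(self, ssl_context, **kwargs):
            self._ctx = ssl_context
            super().__init__(**kwargs)

        def init_poolmanager(self, *args, **kwargs):
            kwargs["ssl_context"] = self._ctx
            return super().init_poolmanager(*args, **kwargs)

        def proxy_manager_for(self, *args, **kwargs):
            kwargs["ssl_context"] = self._ctx
            return super().proxy_manager_for(*args, **kwargs)

    session = requests.Session()
    session.mount("https://", PHAAdapter(ctx))
    return session


if __name__ == "__main__":
    print(tls13_support())
    # Hypothetical paths and URL, mirroring the ticket's manual test.
    session = make_session(make_pha_context("client.crt", "client.key"))
    resp = session.get("https://testhost.example.com/koji/login")
    print(resp.status_code)
```

If the server has been restricted with `SSLProtocol all -SSLv3 -TLSv1.3` as in point 1, the context above still works: it negotiates TLS 1.2 and Apache falls back to renegotiation for the per-location cert request. The `tls13_support()` check is worth running on the affected host first, since a python2 koji client will never reach the PHA stage.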

That all sounds good to me.

@mikem Shouldn't this (note about altering SSLProtocol) be part of docs for 1.17?

