
OCI REST API security & Python headsup

Hey all,

Team OCI goes to great lengths to ensure that our REST API is additive over time, such that your integrations will continue to work in the future as you upgrade to newer OCI releases.

However, Python has been a bit finicky with regards to negotiating SSL/TLS sessions, so there is some stuff you want to know to get ahead of some pitfalls.

#1. The OCI demo REST API python code contains a file oci_rest.py. If you look at lines 69 through 79, you will see that we are forcing Python to use TLS - this was because certain Python versions would have problems where they would attempt to negotiate SSLv3, fail, and not attempt TLS, and therefore not establish an HTTPS session, which is a bit of an inhibitor for working with REST.

The problem is that line 79 is forcing a TLS 1.0 connection. This is somewhat lame on our part - all versions of OCI 7.0.x and OCI 7.1.0 speak TLS 1.[0-2].

The problem - OCI 7.1.1 will likely be TLS 1.2 only.

Change ssl_version=ssl.PROTOCOL_TLSv1 to ssl_version=ssl.PROTOCOL_TLSv1_2 to get ahead of this. Then test your integrations - we'd be pretty surprised if you noticed anything.

#2. Recent Python 2.7 versions seem to have disabled RC4 based ciphers. This means these impacted versions will generate a handshake failed message when talking to OCI 7.0.2 and 7.1.0.

OCI 7.0.3 does not have this problem, because we changed the default cipher.

It is possible to change OCI 7.0.2 / 7.1.0 to use

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

On your OCI operational server, navigate to

..\SANscreen\jboss\server\onaro\deploy\jbossweb.sar

Make a backup of server.xml to a different location.

Edit the server.xml, look for the line

ciphers = "SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA"

change to

ciphers = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"

Save the file, restart the "SANscreen Server" service.
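Added example (not from oci_rest.py or the OCI project) covering both #1 and #2: the TLS 1.2 floor expressed as an SSLContext rather than the deprecated ssl_version argument, a check of which suites your Python will actually offer (RC4 gone? replacement cipher present?), and a check that the server.xml ciphers line no longer lists RC4. The server.xml line, the host name and the helper names are constructed for illustration.

```python
import re
import ssl
import http.client

# Cipher the post tells you to set in server.xml (IANA name) and the same
# suite under OpenSSL naming, which is what Python's ssl module reports.
SERVER_CIPHER_IANA = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"
SERVER_CIPHER_OPENSSL = "ECDHE-RSA-AES128-SHA"

# Constructed sample: the line the post tells you to look for in server.xml.
SAMPLE_SERVER_XML_LINE = 'ciphers = "SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA"'


def make_tls12_context(verify=True):
    """Same effect as ssl_version=ssl.PROTOCOL_TLSv1_2 on line 79, but as an
    SSLContext, which newer Python versions prefer."""
    ctx = ssl.create_default_context()            # verifies the server cert
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0 / 1.1
    if not verify:                                # e.g. a self-signed OCI cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def client_cipher_names(ctx):
    """OpenSSL names of the suites this Python build will offer."""
    return {c["name"] for c in ctx.get_ciphers()}


def offers_rc4(ctx):
    """True if the client still offers an RC4 suite (the cause of #2)."""
    return any("RC4" in name for name in client_cipher_names(ctx))


def supports_server_cipher(ctx):
    """True if the client can negotiate the replacement server cipher."""
    return SERVER_CIPHER_OPENSSL in client_cipher_names(ctx)


def rc4_suites_in_server_xml(xml_text):
    """RC4 suites still listed in a server.xml ciphers attribute (empty after
    the edit described above took effect)."""
    m = re.search(r'ciphers\s*=\s*"([^"]*)"', xml_text)
    if not m:
        return []
    return [s.strip() for s in m.group(1).split(",") if "RC4" in s]


def open_oci_connection(host, port=443, ctx=None):
    """HTTPSConnection to an OCI server that will only speak TLS 1.2 or better."""
    return http.client.HTTPSConnection(host, port, context=ctx or make_tls12_context())
```

Run offers_rc4() and supports_server_cipher() on the Python that runs your integration before touching server.xml; if the replacement suite is not offered, the cipher change alone will not fix the handshake.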