2016-11-08 03:29 AM - edited 2017-03-10 01:14 PM
I am developing some automation using Python and it worked very well with HTTP protocol, but I needed to use HTTPS instead. My scenario is:
All my filers use TLS
No SSL allowed due to SSL security issues
All my filers have self signed certificate
I tried a lot of things until I finally decided to make some changes to the NetApp SDK library. In file NaServer.py at line 431, instead of:
connection = httplib.HTTPSConnection(server, port=self.port, timeout=self.timeout)
I changed to
connection = httplib.HTTPSConnection(server, port=self.port, timeout=self.timeout, context=ssl.SSLContext(ssl.PROTOCOL_TLSv1))
Now it works like a charm and I can run my program with HTTPS.
Very important: this solution was tested using Python 3.5.
2017-03-09 11:03 AM
This works for python 2.7 as well.
In my scenario I have NetApps using TLS or SSLv3, so I created a separate NaServer.py which specified SSLv3 instead:
connection = httplib.HTTPSConnection(server, port=self.port, timeout=self.timeout, context=ssl.SSLContext(ssl.PROTOCOL_SSLv3))
Then in my Python script I import both as such:
from NaServer import *
import NaServer_SSL3
Then just have a simple boolean variable that I set to use the other library:
def na_setup(netapp, sslv3=False):
    # Pick the SSLv3-patched copy of the SDK only when asked to.
    if sslv3:
        ss = NaServer_SSL3.NaServer(netapp, 1, 1)
    else:
        ss = NaServer(netapp, 1, 1)
    return ss
I tried monkey patching ssl._create_default_https_context a few times, but as my script makes a ton of other API calls, this was a bit outside my Python comfort zone.
Also worth mentioning that I battled weak ciphers with older 7-mode systems for a few days and finally found a combination that worked for all my NetApps:
import ssl
try:
    _create_unverified_https_context = ssl._create_unverified_context
except AttributeError:
    # Older Python without this helper: leave the default context alone.
    pass
else:
    # Make the default HTTPS context skip certificate verification.
    ssl._create_default_https_context = _create_unverified_https_context
# Append RC4-SHA to the default cipher list.
ssl._DEFAULT_CIPHERS += ':RC4-SHA'
You got me on the right path.
2017-03-21 10:11 PM
I am using Python 2.7.13 for connecting to my 7-mode Filer using the HTTPSConnection module like this:
connection = httplib.HTTPSConnection(server, port=443, timeout=300, context=ssl.SSLContext(ssl.PROTOCOL_TLSv1))
But I am getting an error:
(<class 'ssl.SSLError'>, SSLError(1, u'[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:676)'), <traceback object at 0x7ff7bb69d128>)
Can anyone help me with what's wrong with it?
I can connect with the same code to Cluster-mode Filers but not 7-mode.
I have already enabled tls, ssl3 options on this Filer.
2017-03-22 09:54 AM
I would first try to generate a new certificate on one of the failing systems and make sure its key length is the max (2048, I think). The Python standard libraries disabled handshakes with key lengths shorter than 1024 (I believe that there's a bug where it actually only works with 2048 key lengths) a few years ago; the version, I think, was somewhere around 2.6.9 or so.
You may also need to add to the default cipher list as I mentioned in my post above. I believe the order matters.
During my troubleshooting I had also installed the following packages, though I can't confirm if they contributed to my success:
pip install requests[security] urllib3
As a fallback, I have a Python 2.6.6 install that I use to verify it's not something more than the cert. Hope that helps.
2018-02-28 01:21 PM
Thanks. Adding that entry around line 433 in NaServer.py did the trick for me.
It seems like it's skipping the certificate validation altogether. I have a signed certificate and cannot get it to work on my 7-mode system.
The reason why I think it's skipping cert validation is because I have a wildcard-based certificate and the connection goes through successfully irrespective of using FQDN or CNAME.
On a cDOT system, though, it works like a charm (without having to make any edits to NaServer.py). When I connect using FQDN instead of CNAME to a cDOT system, it throws an error saying invalid matching name for the certificate (this error goes away when line 433 is added, which again proves the fact that cert validation is disabled when that line is added).
Any suggestions are much appreciated.
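The behaviour described in the last post, as an added example that is not part of the original thread or of the NetApp SDK: a context created directly with ssl.SSLContext(<protocol constant>) starts with certificate and hostname checks off, while ssl.create_default_context() keeps both on and can trust a filer's self-signed certificate through cafile. The function names and the idea of exporting the filer certificate to a PEM file are assumptions made for illustration.

```python
import http.client
import ssl
import warnings


def thread_style_context():
    """Context built the way the thread does: SSLContext(<protocol constant>).

    PROTOCOL_TLS is used here so the example runs on current Python builds;
    every protocol constant except PROTOCOL_TLS_CLIENT starts with the same
    defaults (verify_mode=CERT_NONE, check_hostname=False).
    """
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        return ssl.SSLContext(ssl.PROTOCOL_TLS)


def verified_filer_context(cafile=None):
    """Context that still validates the filer's certificate.

    cafile (assumed path): PEM file holding the filer's self-signed
    certificate or the CA that signed it. With cafile=None the system
    trust store is used, which suits a CA-signed certificate.
    """
    # create_default_context sets CERT_REQUIRED and check_hostname=True.
    return ssl.create_default_context(cafile=cafile)


def validation_gaps(ctx):
    """List the certificate checks a context will skip."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("certificate chain not verified")
    if not ctx.check_hostname:
        gaps.append("hostname not checked")
    return gaps


def filer_connection(server, ctx, port=443, timeout=300):
    """HTTPSConnection to the filer; nothing is sent until request()."""
    return http.client.HTTPSConnection(server, port=port, timeout=timeout,
                                       context=ctx)


if __name__ == "__main__":
    print("thread-style:", validation_gaps(thread_style_context()))
    print("verified:    ", validation_gaps(verified_filer_context()))
```

With hostname checking on, the name used to connect has to match a name in the certificate, which is the error the last post sees on cDOT before line 433 is added.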