Active IQ Unified Manager Discussions

Soap https broken

francoisbnc
10,874 Views

I experience an issue when I tried to call WFA workflows through https soap call in python.

Basically I receive

 

requests.exceptions.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure in ssl python module

>>> print (ssl.OPENSSL_VERSION)
OpenSSL 1.0.2k 26 Jan 2017

 

 

I think is related to wfa broken https communication, I can see with Chrome in Security Overview when connected though https interface

 

Obsolete Connection Settings
The connection to this site uses a strong protocol (TLS 1.2), an obsolete key exchange (RSA), and an obsolete cipher (3DES_EDE_CBC with HMAC-SHA1).

Is there a way to change the cipher and key exchange on WFA server side.

 

Same issue with WFA 4.0 and WFA 4.1RC1

 

 

Any help appreciated

 

 
1 ACCEPTED SOLUTION

ag
NetApp
10,641 Views

Can you try adding 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' to enabled-cipher-suites attribute of the https-listeners property in urn:jboss:domain:undertow:1.2 subsystem configuration in the <WFA_install_location>\WFA\jboss\standalone\configuration\standalone-full.xml.

View solution in original post

8 REPLIES 8

anuk
10,712 Views

Hi,

    SSLv3 is disabled in WFA server from 3.0GA onwards due to security reasons. Hence the connection failure. TLSv1,TLSv1.1,TLSv1.2 are the supported protocols. Could you please try to connect with the supported protocols.

 

Thanks and Regards

Anu

francoisbnc
10,677 Views

I do my connection via TLS1_2

Broken https  is not relayed to SSLv3, but weak tls cipher, find  the supported ciphers  (all are obsolete)

 

SCAN RESULTS FOR ITS-WFADEV.SWATCHGROUP.NET:443 - 10.140.16.45
 --------------------------------------------------------------

  * Deflate Compression:
                                         OK - Compression disabled

  * Certificate Basic Information:
      SHA1 Fingerprint:                  3aba9c83639b784b0fefa41bc7efed51d8e01f14
      Common Name:                       GDC01249.swatchgroup.net
      Issuer:                            GDC01249.swatchgroup.net
      Serial Number:                     6556000F
      Not Before:                        Apr 18 14:32:11 2016 GMT
      Not After:                         Apr 18 14:32:11 2019 GMT
      Signature Algorithm:               sha256WithRSAEncryption
      Public Key Algorithm:              rsaEncryption
      Key Size:                          2048
      Exponent:                          65537 (0x10001)

  * Certificate - Trust:
      Hostname Validation:               FAILED - Certificate does NOT match its-wfadev.swatchgroup.net
      Apple CA Store (OS X 10.11.6):     FAILED - Certificate is NOT Trusted: self signed certificate
      AOSP CA Store (7.0.0 r1):          FAILED - Certificate is NOT Trusted: self signed certificate
      Mozilla CA Store (09/2016):        FAILED - Certificate is NOT Trusted: self signed certificate
      Java 7 CA Store (Update 79):       FAILED - Certificate is NOT Trusted: self signed certificate
      Microsoft CA Store (09/2016):      FAILED - Certificate is NOT Trusted: self signed certificate
      Received Chain:                    GDC01249.swatchgroup.net
      Verified Chain:                    ERROR - Could not build verified chain (certificate untrusted?)
      Received Chain Contains Anchor:    ERROR - Could not build verified chain (certificate untrusted?)
      Received Chain Order:              OK - Order is valid
      Verified Chain contains SHA1:      ERROR - Could not build verified chain (certificate untrusted?)

  * Certificate - OCSP Stapling:
                                         NOT SUPPORTED - Server did not send back an OCSP response.

  * SSLV2 Cipher Suites:
      Server rejected all cipher suites.

  * Session Renegotiation:
      Client-initiated Renegotiation:    VULNERABLE - Server honors client-initiated renegotiations
      Secure Renegotiation:              OK - Supported

  * OpenSSL CCS Injection:
                                         OK - Not vulnerable to OpenSSL CCS injection

  * TLSV1_1 Cipher Suites:
      Preferred:                       
        None - Server followed client cipher suite preference.                                                            
      Accepted:                        
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 DH-2048 bits   112 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      HTTP 200 OK                                                 

  * Resumption Rate:
      With Session IDs:                  OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
      With TLS Tickets:                  NOT SUPPORTED - TLS ticket not assigned.

  * TLSV1_2 Cipher Suites:
      Preferred:                       
        None - Server followed client cipher suite preference.                                                            
      Accepted:                        
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 DH-2048 bits   112 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      HTTP 200 OK                                                 

  * Downgrade Attacks:
      TLS_FALLBACK_SCSV:                 OK - Supported

  * TLSV1 Cipher Suites:
      Preferred:                       
        None - Server followed client cipher suite preference.                                                            
      Accepted:                        
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 DH-2048 bits   112 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      HTTP 200 OK                                                 

  * SSLV3 Cipher Suites:
      Server rejected all cipher suites.

 

 

francoisbnc
10,691 Views

I do soap call via TLS so problem is not relayed to SSLv3, but weak cipher used in wfa server.

 

 

SCAN RESULTS FOR ITS-WFADEV.SWATCHGROUP.NET:443 - 10.140.16.45
 --------------------------------------------------------------

  * Deflate Compression:
                                         OK - Compression disabled

  * TLSV1_2 Cipher Suites:
      Preferred:                       
        None - Server followed client cipher suite preference.                                                            
      Accepted:                        
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 DH-2048 bits   112 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      HTTP 200 OK                                                 

  * SSLV2 Cipher Suites:
      Server rejected all cipher suites.

  * Session Renegotiation:
      Client-initiated Renegotiation:    VULNERABLE - Server honors client-initiated renegotiations
      Secure Renegotiation:              OK - Supported

  * OpenSSL CCS Injection:
                                         OK - Not vulnerable to OpenSSL CCS injection

  * Certificate Basic Information:
      SHA1 Fingerprint:                  3aba9c83639b784b0fefa41bc7efed51d8e01f14
      Common Name:                       GDC01249.swatchgroup.net
      Issuer:                            GDC01249.swatchgroup.net
      Serial Number:                     6556000F
      Not Before:                        Apr 18 14:32:11 2016 GMT
      Not After:                         Apr 18 14:32:11 2019 GMT
      Signature Algorithm:               sha256WithRSAEncryption
      Public Key Algorithm:              rsaEncryption
      Key Size:                          2048
      Exponent:                          65537 (0x10001)

  * Certificate - Trust:
      Hostname Validation:               FAILED - Certificate does NOT match its-wfadev.swatchgroup.net
      Microsoft CA Store (09/2016):      FAILED - Certificate is NOT Trusted: self signed certificate
      Apple CA Store (OS X 10.11.6):     FAILED - Certificate is NOT Trusted: self signed certificate
      AOSP CA Store (7.0.0 r1):          FAILED - Certificate is NOT Trusted: self signed certificate
      Java 7 CA Store (Update 79):       FAILED - Certificate is NOT Trusted: self signed certificate
      Mozilla CA Store (09/2016):        FAILED - Certificate is NOT Trusted: self signed certificate
      Received Chain:                    GDC01249.swatchgroup.net
      Verified Chain:                    ERROR - Could not build verified chain (certificate untrusted?)
      Received Chain Contains Anchor:    ERROR - Could not build verified chain (certificate untrusted?)
      Received Chain Order:              OK - Order is valid
      Verified Chain contains SHA1:      ERROR - Could not build verified chain (certificate untrusted?)

  * Certificate - OCSP Stapling:
                                         NOT SUPPORTED - Server did not send back an OCSP response.

  * TLSV1_1 Cipher Suites:
      Preferred:                       
        None - Server followed client cipher suite preference.                                                            
      Accepted:                        
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 DH-2048 bits   112 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      HTTP 200 OK                                                 

  * TLSV1 Cipher Suites:
      Preferred:                       
        None - Server followed client cipher suite preference.                                                            
      Accepted:                        
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 DH-2048 bits   112 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      HTTP 200 OK                                                 

  * Resumption Rate:
      With Session IDs:                  OK - Supported (5 successful, 0 failed, 0 errors, 5 total attempts).
      With TLS Tickets:                  NOT SUPPORTED - TLS ticket not assigned.

  * Downgrade Attacks:
      TLS_FALLBACK_SCSV:                 OK - Supported

  * SSLV3 Cipher Suites:
      Server rejected all cipher suites.

Server only accept

TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

 

there are actually obsolete regarding Chrome security tab

2017-04-04_134353.png

 

 

sinhaa
10,673 Views

@francoisbnc

 

Very interesting. Now we need to look at it and update you, its not a regular issue.

 

Its is possible to give the code snip of your python code which you have been trying and the error is thrown.

 

 

sinhaa

 

If this post resolved your issue, help others by selecting ACCEPT AS SOLUTION or adding a KUDO.

francoisbnc
10,669 Views

i use zeep python module to handle SOAP requests, unfortunatly I can't run this with python3 in https, because of  handshake failure at Client() init class.

 

here is a part of the code.

 

from requests import Session
from requests.auth import HTTPBasicAuth
from zeep import Client
from zeep.transports import Transport
import base64

WORKFLOW = 'ITS - SAP Refresh Test'

uname = 'user'
password = 'pass'

urlwsdl = 'https://its-wfadev.swatchgroup.net/wfa-ws/WorkflowService_rpc?wsdl'

session = Session()
session.auth = HTTPBasicAuth(uname, password)

client = Client(wsdl=urlwsdl, transport=Transport(session=session))
workflows = client.service.getAllWorkflows()

ag
NetApp
10,642 Views

Can you try adding 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256' to enabled-cipher-suites attribute of the https-listeners property in urn:jboss:domain:undertow:1.2 subsystem configuration in the <WFA_install_location>\WFA\jboss\standalone\configuration\standalone-full.xml.

ag
NetApp
10,637 Views

Don't forget to restart WFA service after making the changes

francoisbnc
10,592 Views

You rock, new  cipher is now available.

  * TLSV1_2 Cipher Suites:
      Preferred:                       
        None - Server followed client cipher suite preference.                                                            
      Accepted:                        
        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256             ECDH-570 bits  128 bits      HTTP 200 OK                                                 
        TLS_RSA_WITH_3DES_EDE_CBC_SHA                     -              112 bits      HTTP 200 OK                                                 
        TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA                 DH-2048 bits   112 bits      HTTP 200 OK                                                 

code is working well now.

 

Thanks!

Public