canonical/pylxd

Can't authenticate on Debian 9: WRONG_CURVE

harrim4n opened this issue · 4 comments

I'm using lxd (installed from snap, version 4.2) and pylxd from pip (version 2.2.11) on Debian 9.12.
When I try to authenticate with client.authenticate() according to https://pylxd.readthedocs.io/en/latest/authentication.html, I get an error from ssl.
ssl.SSLError: [SSL: WRONG_CURVE] wrong curve (_ssl.c:720)
From what I can see, this is because of a change in openssl, but I'm not sure how to fix this.
OpenSSL version is 1.1.01-1~deb9u1

What's the python version on Debian 9? (I think it's Py3.5?). If so, you are probably hitting https://bugs.python.org/issue31809. If it is py35, can you try with a more recent version?

Yes, Python version is 3.5. Can confirm that Python 3.6 works fine. However, IMO, it's not really an option to install Python3.6 on Debian 9. The package would have to be maintained manually, as no prebuilt version of 3.6 exists for Debian (afaik) as Debian 10 uses Py3.7.

I don't think you can fix this using Debian 9 / Python 3.5 packages as it appears to be an issue with Python35 and the version of SSL that ships with Debian 9 ... i.e. it's not a pylxd issue. You might be able to build a custom OpenSSL that doesn't have the issue, or upgrade to Python > 3.5.

Yes, a fix is probably not possible in pylxd. However, a change in LXD (i.e., the addition of a non-elliptic curve cipher) should fix the issue, right? According to testssl, currently only ECDHE-ECDSA-AES* ciphers are enabled, which is odd, because according to the source in lxd/network.go, RSA ciphers should be supported. I'll file an issue in the other repo, thanks.
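
A way to check the two things this thread turns on, added here as an example and not taken from the issue, pylxd or LXD: whether a server's suite list leaves any option that avoids elliptic curves, and whether the local Python/OpenSSL pair matches the setup reported above. The function names, the sample suite list and the `matches_reported_setup` heuristic are assumptions made for illustration.

```python
import ssl
import sys

# Constructed sample: OpenSSL-style suite names as a scanner such as testssl
# would list them for a server that only enables ECDHE-ECDSA-AES* suites.
SAMPLE_SERVER_SUITES = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
]


def classify_suite(name):
    """Return (key_exchange, authentication) for an OpenSSL suite name.

    Covers the common TLS 1.2 naming only (ECDHE-*, DHE-*, bare RSA suites).
    """
    if name.startswith("TLS_"):
        # TLS 1.3 names do not encode key exchange or certificate type.
        return ("TLS1.3", "ANY")
    parts = name.split("-")
    if parts[0] in ("ECDHE", "DHE") and len(parts) > 1:
        return (parts[0], parts[1])
    # No key-exchange prefix means RSA key transport with an RSA certificate.
    return ("RSA", "RSA")


def ec_only(suites):
    """True if every suite needs an elliptic curve for key exchange or auth."""
    return bool(suites) and all(kx == "ECDHE" or auth == "ECDSA"
                                for kx, auth in map(classify_suite, suites))


def client_report(suites, py_version=None, openssl_version=None):
    """Summarise the local TLS stack against a server's suite list."""
    py = tuple(py_version or sys.version_info)[:3]
    ossl = tuple(openssl_version or ssl.OPENSSL_VERSION_INFO)[:3]
    return {
        "python": py,
        "openssl": ossl,
        "server_ec_only": ec_only(suites),
        # Heuristic taken from this thread: Python 3.5 with OpenSSL 1.1.0
        # failed with WRONG_CURVE, while Python 3.6 worked.
        "matches_reported_setup": py[:2] == (3, 5) and ossl == (1, 1, 0),
    }


if __name__ == "__main__":
    print(client_report(SAMPLE_SERVER_SUITES))
```

When `server_ec_only` is true, the client has no suite to fall back to if curve negotiation fails, which is the situation the last comment describes.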