luqasz/librouteros

Encrypted Connection Not Working

Closed this issue · 12 comments

Hi,

I'm using Python 3.6.9 with librouteros 3.0.0. I'm getting the following error when I try to connect to a remote Mikrotik with encryption (I'm a Python novice so please excuse any rookie mistakes):

root@localhost:~# python3 ssl.py 
Traceback (most recent call last):
  File "ssl.py", line 3, in <module>
    import ssl
  File "/root/ssl.py", line 6, in <module>
    ctx = ssl.create_default_context()
AttributeError: module 'ssl' has no attribute 'create_default_context'

I'm using the code provided in the documentation:

import ssl
from librouteros import connect

ctx = ssl.create_default_context()  # TLS context handed to librouteros via ssl_wrapper below
# Security note: 'ADH' selects anonymous Diffie-Hellman cipher suites, so the
# router presents no certificate and its identity is never verified. Together
# with check_hostname = False the link is encrypted but unauthenticated: an
# active man-in-the-middle can read the username and password sent below.
# '@SECLEVEL=0' lowers the OpenSSL security level so these suites are accepted.
# Where the router can be given a certificate, prefer a context that verifies it.
ctx.check_hostname = False
ctx.set_ciphers('ADH:@SECLEVEL=0')
api = connect(
    username='admin',
    password='abc',
    host='some.address.com',
    ssl_wrapper=ctx.wrap_socket,
    port=8729
    )

Unencrypted connection works fine.

This is not the code you executed: the traceback reports `ctx = ssl.create_default_context()` on line 6, which does not match line 6 of the snippet you posted.

Here is the actual code I'm using in file ssl.py:

#!/usr/bin/python

import ssl
from librouteros import connect

ctx = ssl.create_default_context()  # TLS context handed to librouteros via ssl_wrapper below
# Security note: 'ADH' selects anonymous Diffie-Hellman cipher suites, so the
# router presents no certificate and its identity is never verified. Together
# with check_hostname = False the link is encrypted but unauthenticated: an
# active man-in-the-middle can read the username and password sent below.
# '@SECLEVEL=0' lowers the OpenSSL security level so these suites are accepted.
# Where the router can be given a certificate, prefer a context that verifies it.
ctx.check_hostname = False
ctx.set_ciphers('ADH:@SECLEVEL=0')
api = connect(
    username='<username>',
    password='<password>',
    host='<ip>',
    ssl_wrapper=ctx.wrap_socket,
    port=8729
    )

# Path object for the 'ip' / 'address' menu.
ips = api.path('ip', 'address')
# The tuple built here is discarded, so this line only iterates ips once
# before the loop. NOTE(review): looks redundant; confirm whether it is needed.
tuple(ips)
# Print every item yielded by iterating the path.
for item in ips:
    print(item)

`#!/usr/bin/python` is not the same as `#!/usr/bin/python3`.

Python 3.6 has create_default_context function.

Updated to #!/usr/bin/python3 but still getting the same error.

What does python --version show ?
What OS ?

OS is Ubuntu 18.04.3

root@localhost:~# python --version 
Python 2.7.17
root@localhost:~# python3 --version
Python 3.6.9
root@localhost:~# pip3 list | grep SSL
pyOpenSSL           19.1.0   

Examples are for python builtin ssl module, not for pyOpenSSL

Removed pyOpenSSL but the error still persists. Perhaps it's related to the OpenSSL version on the system?

root@localhost:~# apt list --installed | grep ssl

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.


libssl1.0.0/bionic-updates,bionic-security,now 1.0.2n-1ubuntu5.3 amd64 [installed]
libssl1.1/bionic-updates,bionic-security,now 1.1.1-1ubuntu2.1~18.04.5 amd64 [installed]
libxmlsec1-openssl/bionic,now 1.2.25-1build1 amd64 [installed,automatic]
openssl/bionic-updates,bionic-security,now 1.1.1-1ubuntu2.1~18.04.5 amd64 [installed]
python3-openssl/bionic,bionic,now 17.5.0-1ubuntu1 all [installed]
ssl-cert/bionic,bionic,now 1.0.39 all [installed,automatic]

The ssl module is part of Python's standard library.

run this code for python and python3:

import ssl
# Lists the attributes of whichever module named 'ssl' was actually imported;
# printing ssl.__file__ as well would show the file it was loaded from.
print(dir(ssl))

and paste output

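The issue was resolved by renaming the file from ssl.py to something else! Because the script itself was named ssl.py, `import ssl` loaded the script instead of the standard-library module (the traceback shows the import resolving to /root/ssl.py), so `create_default_context` was missing. Now it's working fine, thanks a lot for your support.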

Just for reference, here's the output you'd asked for:

root@localhost:~# python3 abc.py 
['AF_INET', 'ALERT_DESCRIPTION_ACCESS_DENIED', 'ALERT_DESCRIPTION_BAD_CERTIFICATE', 'ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE', 'ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE', 'ALERT_DESCRIPTION_BAD_RECORD_MAC', 'ALERT_DESCRIPTION_CERTIFICATE_EXPIRED', 'ALERT_DESCRIPTION_CERTIFICATE_REVOKED', 'ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN', 'ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE', 'ALERT_DESCRIPTION_CLOSE_NOTIFY', 'ALERT_DESCRIPTION_DECODE_ERROR', 'ALERT_DESCRIPTION_DECOMPRESSION_FAILURE', 'ALERT_DESCRIPTION_DECRYPT_ERROR', 'ALERT_DESCRIPTION_HANDSHAKE_FAILURE', 'ALERT_DESCRIPTION_ILLEGAL_PARAMETER', 'ALERT_DESCRIPTION_INSUFFICIENT_SECURITY', 'ALERT_DESCRIPTION_INTERNAL_ERROR', 'ALERT_DESCRIPTION_NO_RENEGOTIATION', 'ALERT_DESCRIPTION_PROTOCOL_VERSION', 'ALERT_DESCRIPTION_RECORD_OVERFLOW', 'ALERT_DESCRIPTION_UNEXPECTED_MESSAGE', 'ALERT_DESCRIPTION_UNKNOWN_CA', 'ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY', 'ALERT_DESCRIPTION_UNRECOGNIZED_NAME', 'ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE', 'ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION', 'ALERT_DESCRIPTION_USER_CANCELLED', 'AlertDescription', 'CERT_NONE', 'CERT_OPTIONAL', 'CERT_REQUIRED', 'CHANNEL_BINDING_TYPES', 'CertificateError', 'DER_cert_to_PEM_cert', 'DefaultVerifyPaths', 'HAS_ALPN', 'HAS_ECDH', 'HAS_NPN', 'HAS_SNI', 'HAS_TLSv1_3', 'MemoryBIO', 'OPENSSL_VERSION', 'OPENSSL_VERSION_INFO', 'OPENSSL_VERSION_NUMBER', 'OP_ALL', 'OP_CIPHER_SERVER_PREFERENCE', 'OP_ENABLE_MIDDLEBOX_COMPAT', 'OP_NO_COMPRESSION', 'OP_NO_SSLv2', 'OP_NO_SSLv3', 'OP_NO_TICKET', 'OP_NO_TLSv1', 'OP_NO_TLSv1_1', 'OP_NO_TLSv1_2', 'OP_NO_TLSv1_3', 'OP_SINGLE_DH_USE', 'OP_SINGLE_ECDH_USE', 'Options', 'PEM_FOOTER', 'PEM_HEADER', 'PEM_cert_to_DER_cert', 'PROTOCOL_SSLv23', 'PROTOCOL_TLS', 'PROTOCOL_TLS_CLIENT', 'PROTOCOL_TLS_SERVER', 'PROTOCOL_TLSv1', 'PROTOCOL_TLSv1_1', 'PROTOCOL_TLSv1_2', 'Purpose', 'RAND_add', 'RAND_bytes', 'RAND_pseudo_bytes', 'RAND_status', 'SOCK_STREAM', 'SOL_SOCKET', 'SO_TYPE', 'SSLContext', 'SSLEOFError', 'SSLError', 
'SSLErrorNumber', 'SSLObject', 'SSLSession', 'SSLSocket', 'SSLSyscallError', 'SSLWantReadError', 'SSLWantWriteError', 'SSLZeroReturnError', 'SSL_ERROR_EOF', 'SSL_ERROR_INVALID_ERROR_CODE', 'SSL_ERROR_SSL', 'SSL_ERROR_SYSCALL', 'SSL_ERROR_WANT_CONNECT', 'SSL_ERROR_WANT_READ', 'SSL_ERROR_WANT_WRITE', 'SSL_ERROR_WANT_X509_LOOKUP', 'SSL_ERROR_ZERO_RETURN', 'VERIFY_CRL_CHECK_CHAIN', 'VERIFY_CRL_CHECK_LEAF', 'VERIFY_DEFAULT', 'VERIFY_X509_STRICT', 'VERIFY_X509_TRUSTED_FIRST', 'VerifyFlags', 'VerifyMode', '_ASN1Object', '_DEFAULT_CIPHERS', '_Enum', '_IntEnum', '_IntFlag', '_OPENSSL_API_VERSION', '_PROTOCOL_NAMES', '_RESTRICTED_SERVER_CIPHERS', '_SSLContext', '_SSLMethod', '_SSLv2_IF_EXISTS', '__builtins__', '__cached__', '__doc__', '__file__', '__loader__', '__name__', '__package__', '__spec__', '_create_default_https_context', '_create_stdlib_context', '_create_unverified_context', '_dnsname_match', '_ipaddress_match', '_nid2obj', '_ssl', '_txt2obj', 'base64', 'cert_time_to_seconds', 'create_connection', 'create_default_context', 'errno', 'get_default_verify_paths', 'get_protocol_name', 'get_server_certificate', 'ipaddress', 'match_hostname', 'namedtuple', 'os', 're', 'socket', 'socket_error', 'sys', 'textwrap', 'warnings', 'wrap_socket']

root@localhost:~# python abc.py 
['AF_INET', 'ALERT_DESCRIPTION_ACCESS_DENIED', 'ALERT_DESCRIPTION_BAD_CERTIFICATE', 'ALERT_DESCRIPTION_BAD_CERTIFICATE_HASH_VALUE', 'ALERT_DESCRIPTION_BAD_CERTIFICATE_STATUS_RESPONSE', 'ALERT_DESCRIPTION_BAD_RECORD_MAC', 'ALERT_DESCRIPTION_CERTIFICATE_EXPIRED', 'ALERT_DESCRIPTION_CERTIFICATE_REVOKED', 'ALERT_DESCRIPTION_CERTIFICATE_UNKNOWN', 'ALERT_DESCRIPTION_CERTIFICATE_UNOBTAINABLE', 'ALERT_DESCRIPTION_CLOSE_NOTIFY', 'ALERT_DESCRIPTION_DECODE_ERROR', 'ALERT_DESCRIPTION_DECOMPRESSION_FAILURE', 'ALERT_DESCRIPTION_DECRYPT_ERROR', 'ALERT_DESCRIPTION_HANDSHAKE_FAILURE', 'ALERT_DESCRIPTION_ILLEGAL_PARAMETER', 'ALERT_DESCRIPTION_INSUFFICIENT_SECURITY', 'ALERT_DESCRIPTION_INTERNAL_ERROR', 'ALERT_DESCRIPTION_NO_RENEGOTIATION', 'ALERT_DESCRIPTION_PROTOCOL_VERSION', 'ALERT_DESCRIPTION_RECORD_OVERFLOW', 'ALERT_DESCRIPTION_UNEXPECTED_MESSAGE', 'ALERT_DESCRIPTION_UNKNOWN_CA', 'ALERT_DESCRIPTION_UNKNOWN_PSK_IDENTITY', 'ALERT_DESCRIPTION_UNRECOGNIZED_NAME', 'ALERT_DESCRIPTION_UNSUPPORTED_CERTIFICATE', 'ALERT_DESCRIPTION_UNSUPPORTED_EXTENSION', 'ALERT_DESCRIPTION_USER_CANCELLED', 'CERT_NONE', 'CERT_OPTIONAL', 'CERT_REQUIRED', 'CHANNEL_BINDING_TYPES', 'CertificateError', 'DER_cert_to_PEM_cert', 'DefaultVerifyPaths', 'HAS_ALPN', 'HAS_ECDH', 'HAS_NPN', 'HAS_SNI', 'HAS_TLSv1_3', 'OPENSSL_VERSION', 'OPENSSL_VERSION_INFO', 'OPENSSL_VERSION_NUMBER', 'OP_ALL', 'OP_CIPHER_SERVER_PREFERENCE', 'OP_ENABLE_MIDDLEBOX_COMPAT', 'OP_NO_COMPRESSION', 'OP_NO_SSLv2', 'OP_NO_SSLv3', 'OP_NO_TLSv1', 'OP_NO_TLSv1_1', 'OP_NO_TLSv1_2', 'OP_NO_TLSv1_3', 'OP_SINGLE_DH_USE', 'OP_SINGLE_ECDH_USE', 'PEM_FOOTER', 'PEM_HEADER', 'PEM_cert_to_DER_cert', 'PROTOCOL_SSLv23', 'PROTOCOL_TLS', 'PROTOCOL_TLSv1', 'PROTOCOL_TLSv1_1', 'PROTOCOL_TLSv1_2', 'Purpose', 'RAND_add', 'RAND_status', 'SOCK_STREAM', 'SOL_SOCKET', 'SO_TYPE', 'SSLContext', 'SSLEOFError', 'SSLError', 'SSLSocket', 'SSLSyscallError', 'SSLWantReadError', 'SSLWantWriteError', 'SSLZeroReturnError', 'SSL_ERROR_EOF', 'SSL_ERROR_INVALID_ERROR_CODE', 
'SSL_ERROR_SSL', 'SSL_ERROR_SYSCALL', 'SSL_ERROR_WANT_CONNECT', 'SSL_ERROR_WANT_READ', 'SSL_ERROR_WANT_WRITE', 'SSL_ERROR_WANT_X509_LOOKUP', 'SSL_ERROR_ZERO_RETURN', 'VERIFY_CRL_CHECK_CHAIN', 'VERIFY_CRL_CHECK_LEAF', 'VERIFY_DEFAULT', 'VERIFY_X509_STRICT', 'VERIFY_X509_TRUSTED_FIRST', '_ASN1Object', '_DEFAULT_CIPHERS', '_OPENSSL_API_VERSION', '_PROTOCOL_NAMES', '_RESTRICTED_SERVER_CIPHERS', '_SSLContext', '_SSLv2_IF_EXISTS', '__builtins__', '__doc__', '__file__', '__name__', '__package__', '_create_default_https_context', '_create_stdlib_context', '_create_unverified_context', '_delegate_methods', '_dnsname_match', '_fileobject', '_get_https_context_factory', '_https_verify_certificates', '_https_verify_envvar', '_import_symbols', '_nid2obj', '_ssl', '_txt2obj', 'base64', 'cert_time_to_seconds', 'closing', 'create_connection', 'create_default_context', 'errno', 'get_default_verify_paths', 'get_protocol_name', 'get_server_certificate', 'match_hostname', 'namedtuple', 'os', 're', 'socket', 'socket_error', 'sslwrap_simple', 'sys', 'textwrap', 'warnings', 'wrap_socket']