08-28-2015 11:44 AM
Hi, folks,
We are having issues connecting to our UCS management system using the Cisco UCS Python SDK from https://communities.cisco.com/docs/DOC-37174
Our system is a 64-bit CentOS 5.8 system with OpenSSL 0.9.8e-31.el5_11 and Python 2.4.3. We have the latest version of UcsSdk installed (0.8.3):
[root@]# python
Python 2.4.3 (#1, Jun 18 2012, 08:55:23)
[GCC 4.1.2 20080704 (Red Hat 4.1.2-52)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import UcsSdk
>>> UcsSdk.__version__
'0.8.3'
We have also tried upgrading to openssl-0.9.8e-36.0.1.el5_11, but that had no effect on the issue.
The issue we have is that the SSL connection to our management URL is failing with an "EOF occurred in violation of protocol" error message. The full session is below (note that the actual UCS management IP and login information have been replaced with bogus values):
[root@]# python
Python 2.4.3 (#1, Jun 18 2012, 08:55:23)
[GCC 4.1.2 20080704 (Red Hat 4.1.2-52)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from UcsSdk import *
>>> handle = UcsHandle()
>>> handle.Login("1.1.1.1", username="xxxxxx", password="xxxxxx",
... noSsl=False, port=443)
Traceback (most recent call last):
  File "<stdin>", line 1, in ?
  File "/usr/lib/python2.4/site-packages/UcsSdk/UcsHandle.py", line 362, in Login
    response = self.AaaLogin(username, password, dumpXml)
  File "/usr/lib/python2.4/site-packages/UcsSdk/UcsHandle.py", line 2373, in AaaLogin
    response = self.XmlQuery(method, WriteXmlOption.Dirty, dumpXml)
  File "/usr/lib/python2.4/site-packages/UcsSdk/UcsHandle.py", line 214, in XmlQuery
    f = opener.open(req)
  File "/usr/lib64/python2.4/urllib2.py", line 358, in open
    response = self._open(req, data)
  File "/usr/lib64/python2.4/urllib2.py", line 376, in _open
    '_open', req)
  File "/usr/lib64/python2.4/urllib2.py", line 337, in _call_chain
    result = func(*args)
  File "/usr/lib64/python2.4/urllib2.py", line 1126, in https_open
    return self.do_open(httplib.HTTPSConnection, req)
  File "/usr/lib64/python2.4/urllib2.py", line 1092, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error (8, 'EOF occurred in violation of protocol')>
I believe the issue is occurring because the UCS management interface is dropping SSL connections that try to negotiate with SSLv2/SSLv3 first, as we also get errors when trying to open a connection with the openssl s_client tool using the default configuration (which attempts an SSLv2/SSLv3 handshake first before trying TLS):
[root@]# openssl s_client -connect 1.1.1.1:443
CONNECTED(00000003)
14091:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
However, the connection is successful when using the -tls1 flag to force TLS:
[root@]# openssl s_client -tls1 -connect 1.1.1.1:443
CONNECTED(00000003)
depth=0 /CN=**************************
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=**********************
verify return:1
---
Certificate chain
0 s:/CN=**************************
i:/CN=**************************
---
Server certificate
-----BEGIN CERTIFICATE-----
...
Does anyone have any suggested fixes or workarounds? We would prefer to avoid manually recompiling OpenSSL or making changes to standard Python modules, if possible, as we are implementing this SDK in our Nagios instance, which consists of quite a few servers.
Thanks!
08-31-2015 08:26 PM
Hi Dennis,
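In case of any issues with the SSL protocol or certificate validation, you can run the method below before importing UcsSdk as a workaround.
import sys

def sslWorkaround():
    # Set to True to keep certificate verification enabled
    isVerifyCertificate = False
    # The ssl module only exists on Python 2.6 and later
    if not sys.version_info < (2, 6):
        from functools import partial
        import ssl
        # Force TLSv1 for every socket wrapped through ssl.wrap_socket
        ssl.wrap_socket = partial(ssl.wrap_socket, ssl_version=ssl.PROTOCOL_TLSv1)
        # Python 2.7.9+ verifies HTTPS certificates by default; this turns that off
        if not sys.version_info < (2, 7, 9) and not isVerifyCertificate:
            ssl._create_default_https_context = ssl._create_unverified_context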
Thanks
Rahul
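An added example, not part of the original thread or of the UcsSdk: the workaround above turns certificate verification off, and for a self-signed endpoint like the one in the s_client output an alternative is to pin the certificate's SHA-256 fingerprint. It uses only the Python 3 standard library; the function names, the TLS 1.2 floor and SAMPLE_DER are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded certificate (not a real certificate).
SAMPLE_DER = b"constructed-sample-der-bytes"


def build_context(min_version=ssl.TLSVersion.TLSv1_2):
    """Client context that offers TLS only. CA and hostname checks are off
    because the endpoint is self-signed; trust comes from the pin check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version  # assumption: the server supports this floor
    ctx.check_hostname = False         # must be cleared before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fingerprint(der_cert):
    """SHA-256 of the DER certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pinned_hex):
    """Compare against a pin written as plain hex or colon-separated hex."""
    normalized = pinned_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(fingerprint(der_cert), normalized)


def connect_pinned(host, port, pinned_hex, timeout=10):
    """Open a TLS socket and refuse it unless the peer certificate matches."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = build_context().wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
    if not pin_matches(tls.getpeercert(binary_form=True), pinned_hex):
        tls.close()
        raise ssl.SSLError("peer certificate does not match the pinned fingerprint")
    return tls
```

The pin is the SHA-256 fingerprint of the device certificate, obtained over a trusted channel; the returned socket is not wired into UcsSdk here.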
12-30-2016 11:03 AM
Hi Rahul,
I have tried your suggestion but the same error appears. Is there any other workaround?
The UCS Python SDK version I am using is ucsmsdk-0.9.1.1.
Regards
Varun