Not able to use JSS_importer after logjam updates #42

Closed
novaksam opened this issue Jul 21, 2015 · 4 comments

@novaksam
Contributor

I recently had a JAMF health checkup and we updated the ciphers for Tomcat to get around the Logjam problem (see https://jamfnation.jamfsoftware.com/article.html?id=384), but now I'm not able to push any JSS recipes!

Processing local.jss.AdobeAIR...
Traceback (most recent call last):
  File "/usr/local/bin/autopkg", line 1651, in <module>
    sys.exit(main(sys.argv))
  File "/usr/local/bin/autopkg", line 1645, in main
    exit(subcommands[verb]['function'](argv))
  File "/usr/local/bin/autopkg", line 1458, in run_recipes
    autopackager.process(recipe)
  File "/Library/AutoPkg/autopkglib/__init__.py", line 470, in process
    self.env = processor.process()
  File "/Library/AutoPkg/autopkglib/__init__.py", line 299, in process
    self.main()
  File "/Library/AutoPkg/autopkglib/JSSImporter.py", line 866, in main
    suppress_warnings=suppress_warnings)
  File "/Library/Python/2.7/site-packages/python_jss-1.1.0-py2.7.egg/jss/jss.py", line 167, in __init__
    self.distribution_points = distribution_points.DistributionPoints(self)
  File "/Library/Python/2.7/site-packages/python_jss-1.1.0-py2.7.egg/jss/distribution_points.py", line 91, in __init__
    self.dp_info = self.jss.DistributionPoint().retrieve_all()
  File "/Library/Python/2.7/site-packages/python_jss-1.1.0-py2.7.egg/jss/jss.py", line 324, in DistributionPoint
    return self.factory.get_object(DistributionPoint, data)
  File "/Library/Python/2.7/site-packages/python_jss-1.1.0-py2.7.egg/jss/jss.py", line 475, in get_object
    result = self.jss.get(url)
  File "/Library/Python/2.7/site-packages/python_jss-1.1.0-py2.7.egg/jss/jss.py", line 197, in get
    response = self.session.get(url)
  File "/Library/Python/2.7/site-packages/python_jss-1.1.0-py2.7.egg/jss/contrib/requests/sessions.py", line 473, in get
    return self.request('GET', url, **kwargs)
  File "/Library/Python/2.7/site-packages/python_jss-1.1.0-py2.7.egg/jss/contrib/requests/sessions.py", line 461, in request
    resp = self.send(prep, **send_kwargs)
  File "/Library/Python/2.7/site-packages/python_jss-1.1.0-py2.7.egg/jss/contrib/requests/sessions.py", line 573, in send
    r = adapter.send(request, **kwargs)
  File "/Library/Python/2.7/site-packages/python_jss-1.1.0-py2.7.egg/jss/contrib/requests/adapters.py", line 431, in send
    raise SSLError(e, request=request)
jss.contrib.requests.exceptions.SSLError: [Errno 1] _ssl.c:507: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

Using the built-in openssl to view the cert doesn't work, but using an updated one from MacPorts does.

{HOST}:~ {user}$ /usr/bin/openssl s_client -connect {JSS}:8443
CONNECTED(00000003)
94134:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-52.30.1/src/ssl/s23_clnt.c:618:
{HOST}:~ {user}$ /usr/bin/openssl s_client -tls1 -connect {JSS}:8443
CONNECTED(00000003)
94136:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.30.1/src/ssl/s3_pkt.c:1145:SSL alert number 40
94136:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.30.1/src/ssl/s3_pkt.c:566:
{HOST}:~ {user}$ /opt/local/bin/openssl s_client -connect {JSS}:8443
[[ Lots of other, unimportant info ]]
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated

I've disabled SSL_VERIFY and otherwise done every suggestion I've been able to find. I also tried updating the openssl on my autopkg'ing machine but it didn't seem to work, even after a reboot.
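The mismatch reported above (the system OpenSSL 0.9.8 fails the handshake while a newer build negotiates ECDHE-RSA-AES256-GCM-SHA384) can be checked from inside Python, since the interpreter uses whichever OpenSSL it was linked against. This is an added example, not part of the original thread or of python-jss; the function names and the `LEGACY_CLIENT` sample are assumptions made for illustration.

```python
import ssl

# Suite the newer MacPorts openssl negotiated in the report above.
REPORTED_CIPHER = "ECDHE-RSA-AES256-GCM-SHA384"


def cipher_available(name):
    """True if the OpenSSL linked into this Python can offer the named suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(name)
    except ssl.SSLError:  # raised when no cipher matches the string
        return False
    return any(c["name"] == name for c in ctx.get_ciphers())


def local_tls_report(cipher=REPORTED_CIPHER):
    """Collect the client-side facts that decide whether the handshake can work."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "version_info": tuple(ssl.OPENSSL_VERSION_INFO[:3]),
        "has_tls1_2": getattr(ssl, "HAS_TLSv1_2", False),
        "cipher": cipher,
        "cipher_available": cipher_available(cipher),
    }


def diagnose(report):
    """Return the reasons this client would fail against a hardened server."""
    problems = []
    if report["version_info"] < (1, 0, 1):
        problems.append("OpenSSL predates 1.0.1: no TLS 1.2, no AES-GCM suites")
    if not report["has_tls1_2"]:
        problems.append("TLS 1.2 not available in this Python's ssl module")
    if not report["cipher_available"]:
        problems.append("client cannot offer %s" % report["cipher"])
    return problems


# Constructed report modelling the OpenSSL 0.9.8 client seen in the error paths.
LEGACY_CLIENT = {
    "openssl": "OpenSSL 0.9.8 (constructed sample)",
    "version_info": (0, 9, 8),
    "has_tls1_2": False,
    "cipher": REPORTED_CIPHER,
    "cipher_available": False,
}

if __name__ == "__main__":
    for label, rep in (("local", local_tls_report()), ("legacy", LEGACY_CLIENT)):
        print(label, rep["openssl"], diagnose(rep) or "OK")
```

Run it with the same interpreter that runs the failing tool: installing a newer `openssl` binary elsewhere on the machine does not change the library that interpreter is linked against.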

@sheagcraig
Collaborator

Yep! That's the issue I'm literally working on right now.

The code in the testing branch reflects my proposed changes. I'd post a "beta" egg/wheel but figuring out how to do that might take more time than just making the fixes. If you DM me on Twitter I can send you the Dropbox link for the current testing version if you want to be a tester.

@novaksam
Contributor Author

I'm testing it in place of my existing pip installation :)

I did have to install request and ndg-httpsclient, and distutils/version.py didn't like the 'rc2' in the __init__.py, but once I got rid of that everything (appears to be) running fine.

@sheagcraig
Collaborator

Well, in that case, proceed.

According to pypi.python.org, the recommended naming scheme is as above (the rc2). But obviously distutils doesn't like that. This is the first time I've released a testing version, so I'll have to look more closely at that. In the meantime, as I'm sure you discovered, just drop the rc2 from the version in jss/__init__.py and it will work fine.

@sheagcraig
Collaborator

Fixed in 1.2.1
