alien.py fails to connect on second go
Hi,
When executing alien.py the first time, it prompts for the certificate password and then writes the temporary token files to /tmp/tokencert_uid.pem and /tmp/tokenkey_uid.pem. However, on the second execution of alien.py it fails with:
Could not get a websocket connection, exiting..
Enabling debugging with ALIENJS_DEBUG=1 alien.py, I see in the log file:
INFO:root:Request connection to : alice-jcentral.cern.ch:8097/websocket/json
DEBUG:root:TRY ENDPOINT: alice-jcentral.cern.ch:8097
DEBUG:root:TCP SOCKET BEGIN: 1581005066.962628
DEBUG:root:TCP SOCKET END: 1581005067.00341
DEBUG:root:TCP SOCKET DELTA: 40.782 ms
INFO:root:GOT SOCKET TO: 137.138.99.136
DEBUG:root:WEBSOCKET BEGIN: 1581005067.003637
DEBUG:websockets.protocol:client - state = CONNECTING
DEBUG:root:Traceback (most recent call last):
  File "./alien.py", line 1383, in wb_create
    max_queue=QUEUE_SIZE, max_size=MSG_SIZE, ping_interval=PING_INTERVAL, ping_timeout=PING_TIMEOUT, close_timeout=CLOSE_TIMEOUT)
  File "/usr/lib/python3/dist-packages/websockets/client.py", line 535, in __await_impl__
    transport, protocol = await self._create_connection()
  File "/usr/lib/python3.7/asyncio/base_events.py", line 985, in create_connection
    ssl_handshake_timeout=ssl_handshake_timeout)
  File "/usr/lib/python3.7/asyncio/base_events.py", line 1013, in _create_connection_transport
    await waiter
  File "/usr/lib/python3.7/asyncio/sslproto.py", line 530, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/usr/lib/python3.7/asyncio/sslproto.py", line 189, in feed_ssldata
    self._sslobj.do_handshake()
  File "/usr/lib/python3.7/ssl.py", line 774, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CA_KEY_TOO_SMALL] ca key too small (_ssl.c:1076)
INFO:root:Could NOT establish websocket connection to 137.138.99.136:8097
DEBUG:root:We tried on alice-jcentral.cern.ch:8097/websocket/json 3 times
ERROR:root:Could not get a websocket connection, exiting..
Reading a bit on the web, I see this has to do with the certificate (in /tmp/tokencert_uid.pem) being too small - for example:
https://github.com/debauchee/barrier/issues/126
https://serverfault.com/questions/957931/openssl-allow-usage-of-insecure-client-certs
It seems that the written files in /tmp have 1024-bit keys while my own key is 2048-bit. If I change
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
in /etc/ssl/openssl.conf on the client machine to
[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=1
(SECLEVEL set to 1), then it works. As far as I can tell from the code, the server is responding back with the certificate and key written to /tmp/token..._uid.pem, so it could be a problem on the server side of things.
Alternatively, setting the protocol to TLS v1.2 fixes the issue - i.e., in line 1316 of alien.py:
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
Yours,
Christian
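A check for the key size of the token files written to /tmp, added here as an example (it is not code from alien.py or from the post above): it pulls the RSA modulus size out of a PEM certificate or key with a minimal DER walk and maps it to the highest OpenSSL SECLEVEL that would accept it (level 1 requires 1024-bit RSA, level 2 requires 2048-bit). The sample key is constructed inline and is not a real key; the SECLEVEL thresholds are OpenSSL's documented minima.

```python
import base64
import re
SECLEVEL_MIN_RSA_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}  # OpenSSL's per-level RSA minimum
PEM_RE = re.compile(rb"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", re.S)

def der_elements(data: bytes):
    """Yield (tag, value) for each DER TLV in data; ValueError on truncation."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated DER element")
        yield tag, data[i:i + length]
        i += length

def largest_integer_bits(der: bytes) -> int:
    """Bit length of the largest INTEGER: the RSA modulus n in a cert, PKCS#1 or PKCS#8 key."""
    best = 0
    for tag, value in der_elements(der):
        if tag == 0x02:  # INTEGER; a leading 0x00 sign pad does not add to bit_length
            best = max(best, int.from_bytes(value, "big").bit_length())
        elif tag & 0x20:  # constructed: SEQUENCE, SET, [n] EXPLICIT
            best = max(best, largest_integer_bits(value))
        elif tag in (0x03, 0x04):  # SubjectPublicKeyInfo / PKCS#8 wrap the key in these
            inner = value[1:] if tag == 0x03 else value  # BIT STRING: skip unused-bits byte
            if inner[:1] == b"\x30":
                try:
                    best = max(best, largest_integer_bits(inner))
                except (ValueError, IndexError):
                    pass  # opaque contents (e.g. a signature) that merely start with 0x30
    return best

def check_pem(pem: bytes) -> tuple:
    """(modulus bits, highest SECLEVEL that accepts the key) for a PEM certificate or key."""
    b64 = PEM_RE.search(pem).group(1)  # first PEM block only
    bits = largest_integer_bits(base64.b64decode(b"".join(b64.split())))
    return bits, max(lvl for lvl, need in SECLEVEL_MIN_RSA_BITS.items() if bits >= need)

def sample_rsa_public_key_pem(bits: int) -> bytes:
    """Constructed PKCS#1 RSAPublicKey PEM (bits >= 1024) with a modulus of that size; not a real key."""
    def der(tag, content):  # DER TLV with minimal long-form length (contents here exceed 127 bytes)
        lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + content
    n = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")  # top bit set, so 0x00 pad
    body = der(0x30, der(0x02, n) + b"\x02\x03\x01\x00\x01")  # e = 65537
    return b"-----BEGIN RSA PUBLIC KEY-----\n" + base64.b64encode(body) + b"\n-----END RSA PUBLIC KEY-----\n"
```

Running check_pem on the contents of /tmp/tokencert_uid.pem shows whether the server-issued token would pass at SECLEVEL=2 before the system-wide setting is lowered.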