Cisco UCS Python SDK SSL Issue

dennis_kennedy1
Level 1

Hi, folks,

We are having issues connecting to our UCS management system using the Cisco UCS Python SDK from https://communities.cisco.com/docs/DOC-37174

Our system is a 64-bit CentOS 5.8 system with OpenSSL 0.9.8e-31.el5_11 and Python 2.4.3. We have the latest version of UcsSdk installed (0.8.3):

    [root@]# python
    Python 2.4.3 (#1, Jun 18 2012, 08:55:23)
    [GCC 4.1.2 20080704 (Red Hat 4.1.2-52)] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import UcsSdk
    >>> UcsSdk.__version__
    '0.8.3'

We have also tried upgrading to openssl-0.9.8e-36.0.1.el5_11, but that had no effect on the issue.

The issue we have is that the SSL connection to our management URL is failing with an "EOF occurred in violation of protocol" error message. The full session is below (note that the actual UCS management IP and login information have been replaced with bogus values):

    [root@]# python
    Python 2.4.3 (#1, Jun 18 2012, 08:55:23)
    [GCC 4.1.2 20080704 (Red Hat 4.1.2-52)] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> from UcsSdk import *
    >>> handle = UcsHandle()
    >>> handle.Login("1.1.1.1", username="xxxxxx", password="xxxxxx",
    ... noSsl=False, port=443)
    Traceback (most recent call last):
      File "<stdin>", line 1, in ?
      File "/usr/lib/python2.4/site-packages/UcsSdk/UcsHandle.py", line 362, in Login
        response = self.AaaLogin(username, password, dumpXml)
      File "/usr/lib/python2.4/site-packages/UcsSdk/UcsHandle.py", line 2373, in AaaLogin
        response = self.XmlQuery(method, WriteXmlOption.Dirty, dumpXml)
      File "/usr/lib/python2.4/site-packages/UcsSdk/UcsHandle.py", line 214, in XmlQuery
        f = opener.open(req)
      File "/usr/lib64/python2.4/urllib2.py", line 358, in open
        response = self._open(req, data)
      File "/usr/lib64/python2.4/urllib2.py", line 376, in _open
        '_open', req)
      File "/usr/lib64/python2.4/urllib2.py", line 337, in _call_chain
        result = func(*args)
      File "/usr/lib64/python2.4/urllib2.py", line 1126, in https_open
        return self.do_open(httplib.HTTPSConnection, req)
      File "/usr/lib64/python2.4/urllib2.py", line 1092, in do_open
        raise URLError(err)
    urllib2.URLError: <urlopen error (8, 'EOF occurred in violation of protocol')>

I believe the issue is occurring because the UCS management interface is dropping SSL connections that try to negotiate with SSLv2/SSLv3 first, as we also get errors when trying to open a connection with the openssl s_client tool using the default configuration (which attempts an SSLv2/SSLv3 handshake first before trying TLS):

    [root@]# openssl s_client -connect 1.1.1.1:443
    CONNECTED(00000003)
    14091:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

However, the connection is successful when using the -tls1 flag to force TLS:

    [root@]# openssl s_client -tls1 -connect 1.1.1.1:443
    CONNECTED(00000003)
    depth=0 /CN=**************************
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /CN=**********************
    verify return:1
    ---
    Certificate chain
     0 s:/CN=**************************
       i:/CN=**************************
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    ...

Does anyone have any suggested fixes or workarounds? We would prefer to avoid manually recompiling OpenSSL or making changes to standard Python modules, if possible, as we are implementing this SDK in our Nagios instance, which consists of quite a few servers.

  Thanks!
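
The comparison made in the post with `openssl s_client` (the default hello fails, `-tls1` succeeds), as an added Python 3 example that is not part of the original post or of the UcsSdk: it pins one TLS version per attempt and reports whether the endpoint dropped the handshake, rejected the certificate, or completed. `pinned_context`, `probe` and `start_dropper` are hypothetical names, the local listener is a constructed stand-in for a server that closes on a ClientHello it does not want, and certificate verification stays enabled (pass the endpoint's exported certificate as `cafile`).

```python
import socket
import ssl
import threading

def pinned_context(version, cafile=None):
    """Client context limited to one TLS version; verification stays on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = version
    if cafile:  # e.g. the endpoint's exported self-signed certificate
        ctx.load_verify_locations(cafile=cafile)
    return ctx

def probe(host, port, version, cafile=None, timeout=5.0):
    """Return 'ok', 'cert-untrusted', 'dropped', or an error description."""
    ctx = pinned_context(version, cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError:
        # Negotiation reached the certificate, so this version is accepted.
        return "cert-untrusted"
    except ssl.SSLError as exc:
        # Peer closed mid-handshake: "EOF occurred in violation of protocol".
        if isinstance(exc, ssl.SSLEOFError) or "EOF" in str(exc):
            return "dropped"
        return "tls-error: %s" % exc.reason
    except (ConnectionResetError, BrokenPipeError):
        return "dropped"
    except OSError as exc:
        return "net-error: %s" % exc

def start_dropper():
    """Constructed stand-in: a listener that closes on the ClientHello."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)  # read the ClientHello, send nothing back
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    print(probe("127.0.0.1", start_dropper(), ssl.TLSVersion.TLSv1_2))
```

A `cert-untrusted` result is the counterpart of the `-tls1` run above that got as far as `verify error:num=18`: the protocol version was accepted and only trust in the self-signed certificate is missing.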

2 Replies

ragupta4
Cisco Employee

Hi Dennis,

In case of any issues with the SSL protocol or certificate validation, you can run the method below before importing UcsSdk as a workaround.

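    import sys

    def sslWorkaround():
        # Set to True to keep certificate verification enabled.
        isVerifyCertificate = False
        if not sys.version_info < (2, 6):
            from functools import partial
            import ssl
            # Force every ssl.wrap_socket() call in the process to use TLSv1.
            ssl.wrap_socket = partial(ssl.wrap_socket, ssl_version=ssl.PROTOCOL_TLSv1)
            if not sys.version_info < (2, 7, 9) and not isVerifyCertificate:
                # Python 2.7.9+ verifies HTTPS certificates by default;
                # this turns that off for the whole process.
                ssl._create_default_https_context = ssl._create_unverified_context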

Thanks

Rahul

Hi Rahul,

I have tried your suggestion, but the same error appears. Is there any other workaround?

The UCS Python SDK version I am using is ucsmsdk-0.9.1.1.

Regards

Varun
