06-17-2016 08:36 AM
Hi,
...we are currently looking into DCNM 10 for a customer who's building a new datacenter. The focus will be on automation, where we want to program some stuff on top of the DCNM REST API. We kind of successfully tested DCNM 7.2 and upgraded today to DCNM 10.
Problem: DCNM 10 comes with an HTTPS-only web interface, but uses a very insecure Diffie-Hellman group for connection setup (768 bits). Unfortunately OpenSSL, which is used by our Python scripts, is not willing to set up an HTTPS connection based on the small DH group (needs at least 1024 bits I guess, recommends 2048).
openssl s_client shows:
bash# openssl s_client -connect localhost:8223
CONNECTED(00000003)
depth=0 C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = Unknown
verify error:num=18:self signed certificate
verify return:1
depth=0 C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = Unknown
verify return:1
140512820557464:error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small:s3_clnt.c:3617:
[...]
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 768 bits
---
SSL handshake has read 1549 bytes and written 7 bytes
[...]
The Python requests library gives us:
>>> resp = requests.post('https://localhost:8223/rest/logon', auth=('xxxx', 'xxxx'), data=json.dumps({'expirationTime': 1000000}), verify=False)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python2.7/dist-packages/requests/api.py", line 111, in post
return request('post', url, data=data, json=json, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/api.py", line 57, in request
return session.request(method=method, url=url, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 475, in request
resp = self.send(prep, **send_kwargs)
File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 585, in send
r = adapter.send(request, **kwargs)
File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 477, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: SSL_NEGATIVE_LENGTH] dh key too small (_ssl.c:590)
For the moment, we could live without HTTPS and use plain HTTP as we did with DCNM 7.2 - but it seems like it's not possible to change back to HTTP?
Is there any possibility to either turn HTTP on again or change the DH group used?
Thanks,
Andreas
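As an added example (not part of the thread, and not DCNM's or Cisco's code): a client-side workaround in Python 3 that keeps the weak group out of the negotiation instead of lowering OpenSSL's security level. The handshake fails because OpenSSL refuses short ephemeral DH groups since the Logjam fixes (at least 1024 bits, 2048 at security level 2); if the client simply never offers a finite-field DHE cipher suite, the server has to pick an ECDHE or RSA key exchange and the 768-bit group is never used. This assumes the DCNM server also offers such a suite (if it only offers DHE, no client-side change helps short of lowering the security level, which re-opens exactly the problem the check exists for), and that the appliance's self-signed certificate has been exported to a file so that verify=False is not needed. The NO_DHE_CIPHERS string, the file name dcnm.pem and the helper names are assumptions made for this example.

```python
import ssl

# Cipher string chosen for this example (an assumption, not DCNM's own list):
# ECDHE and plain-RSA key exchange only, no finite-field DH of any kind.
NO_DHE_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+AES:"
    "RSA+AESGCM:RSA+AES:"
    "!aNULL:!eNULL:!MD5:!DH"
)


def make_no_dhe_context(cafile=None):
    """Client SSLContext that never negotiates finite-field DHE.

    Certificate verification stays on; pass the appliance's exported
    self-signed certificate as ``cafile`` instead of using verify=False.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.set_ciphers(NO_DHE_CIPHERS)  # applies to TLS 1.2 and below
    return ctx


def key_exchanges(ctx):
    """Set of key-exchange algorithms the context may offer.

    Taken from SSLContext.get_ciphers(): 'kx-ecdhe', 'kx-rsa', 'kx-dhe',
    and 'kx-any' for TLS 1.3 suites, whose group choice is separate from
    the cipher string (a 768-bit-DH appliance is pre-TLS-1.3 anyway).
    """
    return {c["kea"] for c in ctx.get_ciphers()}


def offers_weak_dhe(ctx):
    """True if the server could still push the client into a DHE group."""
    return "kx-dhe" in key_exchanges(ctx)


def session_without_dhe(cafile=None):
    """requests.Session whose HTTPS connections use make_no_dhe_context().

    requests/urllib3 are imported lazily so the rest of the module works
    without them. HTTPAdapter.init_poolmanager and PoolManager(ssl_context=)
    are their documented extension points for supplying a custom context.
    """
    import requests
    from requests.adapters import HTTPAdapter
    from urllib3.poolmanager import PoolManager

    ctx = make_no_dhe_context(cafile)

    class NoDHEAdapter(HTTPAdapter):
        def init_poolmanager(self, connections, maxsize, block=False, **kwargs):
            kwargs["ssl_context"] = ctx
            self.poolmanager = PoolManager(
                num_pools=connections, maxsize=maxsize, block=block, **kwargs
            )

    session = requests.Session()
    session.mount("https://", NoDHEAdapter())
    return session


if __name__ == "__main__":
    default = ssl.create_default_context()
    hardened = make_no_dhe_context()
    print("default context may negotiate DHE:", offers_weak_dhe(default))
    print("no-DHE context offers:", sorted(key_exchanges(hardened)))
    # Against the appliance (needs network; dcnm.pem is an assumed file name):
    # s = session_without_dhe(cafile="dcnm.pem")
    # r = s.post("https://localhost:8223/rest/logon", auth=("user", "pass"),
    #            json={"expirationTime": 1000000})
```

Run it once without network to see which key exchanges each context offers; if the login still fails with the no-DHE session, the server offers nothing but DHE and the only real fix is a larger group on the DCNM side.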
12-21-2016 02:54 AM
Did you find the way to disable https on the web GUI?
12-21-2016 03:12 AM
Hi,
...no - as far as I remember, there's no way to get back to HTTP only (info from a Cisco guy).
regards,
Andreas