Closed
Description
Hi,
I have a zabbix 6.4 proxy running in a docker container with this config:
```
- TLSACCEPT=psk
- TLSCONNECT=psk
- TLSPSKIDENTITY=PSK001
- TLSPSKFILE=/var/lib/zabbix/enc/psk-file.psk
```

When testing if I can connect to the proxy using openssl, I use:
```
openssl s_client -no_tls1_3 -connect 192.168.1.1:10056 -psk_identity 'PSK001' -psk '<my psk>'
Connecting to 192.168.1.1
CONNECTED(00000180)
Can't use SSL_get_servername
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 242 bytes and written 418 bytes
Verification: OK
---
New, TLSv1.0, Cipher is ECDHE-PSK-AES128-CBC-SHA256
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-PSK-AES128-CBC-SHA256
    Session-ID:
    Session-ID-ctx:
    Master-Key: <a master key>
    PSK identity: PSK001
    PSK identity hint: None
    SRP username: None
    Start Time: 1707658392
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
closed
```

When I run the psk_wrapper.py (from a Windows 11 machine) I got the error:
```
File "C:\Python\Python310\lib\ssl.py", line 1342, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:1007)
python-BaseException
```

psk and pskidentity are the same as used in the openssl
```
Python 3.10.11
pyOpenSSL 23.3.0
sslpsk3 1.1.1
zabbix-utils 1.1.0
```

When running the psk_wrapper from a Raspberry 4 (Linux 6.1.41-v8+ #1667 SMP PREEMPT Wed Jul 26 17:59:29 BST 2023 aarch64 GNU/Linux) I got the error:
```
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_RECORD_MAC] sslv3 alert bad record mac (_ssl.c:1123)
```

Is there a way I can configure -no_tls1_3 in the wrapper (not sure if this would fix things)?
Any help would be appreciated.
Theo
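
The `-no_tls1_3` restriction asked about above, expressed with Python's own `ssl` module, as an added example that is not part of the original post or of zabbix-utils. It assumes Python 3.13 or newer (native TLS-PSK support); `load_zabbix_psk` and `make_psk_context` are hypothetical helper names, and the cipher and identity are the ones shown in the `openssl s_client` session.

```python
import ssl


def load_zabbix_psk(hex_text: str) -> bytes:
    """Decode a Zabbix PSK (hex digits, as stored in TLSPSKFILE) to raw key bytes.

    `openssl s_client -psk` also takes the key as hex, so both sides only agree
    on the key if the Python client hands OpenSSL the decoded bytes, not the
    hex text itself.
    """
    hex_text = hex_text.strip()  # drop the trailing newline of the PSK file
    # Zabbix accepts 128-bit to 2048-bit keys: 32 to 512 hex digits.
    if not 32 <= len(hex_text) <= 512:
        raise ValueError("Zabbix PSK must be 32 to 512 hex digits")
    return bytes.fromhex(hex_text)  # ValueError on non-hex or odd-length input


def make_psk_context(identity: str, psk: bytes) -> ssl.SSLContext:
    """Client context pinned to TLS 1.2 with a PSK cipher (like -no_tls1_3)."""
    if not hasattr(ssl.SSLContext, "set_psk_client_callback"):
        raise RuntimeError("native TLS-PSK needs Python 3.13 or newer")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # A PSK handshake carries no certificate, so certificate checks are off;
    # the peer is authenticated by possession of the shared key instead.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Pin the protocol version so TLS 1.3 is never offered.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # Cipher negotiated in the openssl s_client session above.
    ctx.set_ciphers("ECDHE-PSK-AES128-CBC-SHA256")
    # The callback receives the server's identity hint and returns
    # (client identity, key bytes).
    ctx.set_psk_client_callback(lambda hint: (identity, psk))
    return ctx


if __name__ == "__main__":
    # Constructed sample key, not a real secret.
    key = load_zabbix_psk("0123456789abcdef" * 4)
    try:
        ctx = make_psk_context("PSK001", key)
        print("max version:", ctx.maximum_version.name)
    except RuntimeError as exc:
        print(exc)
```

The returned context's `wrap_socket()` is then applied to an already connected TCP socket.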