Unable To Setup NameCheapDNS Component Due To SSL Handshake Error #15512

Closed
dshokouhi opened this issue Jul 17, 2018 · 10 comments · Fixed by #15546
@dshokouhi
Member

Home Assistant release with the issue:

0.73.2

Last working Home Assistant release (if known):
0.73.1

Operating environment (Hass.io/Docker/Windows/etc.):

virtual environment install, python 3.6.3
Component/platform:

namecheapdns

https://www.home-assistant.io/components/namecheapdns/

Description of problem:

After updating to 0.73.2 from 0.73.1, the namecheapdns component can no longer be set up successfully. Nothing else in the configuration has changed.

Problem-relevant configuration.yaml entries and (fill out even if it seems unimportant):

namecheapdns:
  host: plex
  domain: !secret namecheap_site
  password: !secret namecheap_pw

Traceback (if applicable):

2018-07-17 10:23:44 ERROR (MainThread) [homeassistant.setup] Error during setup of component namecheapdns
Traceback (most recent call last):
  File "/srv/homeassistant/lib/python3.6/site-packages/aiohttp/connector.py", line 822, in _wrap_create_connection
    return await self._loop.create_connection(*args, **kwargs)
  File "/usr/lib/python3.6/asyncio/base_events.py", line 803, in create_connection
    sock, protocol_factory, ssl, server_hostname)
  File "/usr/lib/python3.6/asyncio/base_events.py", line 829, in _create_connection_transport
    yield from waiter
  File "/usr/lib/python3.6/asyncio/sslproto.py", line 503, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/usr/lib/python3.6/asyncio/sslproto.py", line 201, in feed_ssldata
    self._sslobj.do_handshake()
  File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:777)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/srv/homeassistant/lib/python3.6/site-packages/homeassistant/setup.py", line 143, in _async_setup_component
    hass, processed_config)
  File "/srv/homeassistant/lib/python3.6/site-packages/homeassistant/components/namecheapdns.py", line 44, in async_setup
    result = yield from _update_namecheapdns(session, host, domain, password)
  File "/srv/homeassistant/lib/python3.6/site-packages/homeassistant/components/namecheapdns.py", line 70, in _update_namecheapdns
    resp = yield from session.get(UPDATE_URL, params=params)
  File "/srv/homeassistant/lib/python3.6/site-packages/aiohttp/client.py", line 366, in _request
    timeout=timeout
  File "/srv/homeassistant/lib/python3.6/site-packages/aiohttp/connector.py", line 445, in connect
    proto = await self._create_connection(req, traces, timeout)
  File "/srv/homeassistant/lib/python3.6/site-packages/aiohttp/connector.py", line 757, in _create_connection
    req, traces, timeout)
  File "/srv/homeassistant/lib/python3.6/site-packages/aiohttp/connector.py", line 879, in _create_direct_connection
    raise last_exc
  File "/srv/homeassistant/lib/python3.6/site-packages/aiohttp/connector.py", line 862, in _create_direct_connection
    req=req, client_error=client_error)
  File "/srv/homeassistant/lib/python3.6/site-packages/aiohttp/connector.py", line 827, in _wrap_create_connection
    raise ClientConnectorSSLError(req.connection_key, exc) from exc
aiohttp.client_exceptions.ClientConnectorSSLError: Cannot connect to host dynamicdns.park-your-domain.com:443 ssl:None [[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:777)]

Additional information:
I have not made any changes to my configuration and simply updated and restarted Home Assistant and got this error.

@micbase
Contributor
micbase commented Jul 18, 2018

Namecheap's API endpoint (https://dynamicdns.park-your-domain.com/) doesn't support strong cipher suites, which are enforced by version 0.73.2. I talked to their customer support; of course the agent didn't have a solution, but forwarded my request to the development team. In the meantime, if you want to make it work, you can add ECDHE-RSA-AES256-SHA to https://github.com/home-assistant/home-assistant/blob/master/homeassistant/util/ssl.py#L39; that is the strongest cipher suite Namecheap supported. SHA1 is still considered secure in TLS because of HMAC, but we should avoid it if we can.

@dshokouhi
Member Author

Thank you for the workaround, @micbase. I wonder if other components are going to be impacted by this, like #15522.

@micbase
Contributor
micbase commented Jul 18, 2018

I think it's very likely; not all websites support strong cipher suites, unfortunately.

@balloob
Member
balloob commented Jul 18, 2018

I think we might have gone a bit overboard by restricting the cipher suites. Considering only enforcing them server side. At the end of the day, do we not want to communicate or do we only want to communicate over a bad cipher?

@balloob
Member
balloob commented Jul 18, 2018

The Mozilla intermediate recommended ciphers include ECDHE-RSA-AES256-SHA

@micbase
Contributor
micbase commented Jul 18, 2018

I will recommend we enforce Mozilla's modern standard for server-side TLS, but for the client side, the modern standard cipher suites seem too tight; we can use the default ciphers but drop RC4, EXPORT, and unauthenticated ones.
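
Added example, not part of the thread and not Home Assistant's code: a check of which suites a Python client context offers under a tight policy versus the relaxed client policy proposed above, compared against the one suite the thread reports the Namecheap endpoint accepts. Both cipher strings and all function names are constructed for illustration; `AEAD_ONLY` is a stand-in for a "modern" list, not the project's actual list.

```python
import ssl

# Constructed policies for illustration; neither is Home Assistant's real list.
AEAD_ONLY = "ECDHE+AESGCM:ECDHE+CHACHA20"
# OpenSSL defaults minus unauthenticated, NULL, EXPORT and RC4 suites,
# as proposed for the client side in the thread.
RELAXED_CLIENT = "DEFAULT:!aNULL:!eNULL:!EXPORT:!RC4"

# The suite the thread reports as the strongest the endpoint accepts.
SERVER_SUITES = ["ECDHE-RSA-AES256-SHA"]


def offered_suites(cipher_string):
    """Return the suite names a client context offers for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL rejects a string that selects no suites at all.
        return []
    # get_ciphers() also lists TLS 1.3 suites, which set_ciphers() does not control.
    return [c["name"] for c in ctx.get_ciphers()]


def shared_suites(cipher_string, server_suites):
    """Suites both sides support, in client preference order.

    An empty result is the case that ends in a handshake_failure alert.
    """
    server = set(server_suites)
    return [name for name in offered_suites(cipher_string) if name in server]


def weak_suites(cipher_string):
    """Offered suites that are anonymous, NULL, EXPORT-grade or RC4."""
    markers = ("RC4", "NULL", "EXP", "ADH", "AECDH")
    return [n for n in offered_suites(cipher_string)
            if any(m in n for m in markers)]


if __name__ == "__main__":
    for label, policy in (("AEAD only", AEAD_ONLY), ("relaxed", RELAXED_CLIENT)):
        common = shared_suites(policy, SERVER_SUITES)
        print(f"{label:10} shared={common or 'none (handshake fails)'} "
              f"weak={weak_suites(policy)}")
```

The result depends on the OpenSSL build Python is linked against, so run it on the host that shows the failure.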

@balloob
Member
balloob commented Jul 18, 2018

See my PR #15546, this is the best I could come up with (not my expertise). Suggestions are welcome.

@ParitoshBh

I am trying to set up the Hydro-Québec component and end up seeing the following in the logs:

Error doing job: SSL error errno:1 reason: SSLV3_ALERT_HANDSHAKE_FAILURE

Traceback (most recent call last):
  File "uvloop/sslproto.pyx", line 504, in uvloop.loop.SSLProtocol.data_received
  File "uvloop/sslproto.pyx", line 204, in uvloop.loop._SSLPipe.feed_ssldata
  File "uvloop/sslproto.pyx", line 171, in uvloop.loop._SSLPipe.feed_ssldata
  File "/usr/local/lib/python3.6/ssl.py", line 689, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:841)

I am guessing the error is tied to this issue.

@balloob
Member
balloob commented Jul 20, 2018

Will be fixed in 0.74

@ParitoshBh
ParitoshBh commented Jul 20, 2018

Thanks for responding! I tried with docker image 0.74.0b4 but I am getting a similar error.

2018-07-21 01:33:58 ERROR (MainThread) [homeassistant.components.sensor] Error while setting up platform hydroquebec
Traceback (most recent call last):
  File "/usr/src/app/homeassistant/helpers/entity_platform.py", line 129, in _async_setup_platform
    SLOW_SETUP_MAX_WAIT, loop=hass.loop)
  File "/usr/local/lib/python3.6/asyncio/tasks.py", line 358, in wait_for
    return fut.result()
  File "/usr/src/app/homeassistant/components/sensor/hydroquebec.py", line 109, in async_setup_platform
    contracts = yield from hydroquebec_data.get_contract_list()
  File "/usr/src/app/homeassistant/components/sensor/hydroquebec.py", line 180, in get_contract_list
    ret = yield from self._fetch_data()
  File "/usr/src/app/homeassistant/components/sensor/hydroquebec.py", line 190, in _fetch_data
    await self.client.fetch_data()
  File "/usr/local/lib/python3.6/site-packages/pyhydroquebec/client.py", line 372, in fetch_data
    hourly_data = yield from self._get_hourly_data(day_date, p_p_id)
  File "/usr/local/lib/python3.6/site-packages/pyhydroquebec/client.py", line 309, in _get_hourly_data
    json_output = yield from raw_res.json(content_type='text/json')
  File "/usr/local/lib/python3.6/site-packages/aiohttp/client_reqrep.py", line 927, in json
    headers=self.headers)
aiohttp.client_exceptions.ContentTypeError: 0, message='Attempt to decode JSON with unexpected mimetype: text/html; charset=utf-8'

@home-assistant home-assistant locked and limited conversation to collaborators Oct 26, 2018