Ubuntu

Python's ftplib has SSL/TLS errors in ubuntu 20.04

Asked by Evan Stone

I use a Python script to securely connect to a particular SFTP server (bos-sr-1-34.akliz.net — I don't mind sharing) and it has always JUST WORKED until I got to Ubuntu 20.04. I have tried this on 16.04, 18.04, 19.10 (I think), 20.04, Raspbian, macOS Mojave and Windows 10. I've used Python 3.5, 3.6 and 3.8. It works fine for everything in that list except 20.04. Here's the code in question:

import ftplib
ftps = ftplib.FTP_TLS(host='bos-sr-1-34.akliz.net')
ftps.login(user='xxxxxxxxxxxx', passwd='xxxxxxxxxxx')

On 20.04, the specific error I get is:
[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1108)

Clearly, it's not purely a Python issue because this code works on every system I listed except 20.04. It seems to be an OpenSSL or certificate issue. Strangely, though, everything else that requires SSL seems to work fine in 20.04. All my apt-get updates/installations/upgrades are fine. I can run tests with openssl just fine and I can use the Python "requests" library to securely fetch webpages without issue.

I have tried installing the Python certifi library and that didn't help. I have tried running "update-ca-certificates --fresh" and that didn't help. I have tried changing the ssl_version of the connection instance to about ten different flavors of ssl.PROTOCOL_TLS, because 20.04 was indeed defaulting to something different than the other systems. This didn't help either. I also tried adding lines to /etc/ssl/openssl.cnf to force OpenSSL to use a lower version of TLS. Didn't help. I'm at a loss. I spent about seven hours on this. I joined this forum today BECAUSE of this.

If there's a workaround out there, I'd like to know it of course, but the real issue is that this should JUST WORK because IT ALREADY WORKS on every other Ubuntu system, plus Mac and Windows. Let me know! And thank all of you for your time, seriously. This developer community is amazing. :-)

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu Edit question
Assignee:
No assignee Edit question
Solved by:
Kai Kasurinen
Solved:
Last query:
Last reply:
Revision history for this message
actionparsnip (andrew-woodhead666) said : 		#1

Have you contacted the guys who manage the system you are connecting to? Sounds like they've made a change to their side or an update has caused the issue on your system. It's a good first step. They may be able to advise

Revision history for this message
Kai Kasurinen (kai-kasurinen) said : 		#2

https://discourse.ubuntu.com/t/default-to-tls-v1-2-in-all-tls-libraries-in-20-04-lts/12464

Revision history for this message
Kai Kasurinen (kai-kasurinen) said : 		#3

> ./sslscan --starttls-ftp bos-sr-1-34.akliz.net:21
Version: 2.0.0-static
OpenSSL 1.1.1h-dev xx XXX xxxx

Connected to 64.74.111.34

Testing SSL server bos-sr-1-34.akliz.net on port 21 using SNI name bos-sr-1-34.akliz.net

  SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 enabled
TLSv1.1 disabled
TLSv1.2 disabled
TLSv1.3 disabled

  TLS Fallback SCSV:
Server does not support TLS Fallback SCSV

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLSv1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 112 bits DES-CBC3-SHA

  Server Signature Algorithm(s):
TLSv1.0 Server accepts all signature algorithms.

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength: 2048

Subject: bos-sr-1-34.akliz.net
Altnames: DNS:bos-sr-1-34.akliz.net
Issuer: Let's Encrypt Authority X3

Not valid before: Jul 17 23:00:21 2020 GMT
Not valid after: Oct 15 23:00:21 2020 GMT

Revision history for this message
Kai Kasurinen (kai-kasurinen) said : 		#4

>>> ssl_context = ssl.create_default_context()
>>> ssl_context.minimum_version = ssl.TLSVersion.TLSv1
>>> ssl_context.set_ciphers("EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:@SECLEVEL=1")
>>> ftplib.FTP_TLS(host='bos-sr-1-34.akliz.net', context=ssl_context).login(user='xxxxxxxxxxxx', passwd='xxxxxxxxxxx')
ftplib.error_perm: 530 Login incorrect.

Revision history for this message
Best Kai Kasurinen (kai-kasurinen) said : 		#5

>>> import ssl
>>> import ftplib
>>> ssl_context = ssl.create_default_context()
>>> ssl_context.set_ciphers("DEFAULT@SECLEVEL=1")
>>> ftplib.FTP_TLS(host='bos-sr-1-34.akliz.net', context=ssl_context).login(user='xxxxxxxxxxxx', passwd='xxxxxxxxxxx')
ftplib.error_perm: 530 Login incorrect.

Revision history for this message
actionparsnip (andrew-woodhead666) said : 		#6

Ahh it's using TLS 1.0 only which is not considered secure. The server side is garbage and your modern client expects something better. It's not there so I'm guessing it's why you are not getting the connection

Revision history for this message
Evan Stone (efstone) said : 		#7

Yes, I came to that conclusion as well. That’s why I made so many attempts to force my client to connect using the TLSv1.0 protocol but nothing worked. Why did none of the overrides work? If you can make a connection from 20.04, PLEASE tell me how!

-evan

> On Jul 27, 2020, at 5:55 AM, actionparsnip <email address hidden> wrote:
>
> Your question #692078 on Ubuntu changed:
> https://answers.launchpad.net/ubuntu/+question/692078
>
> actionparsnip proposed the following answer:
> Ahh it's using TLS 1.0 only which is not considered secure. The server
> side is garbage and your modern client expects something better. It's
> not there so I'm guessing it's why you are not getting the connection
>
> --
> If this answers your question, please go to the following page to let us
> know that it is solved:
> https://answers.launchpad.net/ubuntu/+question/692078/+confirm?answer_id=5
>
> If you still need help, you can reply to this email or go to the
> following page to enter your feedback:
> https://answers.launchpad.net/ubuntu/+question/692078
>
> You received this question notification because you asked the question.

Revision history for this message
Evan Stone (efstone) said : 		#8

Thanks Kai Kasurinen, that solved my question.

Revision history for this message
Evan Stone (efstone) said : 		#9

Kai, thank you so much! I was lowering my TLS version, but not also lowering the SECLEVEL. Amazing!

Revision history for this message
actionparsnip (andrew-woodhead666) said : 		#10

I suggest you tell the managers of the server side to update their security to something that isn't garbage

Revision history for this message
Roderick Nelson (rodericknelson) said (last edit ): 		#11

It a great course. I've been dreaming of learning it for a long time, but unfortunately, I don't have time for it. I need to write my tasks and this source helps me with this https://writinguniverse.com/free-essay-examples/war/ The examples turned out to be a godsend for me. Thanks to this, I found a lot of fresh ideas for my work.