Python's ftplib has SSL/TLS errors in ubuntu 20.04

Asked by Evan Stone on 2020-07-27

I use a Python script to securely connect to a particular SFTP server (bos-sr-1-34.akliz.net — I don't mind sharing) and it has always JUST WORKED until I got to Ubuntu 20.04. I have tried this on 16.04, 18.04, 19.10 (I think), 20.04, Raspbian, macOS Mojave and Windows 10. I've used Python 3.5, 3.6 and 3.8. It works fine for everything in that list except 20.04. Here's the code in question:

import ftplib
ftps = ftplib.FTP_TLS(host='bos-sr-1-34.akliz.net')
ftps.login(user='xxxxxxxxxxxx', passwd='xxxxxxxxxxx')

On 20.04, the specific error I get is:
[SSL: UNSUPPORTED_PROTOCOL] unsupported protocol (_ssl.c:1108)

Clearly, it's not purely a Python issue because this code works on every system I listed except 20.04. It seems to be an OpenSSL or certificate issue. Strangely, though, everything else that requires SSL seems to work fine in 20.04. All my apt-get updates/installations/upgrades are fine. I can run tests with openssl just fine and I can use the Python "requests" library to securely fetch webpages without issue.

I have tried installing the Python certifi library and that didn't help. I have tried running "update-ca-certificates --fresh" and that didn't help. I have tried changing the ssl_version of the connection instance to about ten different flavors of ssl.PROTOCOL_TLS, because 20.04 was indeed defaulting to something different than the other systems. This didn't help either. I also tried adding lines to /etc/ssl/openssl.cnf to force OpenSSL to use a lower version of TLS. Didn't help. I'm at a loss. I spent about seven hours on this. I joined this forum today BECAUSE of this.

If there's a workaround out there, I'd like to know it of course, but the real issue is that this should JUST WORK because IT ALREADY WORKS on every other Ubuntu system, plus Mac and Windows. Let me know! And thank all of you for your time, seriously. This developer community is amazing. :-)

Question information

Language:
English Edit question
Status:
Solved
For:
Ubuntu Edit question
Assignee:
No assignee Edit question
Solved by:
Kai Kasurinen
Solved:
2020-07-27
Last query:
2020-07-27
Last reply:
2020-07-27

Have you contacted the guys who manage the system you are connecting to? Sounds like they've made a change to their side or an update has caused the issue on your system. It's a good first step. They may be able to advise

Kai Kasurinen (kai-kasurinen) said : #3

> ./sslscan --starttls-ftp bos-sr-1-34.akliz.net:21
Version: 2.0.0-static
OpenSSL 1.1.1h-dev xx XXX xxxx

Connected to 64.74.111.34

Testing SSL server bos-sr-1-34.akliz.net on port 21 using SNI name bos-sr-1-34.akliz.net

  SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 enabled
TLSv1.1 disabled
TLSv1.2 disabled
TLSv1.3 disabled

  TLS Fallback SCSV:
Server does not support TLS Fallback SCSV

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLSv1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 1024 bits
Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve P-256 DHE 256
Accepted TLSv1.0 128 bits AES128-SHA
Accepted TLSv1.0 112 bits DES-CBC3-SHA

  Server Signature Algorithm(s):
TLSv1.0 Server accepts all signature algorithms.

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength: 2048

Subject: bos-sr-1-34.akliz.net
Altnames: DNS:bos-sr-1-34.akliz.net
Issuer: Let's Encrypt Authority X3

Not valid before: Jul 17 23:00:21 2020 GMT
Not valid after: Oct 15 23:00:21 2020 GMT

Kai Kasurinen (kai-kasurinen) said : #4

>>> ssl_context = ssl.create_default_context()
>>> ssl_context.minimum_version = ssl.TLSVersion.TLSv1
>>> ssl_context.set_ciphers("EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:@SECLEVEL=1")
>>> ftplib.FTP_TLS(host='bos-sr-1-34.akliz.net', context=ssl_context).login(user='xxxxxxxxxxxx', passwd='xxxxxxxxxxx')
ftplib.error_perm: 530 Login incorrect.

Best Kai Kasurinen (kai-kasurinen) said : #5

>>> import ssl
>>> import ftplib
>>> ssl_context = ssl.create_default_context()
>>> ssl_context.set_ciphers("DEFAULT@SECLEVEL=1")
>>> ftplib.FTP_TLS(host='bos-sr-1-34.akliz.net', context=ssl_context).login(user='xxxxxxxxxxxx', passwd='xxxxxxxxxxx')
ftplib.error_perm: 530 Login incorrect.

Ahh it's using TLS 1.0 only which is not considered secure. The server side is garbage and your modern client expects something better. It's not there so I'm guessing it's why you are not getting the connection

Evan Stone (efstone) said : #7

Yes, I came to that conclusion as well. That’s why I made so many attempts to force my client to connect using the TLSv1.0 protocol but nothing worked. Why did none of the overrides work? If you can make a connection from 20.04, PLEASE tell me how!

-evan

> On Jul 27, 2020, at 5:55 AM, actionparsnip <email address hidden> wrote:
>
> Your question #692078 on Ubuntu changed:
> https://answers.launchpad.net/ubuntu/+question/692078
>
> actionparsnip proposed the following answer:
> Ahh it's using TLS 1.0 only which is not considered secure. The server
> side is garbage and your modern client expects something better. It's
> not there so I'm guessing it's why you are not getting the connection
>
> --
> If this answers your question, please go to the following page to let us
> know that it is solved:
> https://answers.launchpad.net/ubuntu/+question/692078/+confirm?answer_id=5
>
> If you still need help, you can reply to this email or go to the
> following page to enter your feedback:
> https://answers.launchpad.net/ubuntu/+question/692078
>
> You received this question notification because you asked the question.

Evan Stone (efstone) said : #8

Thanks Kai Kasurinen, that solved my question.

Evan Stone (efstone) said : #9

Kai, thank you so much! I was lowering my TLS version, but not also lowering the SECLEVEL. Amazing!

I suggest you tell the managers of the server side to update their security to something that isn't garbage