Hi there,
I am not able to download new rulesets ... tried it over command line and got the error below:
/usr/local/opnsense/scripts/suricata # /usr/local/opnsense/scripts/suricata/rule-updater.py
From cffi callback <function _verify_callback at 0x4b73add1230>:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 313, in wrapper
    _lib.X509_up_ref(x509)
AttributeError: 'module' object has no attribute 'X509_up_ref'
Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/suricata/rule-updater.py", line 90, in <module>
    filename=rule['filename'], input_filter=input_filter, auth=auth)
  File "/usr/local/opnsense/scripts/suricata/lib/downloader.py", line 129, in download
    req = requests.get(**req_opts)
  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 72, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 502, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 612, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 504, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='rules.emergingthreats.net', port=443): Max retries exceeded with url: /open/suricata-1.3-enhanced/emerging.rules.tar.gz (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))
Any idea ...
Thx
There is an issue with a Python cryptography/openssl library update. Working on a permanent fix in 18.1.1 for Friday.
Depending on your architecture / crypto combination, we can offer a temporary fix... So please name your combination, e.g. amd64/LibreSSL.
Cheers,
Franco
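Added example, not part of the original thread and not OPNsense code: a small triage helper that reads captured updater output and tells apart a "certificate verify failed" caused by a crash inside the local verification callback (the case in this thread, where the fix is the Python crypto package) from one where the peer certificate was actually rejected. The function name `triage`, the verdict strings and the shortened sample text are assumptions made for illustration.

```python
import re

# Constructed sample, shortened from the output format shown in this thread.
SAMPLE = """\
From cffi callback <function _verify_callback at 0x0>:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 313, in wrapper
    _lib.X509_up_ref(x509)
AttributeError: 'module' object has no attribute 'X509_up_ref'
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 504, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))
"""

CALLBACK_RE = re.compile(r"^From cffi callback <function (\w+) at 0x[0-9a-fA-F]+>:", re.M)
EXC_RE = re.compile(r"^(\w+(?:\.\w+)*): (.*)$", re.M)
MISSING_RE = re.compile(r"has no attribute '(\w+)'")


def triage(output):
    """Classify a failed HTTPS download from its captured stderr text."""
    result = {"callback": None, "callback_error": None, "missing_symbol": None}
    verify_failed = "certificate verify failed" in output
    banner = CALLBACK_RE.search(output)
    if banner:
        result["callback"] = banner.group(1)
        # First exception line after the banner is what was raised inside the callback.
        exc = EXC_RE.search(output, banner.end())
        if exc:
            result["callback_error"] = exc.group(1)
            missing = MISSING_RE.search(exc.group(2))
            result["missing_symbol"] = missing.group(1) if missing else None
    if verify_failed and result["callback_error"]:
        # The verification callback itself crashed, so the failure is local.
        result["verdict"] = "local-tls-library-fault"
    elif verify_failed:
        # No callback crash: the peer certificate really was rejected.
        result["verdict"] = "certificate-rejected"
    else:
        result["verdict"] = "other"
    return result


if __name__ == "__main__":
    for key, value in sorted(triage(SAMPLE).items()):
        print("%s: %s" % (key, value))
```

A "local-tls-library-fault" verdict points at the installed Python crypto packages rather than the rule server's certificate, so certificate verification should stay enabled while the package is fixed.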
OK ..
Thank you ;)
Not sure if Friday is ok for you... can't help with the temporary solution without the architecture/crypto flavour.
(Just double-checking.)
Cheers,
Franco
Same here (I'm new so... Hello!)
/usr/local/opnsense/scripts/suricata # ./rule-updater.py
From cffi callback <function _verify_callback at 0x584b18a6230>:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 313, in wrapper
    _lib.X509_up_ref(x509)
AttributeError: 'module' object has no attribute 'X509_up_ref'
Traceback (most recent call last):
  File "./rule-updater.py", line 90, in <module>
    filename=rule['filename'], input_filter=input_filter, auth=auth)
  File "/usr/local/opnsense/scripts/suricata/lib/downloader.py", line 129, in download
    req = requests.get(**req_opts)
  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 72, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 502, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 612, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 504, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='rules.emergingthreats.net', port=443): Max retries exceeded with url: /open/suricata-1.3-enhanced/emerging.rules.tar.gz (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))
My combo should be AMD64/OPENSSL
Andrea
Hi Andrea,
Temporary fix for amd64/OpenSSL here:
https://forum.opnsense.org/index.php?topic=7067.msg31513#msg31513
Will be solved with a new Python Cryptography package in 18.1.1 on Friday.
Cheers,
Franco
Thanks Franco, I'll give it a try tomorrow morning, having beer right now.
Cheers!
Indeed, cheers!
Dear franco,
Thanks for fixing this glitch in this otherwise outstanding distribution. I would like to know when we will be able to get IPS rules downloaded on Friday February 2, 2018. I am here in New York City - so will it be in the AM or later in the day? Also, will it be required to download an updated iso file?
My architecture is LibreSSL 64amd - so hopefully - we will all be up and running soon. You guys do a marvelous job at innovation, updates and responding to all and any aspects in the development and maintenance of this exquisite firmware.
Thanks a ton -
directnupe
Hi directnupe,
The temporary fix for amd64/LibreSSL is here...
https://forum.opnsense.org/index.php?topic=7067.msg31527#msg31527
This is actually the same thing that's going to be shipped in 18.1.1 tomorrow and confirmed working, so no need to wait.
Cheers,
Franco
Quote from: franco on January 31, 2018, 08:07:30 PM
Hi Andrea,
Temporary fix for amd64/OpenSSL here:
https://forum.opnsense.org/index.php?topic=7067.msg31513#msg31513
Will be solved with a new Python Cryptography package in 18.1.1 on Friday.
Cheers,
Franco
It worked, thanks a lot!
Andrea
Dear Franco-
Thanks - now able to download IPS rules as per your instructions. Again - thanks for your work on OPNsense.
God Bless You and Yours -
Always In Peace
directnupe