[SOLVED] IDS Rule Download Error SSL routines

Started by emfabox, January 31, 2018, 03:49:48 PM

January 31, 2018, 03:49:48 PM Last Edit: February 01, 2018, 03:21:09 PM by franco
Hi there,

I am not able to download new rulesets ... tried it over command line and got the error below:

/usr/local/opnsense/scripts/suricata # /usr/local/opnsense/scripts/suricata/rule-updater.py
From cffi callback <function _verify_callback at 0x4b73add1230>:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 313, in wrapper
    _lib.X509_up_ref(x509)
AttributeError: 'module' object has no attribute 'X509_up_ref'
Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/suricata/rule-updater.py", line 90, in <module>
    filename=rule['filename'], input_filter=input_filter, auth=auth)
  File "/usr/local/opnsense/scripts/suricata/lib/downloader.py", line 129, in download
    req = requests.get(**req_opts)
  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 72, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 502, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 612, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 504, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='rules.emergingthreats.net', port=443): Max retries exceeded with url: /open/suricata-1.3-enhanced/emerging.rules.tar.gz (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))

Any idea ...

Thx

There is an issue with a Python cryptography/openssl library update. Working on a permanent fix in 18.1.1 for Friday.

Depending on your architecture / crypto combination, we can offer a temporary fix... So please name your combination, e.g. amd64/LibreSSL.


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT
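
In the output posted above, an exception is raised inside the `_verify_callback` cffi callback before the handshake reports "certificate verify failed". As an added example (not part of the thread and not OPNsense code), this triage helper separates that local library fault from a genuinely untrusted server certificate; the function names and verdict labels are assumptions, and the sample is an abbreviated, constructed copy of the posted output.

```python
import re

# Constructed sample: abbreviated copy of the updater output quoted in the thread.
SAMPLE_OUTPUT = '''\
From cffi callback <function _verify_callback at 0x4b73add1230>:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 313, in wrapper
    _lib.X509_up_ref(x509)
AttributeError: 'module' object has no attribute 'X509_up_ref'
Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/suricata/lib/downloader.py", line 129, in download
    req = requests.get(**req_opts)
requests.exceptions.ConnectionError: ... (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))
'''

CALLBACK_RE = re.compile(r"From cffi callback <function (\w+) at 0x[0-9a-fA-F]+>:")
MISSING_SYM_RE = re.compile(r"AttributeError: 'module' object has no attribute '(\w+)'")
VERIFY_FAILED = "certificate verify failed"

def callback_exception(output):
    """Return (callback_name, exception_line) raised inside a cffi callback, or None."""
    lines = output.splitlines()
    for i, line in enumerate(lines):
        m = CALLBACK_RE.match(line)
        if not m:
            continue
        # Skip the "Traceback" header; the first unindented line after it is the exception.
        for follow in lines[i + 2:]:
            if follow and not follow.startswith(" "):
                return m.group(1), follow.strip()
    return None

def classify(output):
    """Return (verdict, detail) for captured rule-updater output."""
    cb = callback_exception(output)
    failed = VERIFY_FAILED in output
    if cb and failed:
        # The verify callback itself crashed, so the failure originates locally.
        sym = MISSING_SYM_RE.match(cb[1])
        if sym:
            return "local-binding-mismatch", sym.group(1)
        return "local-callback-error", cb[1]
    if failed:
        return "certificate-untrusted", None
    return "no-tls-verify-error", None
```

A `local-binding-mismatch` verdict points at the Python cryptography/OpenSSL packages on the firewall, so certificate verification stays enabled while the package is fixed.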


Not sure if Friday is ok for you... can't help with the temporary solution without the architecture/crypto flavour.

(Just double-checking.)


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT

Same here (I'm new so... Hello!)

/usr/local/opnsense/scripts/suricata # ./rule-updater.py
From cffi callback <function _verify_callback at 0x584b18a6230>:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 313, in wrapper
    _lib.X509_up_ref(x509)
AttributeError: 'module' object has no attribute 'X509_up_ref'
Traceback (most recent call last):
  File "./rule-updater.py", line 90, in <module>
    filename=rule['filename'], input_filter=input_filter, auth=auth)
  File "/usr/local/opnsense/scripts/suricata/lib/downloader.py", line 129, in download
    req = requests.get(**req_opts)
  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 72, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 502, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 612, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 504, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='rules.emergingthreats.net', port=443): Max retries exceeded with url: /open/suricata-1.3-enhanced/emerging.rules.tar.gz (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))

My combo should be AMD64/OPENSSL

Andrea
OPNsense 18.1.5 | PPPoE: Eolo Italy | Down: Few Mbit/s | Up: Even Less Mbit/s

Hi Andrea,

Temporary fix for amd64/OpenSSL here:

https://forum.opnsense.org/index.php?topic=7067.msg31513#msg31513

Will be solved with a new Python Cryptography package in 18.1.1 on Friday.


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT

Thanks Franco, I'll give it a try tomorrow morning, having beer right now.

Cheers!
OPNsense 18.1.5 | PPPoE: Eolo Italy | Down: Few Mbit/s | Up: Even Less Mbit/s

Indeed, cheers!
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT

February 01, 2018, 02:29:02 AM #8 Last Edit: February 01, 2018, 02:31:33 AM by directnupe
Dear franco,
Thanks for fixing this glitch in this otherwise outstanding distribution. I would like to know when we will be able to get IPS rules downloaded on Friday February 2, 2018. I am here in New York City - so will it be in the AM or later in the day? Also, will it be required to download an updated iso file?
My architecture is LibreSSL 64amd - so hopefully - we will all be up and running soon. You guys do a marvelous job at innovation, updates and responding to all and any aspects in the development and maintenance of this exquisite firmware.

Thanks a ton -

directnupe

Hi directnupe,

The temporary fix for amd64/LibreSSL is here...

https://forum.opnsense.org/index.php?topic=7067.msg31527#msg31527

This is actually the same thing that's going to be shipped in 18.1.1 tomorrow and confirmed working, so no need to wait.


Cheers,
Franco
"AI has absolutely reduced the cost of creating technical debt." -- ChatGPT

Quote from: franco on January 31, 2018, 08:07:30 PM
Hi Andrea,

Temporary fix for amd64/OpenSSL here:

https://forum.opnsense.org/index.php?topic=7067.msg31513#msg31513

Will be solved with a new Python Cryptography package in 18.1.1 on Friday.


Cheers,
Franco

It worked, thanks a lot!

Andrea
OPNsense 18.1.5 | PPPoE: Eolo Italy | Down: Few Mbit/s | Up: Even Less Mbit/s

Dear Franco-
Thanks - now able to download IPS rules as per your instructions. Again - thanks for your work on OPNsense.

God Bless You and Yours -

Always In Peace

directnupe