emfabox

[SOLVED] IDS Rule Download Error SSL routines
« on: January 31, 2018, 03:49:48 pm »
Hi there,

I am not able to download new rulesets ... tried it over command line and got the error below:

/usr/local/opnsense/scripts/suricata # /usr/local/opnsense/scripts/suricata/rule-updater.py
From cffi callback <function _verify_callback at 0x4b73add1230>:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 313, in wrapper
    _lib.X509_up_ref(x509)
AttributeError: 'module' object has no attribute 'X509_up_ref'
Traceback (most recent call last):
  File "/usr/local/opnsense/scripts/suricata/rule-updater.py", line 90, in <module>
    filename=rule['filename'], input_filter=input_filter, auth=auth)
  File "/usr/local/opnsense/scripts/suricata/lib/downloader.py", line 129, in download
    req = requests.get(**req_opts)
  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 72, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 502, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 612, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 504, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='rules.emergingthreats.net', port=443): Max retries exceeded with url: /open/suricata-1.3-enhanced/emerging.rules.tar.gz (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))

Any idea ...

Thx
« Last Edit: February 01, 2018, 03:21:09 pm by franco »

franco

Re: IDS Rule Download Error SSL routines
« Reply #1 on: January 31, 2018, 03:54:39 pm »
There is an issue with a Python cryptography/openssl library update. Working on a permanent fix in 18.1.1 for Friday.

Depending on your architecture / crypto combination, we can offer a temporary fix... So please name your combination, e.g. amd64/LibreSSL.


Cheers,
Franco
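
Added example (not part of the forum posts and not OPNsense code): the traceback above shows the certificate check failing because pyOpenSSL's verify callback crashed on a missing X509_up_ref symbol, i.e. the library mismatch franco describes, rather than because the server's certificate was untrusted. The sketch below separates the two cases in captured updater output; the function name `triage`, its verdict labels and the sample strings are assumptions constructed for illustration.

```python
import re

# Constructed sample: abridged lines of the kind shown in the posts above.
BINDING_FAULT = """\
From cffi callback <function _verify_callback at 0x0>:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 313, in wrapper
    _lib.X509_up_ref(x509)
AttributeError: 'module' object has no attribute 'X509_up_ref'
requests.exceptions.ConnectionError: (Caused by SSLError("bad handshake:
 Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)"))
"""

# Constructed sample: the same final error with no crash in the callback.
GENUINE_FAILURE = """\
requests.exceptions.ConnectionError: (Caused by SSLError("bad handshake:
 Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)"))
"""

CALLBACK_RE = re.compile(r"^From cffi callback <function (\w+)", re.M)
MISSING_RE = re.compile(
    r"^AttributeError: 'module' object has no attribute '(\w+)'", re.M)
VERIFY_FAILED = "certificate verify failed"


def triage(output):
    """Classify failed-download output; returns (verdict, missing_symbol)."""
    if VERIFY_FAILED not in output:
        return ("other", None)
    callback = CALLBACK_RE.search(output)
    if callback and "OpenSSL/SSL.py" in output:
        # The verify callback itself raised: look for the missing binding
        # symbol reported after the callback marker.
        missing = MISSING_RE.search(output, callback.end())
        if missing:
            return ("binding-mismatch", missing.group(1))
    # No local crash recorded: the chain really was rejected, so check the
    # CA store, the system clock and the certificate actually presented.
    return ("untrusted-certificate", None)


if __name__ == "__main__":
    for name, text in (("binding", BINDING_FAULT), ("genuine", GENUINE_FAILURE)):
        print(name, triage(text))
```

A binding-mismatch verdict points at the local Python packages; turning off certificate verification to get the download through would hide the fault rather than fix it.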

emfabox

Re: IDS Rule Download Error SSL routines
« Reply #2 on: January 31, 2018, 03:59:10 pm »
OK ..

Thank you  ;)

franco

Re: IDS Rule Download Error SSL routines
« Reply #3 on: January 31, 2018, 04:12:55 pm »
Not sure if Friday is ok for you... can't help with the temporary solution without the architecture/crypto flavour.

(Just double-checking.)


Cheers,
Franco

privateer

Re: IDS Rule Download Error SSL routines
« Reply #4 on: January 31, 2018, 07:27:12 pm »
Same here (I'm new so... Hello!)

/usr/local/opnsense/scripts/suricata # ./rule-updater.py
From cffi callback <function _verify_callback at 0x584b18a6230>:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 313, in wrapper
    _lib.X509_up_ref(x509)
AttributeError: 'module' object has no attribute 'X509_up_ref'
Traceback (most recent call last):
  File "./rule-updater.py", line 90, in <module>
    filename=rule['filename'], input_filter=input_filter, auth=auth)
  File "/usr/local/opnsense/scripts/suricata/lib/downloader.py", line 129, in download
    req = requests.get(**req_opts)
  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 72, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 502, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 612, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 504, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='rules.emergingthreats.net', port=443): Max retries exceeded with url: /open/suricata-1.3-enhanced/emerging.rules.tar.gz (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)",),))

My combo should be AMD64/OPENSSL

Andrea
OPNsense 18.1.5 | PPPoE: Eolo Italy | Down: Few Mbit/s | Up: Even Less Mbit/s

franco

Re: IDS Rule Download Error SSL routines
« Reply #5 on: January 31, 2018, 08:07:30 pm »
Hi Andrea,

Temporary fix for amd64/OpenSSL here:

https://forum.opnsense.org/index.php?topic=7067.msg31513#msg31513

Will be solved with a new Python Cryptography package in 18.1.1 on Friday.


Cheers,
Franco

privateer

Re: IDS Rule Download Error SSL routines
« Reply #6 on: January 31, 2018, 09:31:52 pm »
Thanks Franco, I'll give it a try tomorrow morning, having beer right now.

Cheers!
OPNsense 18.1.5 | PPPoE: Eolo Italy | Down: Few Mbit/s | Up: Even Less Mbit/s

franco

Re: IDS Rule Download Error SSL routines
« Reply #7 on: January 31, 2018, 10:32:31 pm »
Indeed, cheers!

directnupe

Re: IDS Rule Download Error SSL routines
« Reply #8 on: February 01, 2018, 02:29:02 am »
Dear franco,
Thanks for fixing this glitch in this otherwise outstanding distribution. I would like to know when we will be able to get IPS rules downloaded on Friday February 2, 2018. I am here in New York City - so will it be in the AM or later in the day? Also, will it be required to download an updated iso file?
My architecture is LibreSSL 64amd - so hopefully - we will all be up and running soon. You guys do a marvelous job at innovation, updates and responding to all and any aspects in the development and maintenance of this exquisite firmware.

Thanks a ton -

directnupe
« Last Edit: February 01, 2018, 02:31:33 am by directnupe »

franco

Re: IDS Rule Download Error SSL routines
« Reply #9 on: February 01, 2018, 09:07:30 am »
Hi directnupe,

The temporary fix for amd64/LibreSSL is here...

https://forum.opnsense.org/index.php?topic=7067.msg31527#msg31527

This is actually the same thing that's going to be shipped in 18.1.1 tomorrow and confirmed working, so no need to wait.


Cheers,
Franco

privateer

Re: IDS Rule Download Error SSL routines
« Reply #10 on: February 01, 2018, 02:23:18 pm »
Quote from: franco on January 31, 2018, 08:07:30 pm
Hi Andrea,

Temporary fix for amd64/OpenSSL here:

https://forum.opnsense.org/index.php?topic=7067.msg31513#msg31513

Will be solved with a new Python Cryptography package in 18.1.1 on Friday.


Cheers,
Franco

It worked, thanks a lot!

Andrea
OPNsense 18.1.5 | PPPoE: Eolo Italy | Down: Few Mbit/s | Up: Even Less Mbit/s

directnupe

Re: [SOLVED] IDS Rule Download Error SSL routines
« Reply #11 on: February 01, 2018, 11:19:28 pm »
Dear Franco-
Thanks - now able to download IPS rules as per your instructions. Again - thanks for your work on OPNsense.

God Bless You and Yours -

Always In Peace

directnupe
