
sslv3 alert handshake failure when user attempts to log in

Having a problem deploying OMERO? Please ask new questions at https://forum.image.sc/tags/omero

Re: sslv3 alert handshake failure when user attempts to log

Postby carandraug » Thu Jun 15, 2017 10:39 am

jburel wrote:
Hi
For clarification,
the ADH ciphers will be in the list of ciphers but if you execute for example
Code:
openssl s_client -cipher "$cipher" -connect localhost:4064

where $cipher is any ADH cipher. An error will be returned indicating "no ciphers available".
This is obviously not the case in previous versions.
We will have to find what is the correct value to specify.

Cheers
Jmarie


I looked into this again and it seems that 'openssl ciphers' shows all
available ciphers, ignoring the configured security level. For that, one
needs the '-s' option, which then indeed shows an empty set:

Code:
$ openssl ciphers 'ADH'
ADH-AES256-GCM-SHA384:ADH-AES128-GCM-SHA256:ADH-AES256-SHA256:ADH-CAMELLIA256-SHA256:ADH-AES128-SHA256:ADH-CAMELLIA128-SHA256:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ADH-AES128-SHA:ADH-SEED-SHA:ADH-CAMELLIA128-SHA
$ openssl ciphers -s 'ADH'

$


That pointed out the issue. OpenSSL has this security level thing
which defaults to 1. There are 6 levels, from 0 to 5, ranging from
everything permitted (level 0) to 256 bits of security (level 5).
ADH ciphers are considered insecure and so are in security level 0.
The documentation recognises that setting the security level to 0 would
provide compatibility with previous versions of OpenSSL. See:

https://mta.openssl.org/pipermail/opens ... 03959.html
https://www.openssl.org/docs/man1.1.0/s ... level.html

By adding '@SECLEVEL=0' to the cipher list it works again (at the cost
of lowering the security level). So now, this works:

Code:
$ openssl s_client -cipher 'ADH' -connect omero1.bioch.ox.ac.uk:4064
CONNECTED(00000003)
140461783069952:error:141640B5:SSL routines:tls_construct_client_hello:no ciphers available:../ssl/statem/statem_clnt.c:800:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1497522688
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
$ openssl s_client -cipher 'ADH;@SECLEVEL=0' -connect omero1.bioch.ox.ac.uk:4064
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 573 bytes and written 320 bytes
Verification: OK
---
New, SSLv3, Cipher is ADH-AES256-SHA
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ADH-AES256-SHA
    Session-ID: 2F92930B2CA1BDFA6CBE09E5127BCB2C0A751B2A9C71F3F73C4A488E17411282
    Session-ID-ctx:
    Master-Key: D510ECF2585C5E1C6BCEE658D0924A2AB02A34D3222F8777418F5431C15FA5D04A77DED87B2084A503B280BAB963EF60
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 3a 6e 0b 34 25 34 b3 b0-67 01 6d b9 a2 9e 3c d1   :n.4%4..g.m...<.
    0010 - e9 2f 39 05 ff 40 58 c3-34 c9 74 d7 12 96 24 35   ./9..@X.4.t...$5
    0020 - 3b 37 c8 b6 2c fb 75 2c-fe 6b 59 1f 0b af 95 ae   ;7..,.u,.kY.....
    0030 - 61 f2 ae c5 87 30 2f 3b-25 eb 5f 8d 54 2a 9b 9e   a....0/;%._.T*..
    0040 - 8a 8e 7b b5 d5 2d 9e 65-5b 83 ab f9 26 0d 11 64   ..{..-.e[...&..d
    0050 - e5 87 16 14 81 3f da 8e-88 38 4c 41 8b cd a1 29   .....?...8LA...)
    0060 - 9a 3c e2 a2 5e 6b 9f 4c-9f 0a e8 fb ad 7e f3 54   .<..^k.L.....~.T
    0070 - 22 12 bc 12 5c fb 16 7d-0c 55 f5 fe 37 db 1f b8   "...\..}.U..7...
    0080 - c5 b7 3e bc c9 90 5a 4f-79 47 0d e2 68 4e 49 9d   ..>...ZOyG..hNI.
    0090 - e3 aa cc e0 05 87 ec 4b-13 d8 08 3a 24 fc a9 89   .......K...:$...

    Start Time: 1497522697
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
IceP
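A small checker for transcripts like the ones above, added here as an example and not part of the original post: it pulls the negotiated cipher, the ephemeral key size and any alert out of `openssl s_client` output and turns them into the findings an OMERO admin would want to see (an ADH suite means the client never authenticates the server, and "Server Temp Key: DH, 1024 bits" is a weak group). The three sample transcripts are constructed by trimming the runs quoted in this thread.

```python
import re

# Constructed samples, trimmed from the s_client runs quoted in this thread.
NO_CIPHERS = """CONNECTED(00000003)
140461783069952:error:141640B5:SSL routines:tls_construct_client_hello:no ciphers available:../ssl/statem/statem_clnt.c:800:
    Cipher    : 0000
"""
ALERT_40 = """CONNECTED(00000003)
140704921666816:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1399:SSL alert number 40
    Cipher    : 0000
"""
ADH_OK = """CONNECTED(00000003)
no peer certificate available
Server Temp Key: DH, 1024 bits
    Protocol  : TLSv1
    Cipher    : ADH-AES256-SHA
"""

def parse_s_client(output):
    """Extract the handshake facts from an `openssl s_client` transcript."""
    def grab(pattern):
        m = re.search(pattern, output, re.M)
        return m.group(1) if m else None
    cipher, bits = grab(r"^\s+Cipher\s+:\s+(\S+)"), grab(r"^Server Temp Key: DH, (\d+) bits")
    return {"error": grab(r":SSL routines:\w+:([^:]+):"),       # local OpenSSL error reason
            "alert": grab(r"SSL alert number (\d+)"),            # alert sent by the peer, if any
            "cipher": None if cipher in (None, "0000") else cipher,  # 0000 = nothing negotiated
            "protocol": grab(r"^\s+Protocol\s+:\s+(\S+)"),
            "peer_cert": "no peer certificate available" not in output,
            "dh_bits": int(bits) if bits else None}

def is_anonymous(cipher):
    """OpenSSL names for aNULL suites: neither side presents a certificate."""
    return cipher.startswith(("ADH-", "AECDH-", "EXP-ADH-")) or "_anon_" in cipher

def assess(output):
    """Findings a server admin should act on, derived from one transcript."""
    f = parse_s_client(output)
    if f["cipher"] is None:
        why = f["error"] or "unknown reason"
        return ["handshake failed: " + why + (" (alert %s)" % f["alert"] if f["alert"] else "")]
    findings = []
    if is_anonymous(f["cipher"]) or not f["peer_cert"]:
        findings.append("unauthenticated key exchange with %s: a client cannot tell the real server from an interposed one" % f["cipher"])
    if f["dh_bits"] is not None and f["dh_bits"] < 2048:
        findings.append("weak ephemeral DH group: %d bits" % f["dh_bits"])
    if f["protocol"] in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append("legacy protocol negotiated: " + f["protocol"])
    return findings
```

Feed it the full `s_client` output captured with `2>&1`; a successful ADH connection produces findings, a failed one reports the local error and the peer's alert number.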

Re: sslv3 alert handshake failure when user attempts to log

Postby jburel » Thu Jun 15, 2017 10:49 am

Hi
Thanks for the update, that's great.
So that will allow us to "unlock" the situation for now, but I reckon we will need to revisit the approach.

Cheers

Jmarie

Re: sslv3 alert handshake failure when user attempts to log

Postby jburel » Thu Jun 15, 2017 3:40 pm

Hello

Quick update
I have opened a PR https://github.com/openmicroscopy/openm ... /pull/5332 with some adjustments.
I have deployed the modified server on debian9 and I could connect from both the desktop client (Java)
and the CLI (python). I need to check the Cpp client.
Tomorrow we will do further tests to see that the changes do not affect anything.

Thanks to carandraug for pointing out the SECLEVEL flag.

Cheers

Jmarie

Re: sslv3 alert handshake failure when user attempts to log

Postby jacques2020 » Thu Jun 15, 2017 4:43 pm

Thank you very much carandraug and Jean-Marie for this progress.
I tried to reproduce the test using s_client and openssl but failed with another issue. I tried to find some clue but found no fix. I tried to add -servername without any luck.

Code:
openssl s_client -cipher 'ADH;@SECLEVEL=0' -connect localhost:4064
CONNECTED(00000003)
140704921666816:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1399:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 122 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1497544901
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---


Thank you

cheers

Jacques

Re: sslv3 alert handshake failure when user attempts to log

Postby jburel » Mon Jun 19, 2017 9:48 am

Hi Jacques
I have not been able to replicate your issue. Did you manage to find a solution?
On the OMERO front, the changes in https://github.com/openmicroscopy/openm ... /pull/5332 cannot be included as such, since they will break some existing installations using older versions of OpenSSL.
We will add a section to our documentation page to indicate the required adjustments when using newer versions of OpenSSL.

Cheers
Jmarie

Re: sslv3 alert handshake failure when user attempts to log

Postby jacques2020 » Mon Jun 19, 2017 2:42 pm

Dear Jean-Marie,

I will try to address the different forks:

1) About the cleanse, I made a new post with an indication of the issue (it is on the backup server).

2) About the openssl "alert number 40", I must say that I am a bit confused because I tried on the backup server and got a similar error. Googling was not very helpful as this error seems to be caused by many issues, and I am unsure of what omero is expecting. I have the feeling that I am missing something there, in particular about certificates. Does omero provide a certificate when connecting? Is the server expecting some? It seems that it could cause such an error. Here is the output on Debian Jessie:
Code:
openssl s_client -connect cedre-9b.med.univ-rennes1.fr:4064
CONNECTED(00000003)
139990671865488:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:757:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1497881322
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
openssl version
OpenSSL 1.0.1t  3 May 2016
uname -a
Linux cedre-9b 3.16.0-4-amd64 #1 SMP Debian 3.16.43-2 (2017-04-30) x86_64 GNU/Linux
cat /etc/debian_version
8.8


3) About the core problem of connecting on Debian 9. I stopped the server, edited the template.xml and client.py as in the PR and restarted it. I am unsure whether it is enough or whether I would need a proper recompile or to regenerate the configuration files (the ones in etc/grid) from scratch, as when installing a new server. The problem has then evolved and joined the one of 2). I thus imagine that it solved the first issue but that a second one is there, and it is the one of (2). What also puzzled me is why clients connect well to the 5.2.7 omero while the openssl client assay results in the #40 ssl error.

Code:
/usr/local/OMERO/OMERO.server-Current# sudo -u cedre-agent /usr/local/OMERO/OMERO.server-Current/bin/omero search "Image" "zyg-9"
Previously logged in to localhost:4064 as root
Server: [localhost:4064]
Username: [root]
Password:
InternalException: Failed to connect: exception ::Ice::ProtocolException
{
    reason = SSL error occurred for new outgoing connection:
remote address = 127.0.0.1:4064
sslv3 alert handshake failure: SSL alert number 40
}


So overall, that's not yet the solution to the issue(s), but kind of a little move forward.
Thanks in any case for your time and help!

Cheers

Jacques

Re: sslv3 alert handshake failure when user attempts to log

Postby jacques2020 » Tue Jun 20, 2017 6:08 am

Hello,

Adding to point #3 of my post of yesterday: I am also looking for a way to have a verbose log on the server side (for ssl). I tried to set
Code:
omero config set IceGrid.Node.Trace.Server 1
omero config set IceSSL.Trace.Security 1


but was not very successful. Any suggestion is very welcome.
Thank you

Cheers
Jacques

Re: sslv3 alert handshake failure when user attempts to log

Postby mtbc » Tue Jun 20, 2017 7:28 am

Dear Jacques,

You can adjust your server's etc/logback.xml file -- if before the last </configuration> line you add,

Code:
<logger name="ome.security.auth" level="DEBUG"/>
<logger name="ome.logic.LdapImpl" level="DEBUG"/>


then within a minute or so your running server should pick up that change and for subsequent logins you should see correspondingly more in var/log/Blitz-0.log. If not, let us know and I'll dig more into how to get that. If you see something especially interesting from that extra logging then of course feel free to zip it up and share it via http://qa.openmicroscopy.org.uk/qa/upload/ but maybe the connection doesn't even get as far as those auth classes.

Cheers,
Mark

Re: sslv3 alert handshake failure when user attempts to log

Postby jacques2020 » Tue Jun 20, 2017 2:20 pm

Dear Mark and Jean-Marie,

I tried to add the two lines that Mark recommended at the end, just before the closing markup, and tried to connect using the omero search command or openssl s_client, but nothing appeared in Blitz-0.log. Did I miss something?

Thank you

Cheers

Jacques

Re: sslv3 alert handshake failure when user attempts to log

Postby jburel » Tue Jun 20, 2017 9:22 pm

Dear Jacques

I wrote a little Java example using Ice.InitializationData to test the connection. Hopefully that will help us figure out what the issue is. I ran it directly from the insight code base since I have the dependencies in the classpath. You might have to adjust it to your needs; you will also need to update the server name and credentials.

Code:
package org.openmicroscopy.shoola;

import omero.client;
import omero.api.IAdminPrx;
import omero.api.ServiceFactoryPrx;
import omero.model.Experimenter;

public class IceClient {

    IceClient() {}

    void connect()
    {
        client c = null;
        String server = "to_replace";
        String username = "to_replace";
        String password = "to_replace";
        String sessionID = "";
        try {
            Ice.InitializationData id = new Ice.InitializationData();
            id.properties = Ice.Util.createProperties(new String[] {});
            id.properties.setProperty("IceSSL.Ciphers", "ALL");
            id.properties.setProperty("IceSSL.VerifyPeer", "0"); // 1 requires a server certificate
            id.properties.setProperty("Ice.Plugin.IceSSL", "IceSSL.PluginFactory");
            id.properties.setProperty("Ice.Default.EndpointSelection", "Ordered");
            id.properties.setProperty("Ice.Default.PreferSecure", "1");
            // Verbose network, protocol and IceSSL tracing so the handshake can be followed
            id.properties.setProperty("Ice.Trace.Network", "3");
            id.properties.setProperty("Ice.Trace.Protocol", "1");
            id.properties.setProperty("Ice.Trace.Retry", "2");
            id.properties.setProperty("IceSSL.Trace.Security", "1");
            id.properties.setProperty("Ice.Warn.Connections", "1");
            id.properties.setProperty("Ice.Default.EncodingVersion", "1.0");
            // The client reads the server to connect to from omero.host
            id.properties.setProperty("omero.host", server);
            c = new client(id);
            c.createSession(username, password);
            ServiceFactoryPrx entryEncrypted = c.getSession();
            IAdminPrx prx = entryEncrypted.getAdminService();
            String userName = prx.getEventContext().userName;
            sessionID = prx.getEventContext().sessionUuid;
            System.err.println(sessionID);
            Experimenter exp = prx.lookupExperimenter(userName);
            System.err.println(exp);
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            // Always close the session and the Ice communicator
            if (c != null) c.__del__();
        }
    }

    public static void main(String[] args) {
        IceClient ic = new IceClient();
        ic.connect();
    }

}


Cheers

Jmarie