Comments (18)

regalme commented on July 27, 2024

To accomplish the equivalent of TLSmode=require

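import ssl

from vertica_python import connect


def ssl_context() -> ssl.SSLContext:
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Encrypt without verifying the server certificate or its host name
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE
    # Exclude DH key exchange (the server's DH key is rejected as too small)
    context.set_ciphers('DEFAULT:!DH')
    return context

# hrh_user, hrh_password and hrh_schema are defined elsewhere
VERTICA_CONNECTION_INFO = {
    'host': 'nopet.com',
    'port': 5433,
    'user': hrh_user,
    'password': hrh_password,
    'database': 'HRH',
    'searchPath': hrh_schema,
    'ssl': ssl_context()
}

connect(**VERTICA_CONNECTION_INFO)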

from vertica-python.

sitingren commented on July 27, 2024

> Without this we have been unable to connect to our database using vertica_python

Have you tried to set 'ssl': True in the connection settings?

regalme commented on July 27, 2024

> > Without this we have been unable to connect to our database using vertica_python
>
> Have you tried to set 'ssl': True in the connection settings?

Sure did. Around 9.2, I believe, is when Vertica added TLSmode to ODBC, JDBC, and vsql. I have no control over our database, and when they moved it to the cloud it started requiring TLSmode=require. Can absolutely not connect without that being set as an option on the client side. The Python client seems to be the only client that is missing the feature.

sitingren commented on July 27, 2024

If 'ssl': True doesn't work, you may need 'ssl': <ssl.SSLContext object>, which gives you full control of the SSL socket: https://github.com/vertica/vertica-python#tlsssl

regalme commented on July 27, 2024

> If 'ssl': True doesn't work, you may need 'ssl': <ssl.SSLContext object>, which gives you full control of the SSL socket: https://github.com/vertica/vertica-python#tlsssl

For connections with JDBC, ODBC, and vsql, the only parameter we need to provide outside of the normal user, host, password, etc. is TLSmode=require. Any idea on what to provide on the SSLContext to mimic the same? I've looked at the decompiled JDBC driver at the TLSmode class and it's a little lost on me how to get it plugged into Python.

sitingren commented on July 27, 2024

Try the following setting for your ssl.SSLContext object:

  # Clear check_hostname first; setting CERT_NONE while it is enabled raises ValueError
  context.check_hostname = False
  context.verify_mode = ssl.CERT_NONE

regalme commented on July 27, 2024

> Try the following setting for your ssl.SSLContext object:
>
>   context.check_hostname = False
>   context.verify_mode = ssl.CERT_NONE

Still a nope.. getting vertica_python.errors.ConnectionError: [SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:1002)

sitingren commented on July 27, 2024

It is NOT

conn_info = {
    # ...
    'ssl': True,    # this SSL setting takes effect
    'ssl_options': {
        'ssl_context': ssl_context
    },
    # ...
}

It should be

conn_info = {
    # ...
    'ssl': ssl_context,
    # ...
}

I notice your error message is "dh key too small". Looks like this is not a problem of setting TLSmode to require or not. It is more of a system problem:
https://stackoverflow.com/questions/64354210/python-dh-key-too-small-which-side-is-faulty
https://stackoverflow.com/questions/61626206/what-could-cause-dh-key-too-small-error
The server is offering a weak DH key, the client wants a stronger key. The problem should usually be fixed at the server side.

regalme commented on July 27, 2024

> It is NOT
>
> conn_info = {
>     # ...
>     'ssl': True,    # this SSL setting takes effect
>     'ssl_options': {
>         'ssl_context': ssl_context
>     },
>     # ...
> }
>
> It should be
>
> conn_info = {
>     # ...
>     'ssl': ssl_context,
>     # ...
> }
>
> I notice your error message is "dh key too small". Looks like this is not a problem of setting TLSmode to require or not. It is more of a system problem:
> https://stackoverflow.com/questions/64354210/python-dh-key-too-small-which-side-is-faulty
> https://stackoverflow.com/questions/61626206/what-could-cause-dh-key-too-small-error
> The server is offering a weak DH key, the client wants a stronger key. The problem should usually be fixed at the server side.

There is 0 issue connecting to the server with any other driver (ODBC, JDBC, vsql); we supply TLSmode require. But I moved the context to the ssl as you suggested above and still the same error.

sitingren commented on July 27, 2024

Did you install all other drivers ODBC, JDBC, vsql on the same machine as vertica-python?
What's your server version?

sitingren commented on July 27, 2024

As I said earlier, 'ssl': True should be equivalent to TLSmode = require. You may need to add custom configuration in ssl_context as those stackoverflow answers suggested.

ssl_context.check_hostname = False
ssl_context.verify_mode = ssl.CERT_NONE
ssl_context.set_ciphers('DEFAULT:!DH')

regalme commented on July 27, 2024

> Did you install all other drivers ODBC, JDBC, vsql on the same machine as vertica-python?
> What's your server version?

Yes, I have used all drivers and even ODBC in Python, and would love to find a workaround to use vertica_python until the vertica_python driver gets updated to match what was done in all the other client drivers back at version 9.3, which was to add a parameter TLSmode, which takes 4 options: "disable, require, verify-ca, and verify-full". If you look at the TLSmode class in their Java driver you can see what I'm talking about.

regalme commented on July 27, 2024

> ssl_context.check_hostname = False
> ssl_context.verify_mode = ssl.CERT_NONE
> ssl_context.set_ciphers('DEFAULT:!DH')

OMG thank you, I owe you a beer! And @vertica-cla if you are watching this... please just add TLSmode to the Python driver! And type suggestions are your friend!

regalme commented on July 27, 2024

@sitingren I now see you are a member... do you think you could possibly add some of that functionality under a keyword TLSmode ... so the same connection string that works for ODBC and JDBC would work for python

KeeganCarter11 commented on July 27, 2024

@regalme Can you post a code snippet of what the end solution was?

regalme commented on July 27, 2024

I also did this so I can get type suggestions.. I would have added a union type to Row instead of any but that would have limited to python 3.11+

from typing import Any, List


# Wrapper for results Row
class Row(List[Any]):
    pass


# Wrapper for vertica_python.cursor.Cursor
class VerticaCursor:
    def __init__(self, cursor: Any) -> None:
        self.cursor = cursor

    def execute(self, query: str) -> None:
        self.cursor.execute(query)

    def close(self) -> None:
        self.cursor.close()

    def fetchall(self) -> List[Row]:
        result = self.cursor.fetchall()
        return result


# Wrapper for vertica_python.connection.Connection
class VerticaConnection:
    def __init__(self, connection: Any) -> None:
        self.connection = connection

    def cursor(self) -> VerticaCursor:
        return VerticaCursor(self.connection.cursor())

    def close(self) -> None:
        self.connection.close()

sitingren commented on July 27, 2024

@regalme I updated README with TLSmode examples: https://github.com/vertica/vertica-python#tlsssl
Please note that you cannot get rid of the "dh key too small" error even if vertica-python provides a TLSmode parameter, as the README shows the implementation of the 4 options "disable, require, verify-ca, and verify-full". Your problem needs a custom configuration: ssl_context.set_ciphers('DEFAULT:!DH').

sitingren commented on July 27, 2024

For type suggestions, you are welcome to contribute your own work if that can support Python 3.7+.
