
[RESOLVED] ssl_error_no_cypher_overlap

Posted: January 27th, 2013, 3:34 pm
by teracow
Hi all,

Just recently started getting this error when attempting to log in via HTTPS to Sab (v0.7.9) via Firefox (v18.0.1)

from the Sab log:

Code:

2013-01-28 05:44:34,810::INFO::[_cplogging:55] [28/Jan/2013:05:44:34] ENGINE Bus STARTING
2013-01-28 05:44:34,886::INFO::[_cplogging:55] [28/Jan/2013:05:44:34] ENGINE Started monitor thread '_TimeoutMonitor'.
2013-01-28 05:44:34,989::INFO::[_cplogging:55] [28/Jan/2013:05:44:34] ENGINE Serving on 0.0.0.0:8800
2013-01-28 05:44:35,097::INFO::[_cplogging:55] [28/Jan/2013:05:44:35] ENGINE Serving on 0.0.0.0:9090
2013-01-28 05:44:35,099::INFO::[_cplogging:55] [28/Jan/2013:05:44:35] ENGINE Bus STARTED

which isn't showing my attempt to access the login page via HTTPS (port 9090).

HTTP (via port 8800) login works fine.

My server.cert and server.key files appear to be fine as SickBeard logs in correctly using this same certificate.

After spotting a post about a similar issue, I've checked in Firefox about:config that:
security.ssl3.rsa_rc2_40_md5 = true
security.ssl3.rsa_rc4_40_md5 = true

This setup WAS working, then suddenly stopped. The only change I had made was to alter the autoProcessTV.cfg file to communicate with SickBeard using SSL (e.g. ssl=1)

Does anyone know what I'm doing wrong?

Thanks. :-\

Re: ssl_error_no_cypher_overlap

Posted: January 27th, 2013, 3:59 pm
by sander
I have no idea. Have you tried Chrome?

Re: ssl_error_no_cypher_overlap

Posted: January 27th, 2013, 4:20 pm
by teracow
I'm running Kubuntu 12.10 so I installed Chromium...


Re: ssl_error_no_cypher_overlap

Posted: January 27th, 2013, 4:24 pm
by shypike
Did you switch from http to https using the same port and the same browser?
Browsers can be very stubborn about such changes.
You should clear the browser's cache and try again.

Re: ssl_error_no_cypher_overlap

Posted: January 27th, 2013, 4:42 pm
by teracow
No, I had HTTP working on 8800, then enabled HTTPS on 9090. HTTP access worked for several days and HTTPS access worked for 2 days.

Then yesterday, the HTTPS access stopped working. It doesn't work on any machine on my LAN or from my tablet or phone.

The Chromium install I did this morning started with an empty cache. The only page I tried to access with it was Sab via HTTPS. It failed with the provided error. So, it's unlikely to be a browser-cache issue.

Re: ssl_error_no_cypher_overlap

Posted: January 27th, 2013, 4:47 pm
by sander
Is the problem on the browser's side, or on the server (SAB) side?

Maybe you can run sslscan against SABnzbd?

Code:

sander@R540:~$ sslscan --no-failed localhost:9090
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009

Testing SSL server localhost on port 9090

  Supported Server Cipher(s):
    Accepted  SSLv3  256 bits  AES256-SHA
    Accepted  SSLv3  256 bits  CAMELLIA256-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Accepted  SSLv3  128 bits  SEED-SHA
    Accepted  SSLv3  128 bits  CAMELLIA128-SHA
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Accepted  SSLv3  56 bits   DES-CBC-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  256 bits  CAMELLIA256-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  SEED-SHA
    Accepted  TLSv1  128 bits  CAMELLIA128-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLSv1  56 bits   DES-CBC-SHA

  Prefered Server Cipher(s):
    SSLv3  256 bits  AES256-SHA
    TLSv1  256 bits  AES256-SHA

  SSL Certificate:
    Version: 0
    Serial Number: 1306651651
    Signature Algorithm: md5WithRSAEncryption
    Issuer: /CN=Certificate Authority
    Not valid before: May 29 06:47:31 2011 GMT
    Not valid after: May 26 06:47:31 2021 GMT
    Subject: /CN=SABnzbd
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
      Public-Key: (1024 bit)
      Modulus:
          00:a1:76:75:7b:59:4a:ab:e7:4a:b4:dd:4d:85:0a:
          ed:30:b4:92:2b:69:2c:17:3f:ea:02:f9:70:3e:f0:
          47:c1:a9:25:36:39:47:e5:00:89:ee:a8:f5:ce:33:
          e7:d0:5b:b1:92:ca:5f:8f:d1:11:d2:3d:df:a3:65:
          38:9a:31:71:ec:fc:03:16:7f:e5:c9:ba:89:3f:dd:
          7e:d7:81:e8:0a:32:3b:2e:71:ff:1f:e4:fa:6b:e4:
          d1:21:aa:c0:39:d7:13:d8:c2:c2:1e:4b:61:db:79:
          92:63:14:4d:74:14:21:85:27:4b:f6:8a:ba:9c:2b:
          d3:d3:b0:54:30:31:51:dd:b9
      Exponent: 65537 (0x10001)
  Verify Certificate:
    unable to get local issuer certificate
sander@R540:~$ 

Re: ssl_error_no_cypher_overlap

Posted: January 27th, 2013, 4:49 pm
by sander
PS: do you use your own server.cert and server.key? If so, what happens if you don't use them (so go back to a more default SAB)?

Re: ssl_error_no_cypher_overlap

Posted: January 27th, 2013, 4:57 pm
by teracow
okiedokie... here's the output when testing the HTTPS port on Sab:

Code:

$ sslscan --no-failed talia.:9090
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009

Testing SSL server talia. on port 9090

  Supported Server Cipher(s):

  Prefered Server Cipher(s):

and for comparison with SickBeard:

Code:

$ sslscan --no-failed talia.:7071
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|
                                                                                                                                                                                    
                  Version 1.8.2
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009

Testing SSL server talia. on port 7071

  Supported Server Cipher(s):
    Accepted  SSLv3  256 bits  AES256-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Accepted  SSLv3  56 bits   DES-CBC-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLSv1  56 bits   DES-CBC-SHA

  Prefered Server Cipher(s):
    SSLv3  256 bits  AES256-SHA
    TLSv1  256 bits  AES256-SHA

  SSL Certificate:
    Version: 0
    Serial Number: 1359180701
    Signature Algorithm: md5WithRSAEncryption
    Issuer: /CN=Certificate Authority
    Not valid before: Jan 26 06:11:42 2013 GMT
    Not valid after: Jan 24 06:11:42 2023 GMT
    Subject: /CN=SickBeard
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
      Public-Key: (1024 bit)
      Modulus:
          00:d1:af:b9:7f:6f:1d:e8:33:a8:49:9b:e6:59:52:
          6e:8c:96:5d:87:db:0f:78:d2:9a:73:b1:55:35:f5:
          70:97:35:67:af:d8:f7:a7:95:05:11:6c:52:cd:91:
          91:4e:ad:eb:95:06:99:d4:d0:73:b3:c9:38:2f:9c:
          ef:8c:49:ab:b8:4a:f8:ed:e6:c6:70:b3:71:74:56:
          0e:da:9e:ef:c0:ce:9a:93:f0:e4:8d:a3:7a:0b:ab:
          31:bc:0c:ec:b5:f5:66:77:55:1b:72:9e:12:bd:43:
          76:ef:22:10:e3:47:ef:06:73:a8:22:6b:81:ba:07:
          e0:7a:c8:01:64:6a:f5:bb:2b
      Exponent: 65537 (0x10001)
  Verify Certificate:
    unable to get local issuer certificate
I'm just using the default cert with Sab. I haven't yet generated my own.
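
Added example, not part of teracow's post and not code from SABnzbd or sslscan: a small Python parser for the sslscan 1.8.2 text output shown above. It reports an empty accepted-cipher list (the port 9090 result) and, for a non-empty scan, flags weak entries of the kind visible in the port 7071 result. The function names, the weakness thresholds and the trimmed sample strings are assumptions constructed for this example.

```python
import re

# Row shapes in sslscan 1.8.2 text output, as shown in the thread.
ACCEPTED = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+) bits\s+(\S+)\s*$")
SIG_ALG = re.compile(r"^\s*Signature Algorithm:\s*(\S+)")
RSA_BITS = re.compile(r"^\s*RSA Public Key:\s*\((\d+) bit\)")

def parse_sslscan(text):
    """Collect accepted (protocol, bits, cipher) rows and certificate facts."""
    scan = {"accepted": [], "sig_alg": None, "rsa_bits": None}
    for line in text.splitlines():
        if m := ACCEPTED.match(line):
            scan["accepted"].append((m.group(1), int(m.group(2)), m.group(3)))
        elif m := SIG_ALG.match(line):
            scan["sig_alg"] = m.group(1)
        elif m := RSA_BITS.match(line):
            scan["rsa_bits"] = int(m.group(1))
    return scan

def findings(scan):
    """Summarise a parsed scan; the thresholds are this example's assumptions."""
    if not scan["accepted"]:
        # Empty "Supported Server Cipher(s)": no tested cipher was accepted,
        # consistent with the browser's ssl_error_no_cypher_overlap.
        return ["no cipher accepted in this scan"]
    out = []
    for proto, bits, cipher in scan["accepted"]:
        if bits < 128 or "RC4" in cipher or cipher.endswith("-MD5"):
            out.append(f"weak cipher: {proto} {cipher} ({bits} bits)")
    if (scan["sig_alg"] or "").lower().startswith("md5"):
        out.append(f"weak certificate signature: {scan['sig_alg']}")
    if scan["rsa_bits"] is not None and scan["rsa_bits"] < 2048:
        out.append(f"short RSA key: {scan['rsa_bits']} bits")
    return out

# Constructed samples, cut down from the shape of the two scans in the thread.
EMPTY_SCAN = "  Supported Server Cipher(s):\n\n  Prefered Server Cipher(s):\n"
WORKING_SCAN = """  Supported Server Cipher(s):
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLSv1  56 bits   DES-CBC-SHA
  SSL Certificate:
    Signature Algorithm: md5WithRSAEncryption
    RSA Public Key: (1024 bit)
"""

if __name__ == "__main__":
    for name, text in (("9090", EMPTY_SCAN), ("7071", WORKING_SCAN)):
        print(name, findings(parse_sslscan(text)))
```
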

Re: ssl_error_no_cypher_overlap

Posted: January 27th, 2013, 5:04 pm
by sander
So ... what is your own conclusion from the first sslscan?

Re: ssl_error_no_cypher_overlap

Posted: January 27th, 2013, 5:05 pm
by teracow
no cipher(s) available?

Re: ssl_error_no_cypher_overlap

Posted: January 27th, 2013, 5:24 pm
by sander
teracow wrote: no cipher(s) available?
That would be my guess too.

So the problem is on the side of SAB? In the program files, in the sabnzbd.ini, in a library, or something else?

I would do this: move sabnzbd.ini, get a fresh SAB tar.gz, unpack it in some directory, run it (should start the wizard), and then check if HTTPS works correctly.

Re: ssl_error_no_cypher_overlap

Posted: January 27th, 2013, 6:46 pm
by teracow
okiedokie... at this point I should probably mention that this Sab is running on a QNAP NAS (installed via qpkg).

I downloaded the current Sab python scripts, unpacked them then moved them to the NAS.

I stopped the current Sab service. Then started the new install:

Code:

# python2.6 SABnzbd.py 
2013-01-28 09:09:49,973::INFO::[SABnzbd:1256] --------------------------------
2013-01-28 09:09:49,974::INFO::[SABnzbd:1257] SABnzbd.py-0.7.9 (rev=c237ddfef464649ec3713d43c441def6c8656f46)
2013-01-28 09:09:49,974::INFO::[SABnzbd:1269] Platform = posix
2013-01-28 09:09:49,975::INFO::[SABnzbd:1270] Python-version = 2.6.8 (unknown, Apr 12 2012, 20:17:18) 
[GCC 4.2.1]
2013-01-28 09:09:49,976::INFO::[SABnzbd:1271] Arguments = SABnzbd.py
2013-01-28 09:09:49,977::INFO::[SABnzbd:1284] Read INI file /root/.sabnzbd/sabnzbd.ini
2013-01-28 09:09:49,978::INFO::[misc:362] download_dir directory: /root/Downloads/incomplete does not exist, try to create it
2013-01-28 09:09:49,981::INFO::[__init__:928] Loading data for bookmarks.sab from /root/.sabnzbd/admin/bookmarks.sab
2013-01-28 09:09:49,982::INFO::[__init__:931] /root/.sabnzbd/admin/bookmarks.sab missing, trying old cache
2013-01-28 09:09:49,983::INFO::[__init__:934] /root/.sabnzbd/cache/bookmarks.sab missing
2013-01-28 09:09:49,984::INFO::[__init__:928] Loading data for rss_data.sab from /root/.sabnzbd/admin/rss_data.sab
2013-01-28 09:09:49,984::INFO::[__init__:931] /root/.sabnzbd/admin/rss_data.sab missing, trying old cache
2013-01-28 09:09:49,985::INFO::[__init__:934] /root/.sabnzbd/cache/rss_data.sab missing
2013-01-28 09:09:49,986::INFO::[__init__:928] Loading data for totals9.sab from /root/.sabnzbd/admin/totals9.sab
2013-01-28 09:09:49,987::INFO::[__init__:931] /root/.sabnzbd/admin/totals9.sab missing, trying old cache
2013-01-28 09:09:49,988::INFO::[__init__:934] /root/.sabnzbd/cache/totals9.sab missing
2013-01-28 09:09:49,992::INFO::[postproc:90] Loading postproc queue
2013-01-28 09:09:49,993::INFO::[__init__:928] Loading data for postproc1.sab from /root/.sabnzbd/admin/postproc1.sab
2013-01-28 09:09:49,994::INFO::[__init__:931] /root/.sabnzbd/admin/postproc1.sab missing, trying old cache
2013-01-28 09:09:49,995::INFO::[__init__:934] /root/.sabnzbd/cache/postproc1.sab missing
2013-01-28 09:09:49,996::INFO::[__init__:928] Loading data for queue9.sab from /root/.sabnzbd/admin/queue9.sab
2013-01-28 09:09:49,997::INFO::[__init__:931] /root/.sabnzbd/admin/queue9.sab missing, trying old cache
2013-01-28 09:09:49,998::INFO::[__init__:934] /root/.sabnzbd/cache/queue9.sab missing
2013-01-28 09:09:50,000::INFO::[__init__:928] Loading data for watched_data.sab from /root/.sabnzbd/admin/watched_data.sab
2013-01-28 09:09:50,000::INFO::[__init__:931] /root/.sabnzbd/admin/watched_data.sab missing, trying old cache
2013-01-28 09:09:50,001::INFO::[__init__:934] /root/.sabnzbd/cache/watched_data.sab missing
2013-01-28 09:09:50,004::INFO::[downloader:209] Resuming
2013-01-28 09:09:50,025::INFO::[__init__:330] All processes started
2013-01-28 09:09:50,026::INFO::[SABnzbd:334] Web dir is /share/MD0_DATA/Public/SABnzbd-0.7.9/interfaces/Plush
2013-01-28 09:09:50,027::INFO::[SABnzbd:334] Web dir is /share/MD0_DATA/Public/SABnzbd-0.7.9/interfaces/Config
2013-01-28 09:09:50,047::INFO::[SABnzbd:463] _yenc module... found!
2013-01-28 09:09:50,048::INFO::[SABnzbd:471] par2 binary... found (/opt/bin/par2)
2013-01-28 09:09:50,049::INFO::[SABnzbd:479] unrar binary... found (/usr/local/sbin/unrar)
2013-01-28 09:09:50,049::INFO::[SABnzbd:484] unzip binary... found (/usr/bin/unzip)
2013-01-28 09:09:50,050::INFO::[SABnzbd:492] nice binary... NOT found!
2013-01-28 09:09:50,051::INFO::[SABnzbd:494] ionice binary... found (/usr/bin/ionice)
2013-01-28 09:09:50,051::INFO::[SABnzbd:499] pyOpenSSL... found (True)
2013-01-28 09:09:50,054::INFO::[SABnzbd:1483] Starting web-interface on localhost:8085
2013-01-28 09:09:50,055::INFO::[_cplogging:55] [28/Jan/2013:09:09:50] ENGINE Bus STARTING
2013-01-28 09:09:50,064::INFO::[_cplogging:55] [28/Jan/2013:09:09:50] ENGINE Started monitor thread '_TimeoutMonitor'.
2013-01-28 09:09:50,167::INFO::[_cplogging:55] [28/Jan/2013:09:09:50] ENGINE Serving on localhost:8085
2013-01-28 09:09:50,169::INFO::[_cplogging:55] [28/Jan/2013:09:09:50] ENGINE Bus STARTED
2013-01-28 09:09:50,170::INFO::[panic:247] Lauching browser with http://localhost:8085/sabnzbd
2013-01-28 09:09:51,218::INFO::[SABnzbd:1552] Starting SABnzbd.py-0.7.9
2013-01-28 09:09:51,221::INFO::[dirscanner:274] Dirscanner starting up
2013-01-28 09:09:51,223::INFO::[urlgrabber:77] URLGrabber starting up

So, from my trusty PC, I go to

Code:

http://talia.:8085

and get no response.

I ran sslscan again - no response.

My understanding from the QNAP forum is that Sab runs inside a wrapper but essentially runs as it normally would, upgrades apply correctly, and all that jazz.

However, I don't know what goes on behind-the-scenes here to determine what the wrapper configures in the NAS (firewalls and such). I suspect that the selected port needs to be opened as it's not reachable:

Code:

$ nmap talia. -p8085

Starting Nmap 6.00 ( http://nmap.org ) at 2013-01-28 09:38 EST
Nmap scan report for talia. (10.0.0.2)
Host is up (0.00011s latency).
PORT     STATE  SERVICE
8085/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds

So I modify the new Sab config to use the old Sab port 8800 and start it running again. When starting up, it uses the 8800 port. Same thing - not reachable and shown as closed in nmap.

Should I post this one back on the QNAP forum?

Re: ssl_error_no_cypher_overlap

Posted: January 28th, 2013, 1:21 am
by sander
Wait: have you filled out 0.0.0.0 as listening host in the SABnzbd wizard? Double-check for that: can you access over plain HTTP?

Re: ssl_error_no_cypher_overlap

Posted: January 28th, 2013, 1:50 am
by teracow
I couldn't get any access to Sab via the browser. So I haven't been through the wizard config. My checks were only using HTTP.

Re: ssl_error_no_cypher_overlap

Posted: January 28th, 2013, 12:21 pm
by sander
teracow wrote: I couldn't get any access to Sab via the browser. So I haven't been through the wizard config. My checks were only using HTTP.

Make sure SAB is accessible from other systems, make sure HTTPS is running and try it from your web browser. And only if you get the same error message, run sslscan against the HTTPS port of SAB.

HTH