
Dears~, My environment is: OS: Ubuntu 12.04.4 LTS, Python: Python 2.7.3. When I use ldap to connect to an AD server over SSL, I get this error: "A TLS packet with unexpected length was received". I captured the packets with tcpdump and found that the hello failed.

Hello details

But when I use a Perl script in the same environment it is OK, and the Python script running on Ubuntu 16 also connects successfully (only Python on Ubuntu 12 does not work). When the connection succeeds, the hello request carries more ciphers than the one from Ubuntu 12. Runs well on Ubuntu 16. When it fails, the AD server logs an error.

My test script is:

import ldap

TIMEOUT = 30
DEBUG_LEVEL = 8191
TRACE_LEVEL = 10
AD_HOST = "10.29.137.100"
USERNAME = "username"
PASSWORD = "password"

# Global (library-wide) options, set before any connection is created
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
ldap.set_option(ldap.OPT_DEBUG_LEVEL, DEBUG_LEVEL)

# Per-connection options
ldapConn = ldap.initialize("ldaps://" + AD_HOST + ":636",
                           trace_level=TRACE_LEVEL)
ldapConn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
ldapConn.set_option(ldap.OPT_X_TLS_CIPHER_SUITE, 'TLSv1:!NULL')
ldapConn.set_option(ldap.OPT_REFERRALS, 0)

ldapConn.set_option(ldap.OPT_NETWORK_TIMEOUT, TIMEOUT)
ldapConn.set_option(ldap.OPT_TIMEOUT, TIMEOUT)
ldapConn.simple_bind_s(USERNAME, PASSWORD)

My question is: how do I change the ciphers in a Python script? I found that ldapConn.set_option(ldap.OPT_X_TLS_CIPHER_SUITE, 'TLSv1:!NULL') does not work for me, and now I have no idea where to set these cipher values, or which third-party dependency I could upgrade to support more ciphers.

Thanks~~~

harry

2 Answers


You've just hit the Python 2/3 wall.

Your script is Python 3 that you are trying to run in a Python 2.7 environment, which is not backward compatible. The only option is to install Python 3 on Ubuntu 12 and run it there with python3.x.

An example is shown here.

ZF007
  • Thanks ZF007~ but both u12 and u16 have Python 2.7 installed. I will try installing 3.x on u12, but I'm not sure it will work. – harry Feb 07 '18 at 08:03
  • Seems likely 3.x is set as the default on your u16. Try asking at the command line. A few examples of how to ask Python are [here](https://askubuntu.com/questions/505081/what-version-of-python-do-i-have). – ZF007 Feb 07 '18 at 08:11
  • If this answer and comments helped you then check [here](https://stackoverflow.com/help/someone-answers) what to do next in the future on SO ;-) – ZF007 Feb 07 '18 at 08:17
  • Thank you, I confirm that both u12 and u16 are using Python 2.7 (u16 has Python 3 installed but it is not used here). – harry Feb 08 '18 at 02:17
  • Good to read the issue is solved. As you are new to SO, check **[this](https://stackoverflow.com/help/someone-answers)** page out on "What should I do when someone answers my question?". Enjoy SO ;-) – ZF007 Feb 08 '18 at 07:19
  • Sorry for my expression in the last comment, this issue is not solved yet. – harry Feb 11 '18 at 07:47
  • Thus you use the same Python version under u12 and u16. Then 2/3 is not the bottleneck for now in your test script. Check if `ldap` and `ssl` are the same versions as well... if not, check which version is used on each system. – ZF007 Feb 11 '18 at 11:48

Like me today, you're probably in the situation explained here: https://github.com/python-ldap/python-ldap/issues/55 (and here: https://github.com/pyldap/pyldap/issues/53):

Several, perhaps all, set_option(OPT_X_TLS_*, ...) calls require a final set_option(ldap.OPT_X_TLS_NEWCTX, 0) call to submit all previous set_option() calls. Without OPT_X_TLS_NEWCTX, the settings are effectively ignored.

=> You can either add ldap.set_option(ldap.OPT_X_TLS_CIPHER_SUITE, 'TLSv1:!NULL') before the initialize call, or add ldapConn.set_option(ldap.OPT_X_TLS_NEWCTX, 0) before the bind.

u890106
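The following is an added example, not code from the question or either answer, putting the OPT_X_TLS_NEWCTX point into a form you can drop into a script: every per-connection OPT_X_TLS_* option is collected in one sequence that ends with OPT_X_TLS_NEWCTX, so nothing is silently ignored. It also turns certificate verification on (OPT_X_TLS_DEMAND with a CA file) instead of the OPT_X_TLS_ALLOW used in the question, which accepts any certificate the server presents. The host, port, CA path, cipher string and bind DN are assumptions for illustration. A second, stdlib-only helper reports what the local OpenSSL can offer in a ClientHello and performs a handshake-only probe against port 636, which is the quickest way to compare the "fewer ciphers" Ubuntu 12 host with the working one. One caveat when comparing: on Debian and Ubuntu, libldap is normally built against GnuTLS rather than OpenSSL (the quoted error text is GnuTLS's), so OPT_X_TLS_CIPHER_SUITE is parsed as a GnuTLS priority string there and Python's `ssl` module does not necessarily see the same cipher list as python-ldap; `ldd` on the libldap shared object tells you which library is in use.

```python
"""LDAPS to AD with python-ldap, TLS options applied in the required order,
plus a stdlib TLS capability/handshake probe for comparing two client hosts.

Added example; not from the original post. Host, port, CA file, cipher
string and bind DN below are assumptions for illustration.
"""
import socket
import ssl


def tls_option_sequence(cipher_suite, ca_file):
    """Per-connection TLS options as (option name, value) pairs.

    OpenLDAP copies these into a new TLS context only when OPT_X_TLS_NEWCTX
    is set afterwards, so that option is deliberately the last entry.
    Values naming another ldap constant (e.g. "OPT_X_TLS_DEMAND") are
    resolved by the caller.
    """
    return [
        ("OPT_X_TLS_CACERTFILE", ca_file),
        ("OPT_X_TLS_REQUIRE_CERT", "OPT_X_TLS_DEMAND"),   # verify the server cert
        ("OPT_X_TLS_CIPHER_SUITE", cipher_suite),
        ("OPT_X_TLS_NEWCTX", 0),                          # must be last: commits the above
    ]


def connect_ldaps(host, port, ca_file, cipher_suite, bind_dn, password, timeout=30):
    """Open an LDAPS connection and bind. Requires python-ldap at call time."""
    import ldap  # imported here so the probe helpers below work without python-ldap

    conn = ldap.initialize("ldaps://%s:%d" % (host, port))
    conn.set_option(ldap.OPT_PROTOCOL_VERSION, 3)
    conn.set_option(ldap.OPT_REFERRALS, 0)
    conn.set_option(ldap.OPT_NETWORK_TIMEOUT, timeout)
    conn.set_option(ldap.OPT_TIMEOUT, timeout)
    for name, value in tls_option_sequence(cipher_suite, ca_file):
        if isinstance(value, str) and value.startswith("OPT_X_TLS_"):
            value = getattr(ldap, value)  # symbolic constant such as OPT_X_TLS_DEMAND
        conn.set_option(getattr(ldap, name), value)
    conn.simple_bind_s(bind_dn, password)
    return conn


def local_tls_capabilities():
    """What this interpreter's TLS library can put into a ClientHello."""
    ctx = ssl.create_default_context()
    return {
        "library": ssl.OPENSSL_VERSION,
        "ciphers": sorted(c["name"] for c in ctx.get_ciphers()),
    }


def probe_ldaps(host, port=636, timeout=10):
    """Handshake only, no bind: returns the negotiated protocol and cipher,
    or the handshake error text (e.g. an 'unexpected length' style failure)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # diagnostic only: we want the handshake outcome,
    ctx.verify_mode = ssl.CERT_NONE  # not a trust decision; never bind over this socket
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    # Assumed values: replace with your AD host, CA bundle and service account.
    caps = local_tls_capabilities()
    print(caps["library"], "offers", len(caps["ciphers"]), "cipher suites")
    print(probe_ldaps("10.29.137.100"))
    conn = connect_ldaps("10.29.137.100", 636, "/etc/ssl/certs/ad-ca.pem",
                         "HIGH:!aNULL:!MD5", "CN=svc,CN=Users,DC=example,DC=com",
                         "password")
    print("bound as", conn.whoami_s())
```

Run `local_tls_capabilities()` on both the Ubuntu 12 and Ubuntu 16 hosts and diff the cipher lists; if the old host offers only a handful of suites, no cipher string in the script will add suites the underlying library does not implement, and upgrading the TLS library (or the host) is the fix.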