Connection Reset by Peer

[SL229844]

I'm running the python client, and have the following issue with the sample code:

Code:

Python 2.7.3 (default, Jun 21 2012, 16:13:27) 
Type "copyright", "credits" or "license" for more information.

IPython 0.12.1 -- An enhanced Interactive Python.
?         -> Introduction and overview of IPython's features.
%quickref -> Quick reference.
help      -> Python's own help system.
object?   -> Details about 'object', use 'object??' for extra details.

In [1]: import SoftLayer.API

In [2]: client = SoftLayer.API.Client('SoftLayer_Account', None, 'XXX', 'XXX')

In [3]: account = client.getObject()

which will hang for a good while, and eventually die with the following:

<snip massive stack trace />

Code:

/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ssl.pyc in __init__(self, sock, keyfile, certfile, server_side, cert_reqs, ssl_version, ca_certs, do_handshake_on_connect, suppress_ragged_eofs, ciphers)
    141                                         ciphers)
    142             if do_handshake_on_connect:
--> 143                 self.do_handshake()
    144         self.keyfile = keyfile
    145         self.certfile = certfile

/opt/local/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/ssl.pyc in do_handshake(self)
    303         """Perform a TLS/SSL handshake."""
    304 
--> 305         self._sslobj.do_handshake()
    306 
    307     def _real_connect(self, addr, return_errno):

error: [Errno 54] Connection reset by peer

trying to curl the base url for the service, using a version of curl compiled against the same version of openssl used by python I get the following:

Code:

$ curl -vvv https://api.softlayer.com/xmlrpc/v3/
* About to connect() to api.softlayer.com port 443 (#0)
*   Trying 66.228.119.116...
* connected
* Connected to api.softlayer.com (66.228.119.116) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: /opt/local/share/curl/curl-ca-bundle.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):

<massive wait for timeout here />

* Unknown SSL protocol error in connection to api.softlayer.com:443 
* Closing connection #0

Anyone else run into this?

*tested other https urls with this version of curl and they work well

[avankirk]

Having taken a look at this, I'm not able to replicate the issue on Ubuntu 12.04.

Code:

# ./sltest.py
{'accountStatusId': '(Redacted)',
 'address1': '(Redacted)',
 'allowedPptpVpnQuantity': '(Redacted)',
 'brandId': '(Redacted)',
 'city': '(Redacted)',
 'claimedTaxExemptTxFlag': '(Redacted)',
 'companyName': '(Redacted)',
 'country': '(Redacted)',
 'createDate': '(Redacted)',
 'email': '(Redacted)',
 'firstName': '(Redacted)',
 'id': '(Redacted)',
 'isReseller': '(Redacted)',
 'lastName': '(Redacted)',
 'lateFeeProtectionFlag': '(Redacted)',
 'modifyDate': '(Redacted)',
 'officePhone': '(Redacted)',
 'postalCode': '(Redacted)',
 'state': '(Redacted)',
 'statusDate': '(Redacted)'}

Code:

# curl -vvv https://api.softlayer.com/xmlrpc/v3/
* About to connect() to api.softlayer.com port 443 (#0)
*   Trying 66.228.119.116... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-MD5
* Server certificate:
*        subject: serialNumber=qs6Aq9Tiz-VcG-ljOlAuSGk7SQjTp2O3; C=US; O=api.softlayer.com; OU=GT04563713; OU=See www.rapidssl.com/resources/cps (c)12; OU=Domain Control Validated - RapidSSL(R); CN=api.softlayer.com
*        start date: 2012-04-18 15:17:12 GMT
*        expire date: 2014-06-20 05:29:30 GMT
*        subjectAltName: api.softlayer.com matched
*        issuer: C=US; O=GeoTrust, Inc.; CN=RapidSSL CA
*        SSL certificate verify ok.
> GET /xmlrpc/v3/ HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: api.softlayer.com
> Accept: */*
>
< HTTP/1.1 200 OK
< X-Backside-Transport: OK OK
< Date: Mon, 02 Jul 2012 15:52:47 GMT
< Server: Apache
< Content-Type: text/xml
< X-Client-IP: 192.168.67.115
< Connection: close
< Content-Length: 368
<
<?xml version="1.0" encoding="iso-8859-1"?>
<methodResponse>
<fault>
 <value>
  <struct>
   <member>
    <name>faultCode</name>
    <value>
     <string>-32601</string>
    </value>
   </member>
   <member>
    <name>faultString</name>
    <value>
     <string>Service does not exist</string>
    </value>
   </member>
  </struct>
 </value>
</fault>
</methodResponse>
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):

It's possible that this may have been a temporary issue, but if it's still occurring for you it may be an issue with the local SSL toolkit on the system you're connecting from.

If you're still having problems, try reinstalling your SSL toolkit.

[kyleward]

Hello,

I have ran into the same problem using Debian Wheezy. It seems this error occurs only on openssl versions 1.x as the python client on a system using openssl version 0.9.8 this error does not occur.

If you edit /usr/lib/python2.7/ssl.py correctly then the client works without error.

You will see a line that looks like this:

Code:

_DEFAULT_CIPHERS = 'DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2'

If you just comment that line out and add this code instead then everything works fine:

Code:

_DEFAULT_CIPHERS = 'RC4-MD5'

Try that and let us know.

Regards,
Kyle W.
SoftLayer CSA

[jpr5]

Works most of the time, but not always. I'd say fails 20% of the time.

Some demo Ruby 1.8.7 code using OpenSSL 1.0.1c 10 May 2012:

Quote:

require 'net/http'
require 'net/https'

Net::HTTP.class_eval { ssl_context_accessor :ciphers }

foo = URI("https://api.softlayer.com/")
http = Net::HTTP.new(foo.host, foo.port)
http.use_ssl = true
http.ciphers = 'RC4-MD5'
http.set_debug_output $stdout

begin
response = http.request(Net::HTTP::Get.new(foo.request_uri))
rescue => e
puts e.inspect
end

When it fails, I get:

Quote:

#<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate A: decryption failed or bad record mac>

Debugging it further I see that this happens during the SSL handshake, before the server cert is ever verified.

We integrate with several other sites in addition to SoftLayer - Zerigo, Rackspace Cloud, etc. By now everyone else we use has this fixed 100%. Really frustrating.

[gbock]

There will be an upcoming maintenance to address the issue.

[gbock]

This should be resolved.