[RESOLVED] ssl_error_no_cypher_overlap

teracow
Newbie
Posts: 40
Joined: July 27th, 2012, 7:14 pm

[RESOLVED] ssl_error_no_cypher_overlap

Post by teracow »

Hi all,

Just recently started getting this error when attempting to log in via HTTPS to Sab (v0.7.9) via Firefox (v18.0.1).

from the Sab log:

Code:

2013-01-28 05:44:34,810::INFO::[_cplogging:55] [28/Jan/2013:05:44:34] ENGINE Bus STARTING
2013-01-28 05:44:34,886::INFO::[_cplogging:55] [28/Jan/2013:05:44:34] ENGINE Started monitor thread '_TimeoutMonitor'.
2013-01-28 05:44:34,989::INFO::[_cplogging:55] [28/Jan/2013:05:44:34] ENGINE Serving on 0.0.0.0:8800
2013-01-28 05:44:35,097::INFO::[_cplogging:55] [28/Jan/2013:05:44:35] ENGINE Serving on 0.0.0.0:9090
2013-01-28 05:44:35,099::INFO::[_cplogging:55] [28/Jan/2013:05:44:35] ENGINE Bus STARTED

which isn't showing my attempt to access the login page via HTTPS (port 9090).

HTTP (via port 8800) login works fine.

my server.cert and server.key files appear to be fine as SickBeard logs in correctly using this same certificate.

After spotting a post about a similar issue, I've checked in Firefox about:config that:
security.ssl3.rsa_rc2_40_md5 = true
security.ssl3.rsa_rc4_40_md5 = true

This setup WAS working, then suddenly stopped. The only change I had made was to alter the autoProcessTV.cfg file to communicate with SickBeard using SSL (e.g. ssl=1).

Does anyone know what I'm doing wrong?

Thanks. :-\
Last edited by teracow on February 1st, 2013, 6:52 pm, edited 1 time in total.
sander
Release Testers
Posts: 8832
Joined: January 22nd, 2008, 2:22 pm

Re: ssl_error_no_cypher_overlap

Post by sander »

I have no idea. Have you tried Chrome?
teracow
Newbie
Posts: 40
Joined: July 27th, 2012, 7:14 pm

Re: ssl_error_no_cypher_overlap

Post by teracow »

I'm running Kubuntu 12.10 so I installed Chromium...

shypike
Administrator
Posts: 19774
Joined: January 18th, 2008, 12:49 pm

Re: ssl_error_no_cypher_overlap

Post by shypike »

Did you switch from http to https using the same port and the same browser?
Browsers can be very stubborn about such changes.
You should clear the browser's cache and try again.
teracow
Newbie
Posts: 40
Joined: July 27th, 2012, 7:14 pm

Re: ssl_error_no_cypher_overlap

Post by teracow »

No, I had HTTP working on 8800, then enabled HTTPS on 9090. HTTP access worked for several days and HTTPS access worked for 2 days.

Then yesterday, the HTTPS access stopped working. It doesn't work on any machine on my LAN or from my tablet or phone.

The Chromium install I did this morning started with an empty cache. The only page I tried to access with it was Sab via HTTPS. It failed with the provided error. So, it's unlikely to be a browser-cache issue.
sander
Release Testers
Posts: 8832
Joined: January 22nd, 2008, 2:22 pm

Re: ssl_error_no_cypher_overlap

Post by sander »

Is the problem on the browser's side, or on the server (SAB) side?

Maybe you can run sslscan against SABnzbd?

Code:

sander@R540:~$ sslscan --no-failed localhost:9090
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009

Testing SSL server localhost on port 9090

  Supported Server Cipher(s):
    Accepted  SSLv3  256 bits  AES256-SHA
    Accepted  SSLv3  256 bits  CAMELLIA256-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Accepted  SSLv3  128 bits  SEED-SHA
    Accepted  SSLv3  128 bits  CAMELLIA128-SHA
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Accepted  SSLv3  56 bits   DES-CBC-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  256 bits  CAMELLIA256-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  SEED-SHA
    Accepted  TLSv1  128 bits  CAMELLIA128-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLSv1  56 bits   DES-CBC-SHA

  Prefered Server Cipher(s):
    SSLv3  256 bits  AES256-SHA
    TLSv1  256 bits  AES256-SHA

  SSL Certificate:
    Version: 0
    Serial Number: 1306651651
    Signature Algorithm: md5WithRSAEncryption
    Issuer: /CN=Certificate Authority
    Not valid before: May 29 06:47:31 2011 GMT
    Not valid after: May 26 06:47:31 2021 GMT
    Subject: /CN=SABnzbd
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
      Public-Key: (1024 bit)
      Modulus:
          00:a1:76:75:7b:59:4a:ab:e7:4a:b4:dd:4d:85:0a:
          ed:30:b4:92:2b:69:2c:17:3f:ea:02:f9:70:3e:f0:
          47:c1:a9:25:36:39:47:e5:00:89:ee:a8:f5:ce:33:
          e7:d0:5b:b1:92:ca:5f:8f:d1:11:d2:3d:df:a3:65:
          38:9a:31:71:ec:fc:03:16:7f:e5:c9:ba:89:3f:dd:
          7e:d7:81:e8:0a:32:3b:2e:71:ff:1f:e4:fa:6b:e4:
          d1:21:aa:c0:39:d7:13:d8:c2:c2:1e:4b:61:db:79:
          92:63:14:4d:74:14:21:85:27:4b:f6:8a:ba:9c:2b:
          d3:d3:b0:54:30:31:51:dd:b9
      Exponent: 65537 (0x10001)
  Verify Certificate:
    unable to get local issuer certificate
sander@R540:~$ 
sander
Release Testers
Posts: 8832
Joined: January 22nd, 2008, 2:22 pm

Re: ssl_error_no_cypher_overlap

Post by sander »

PS: do you use your own server.cert and server.key? If so, what happens if you don't use them (so go back to a more default SAB)?
teracow
Newbie
Posts: 40
Joined: July 27th, 2012, 7:14 pm

Re: ssl_error_no_cypher_overlap

Post by teracow »

okiedokie... here's the output when testing the HTTPS port on Sab:

Code:

$ sslscan --no-failed talia.:9090
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009

Testing SSL server talia. on port 9090

  Supported Server Cipher(s):

  Prefered Server Cipher(s):

and for comparison with SickBeard:

Code:

$ sslscan --no-failed talia.:7071
                   _
           ___ ___| |___  ___ __ _ _ __
          / __/ __| / __|/ __/ _` | '_ \
          \__ \__ \ \__ \ (_| (_| | | | |
          |___/___/_|___/\___\__,_|_| |_|

                  Version 1.8.2
             http://www.titania.co.uk
        Copyright Ian Ventura-Whiting 2009

Testing SSL server talia. on port 7071

  Supported Server Cipher(s):
    Accepted  SSLv3  256 bits  AES256-SHA
    Accepted  SSLv3  168 bits  DES-CBC3-SHA
    Accepted  SSLv3  128 bits  AES128-SHA
    Accepted  SSLv3  128 bits  RC4-SHA
    Accepted  SSLv3  128 bits  RC4-MD5
    Accepted  SSLv3  56 bits   DES-CBC-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  168 bits  DES-CBC3-SHA
    Accepted  TLSv1  128 bits  AES128-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  128 bits  RC4-MD5
    Accepted  TLSv1  56 bits   DES-CBC-SHA

  Prefered Server Cipher(s):
    SSLv3  256 bits  AES256-SHA
    TLSv1  256 bits  AES256-SHA

  SSL Certificate:
    Version: 0
    Serial Number: 1359180701
    Signature Algorithm: md5WithRSAEncryption
    Issuer: /CN=Certificate Authority
    Not valid before: Jan 26 06:11:42 2013 GMT
    Not valid after: Jan 24 06:11:42 2023 GMT
    Subject: /CN=SickBeard
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)
      Public-Key: (1024 bit)
      Modulus:
          00:d1:af:b9:7f:6f:1d:e8:33:a8:49:9b:e6:59:52:
          6e:8c:96:5d:87:db:0f:78:d2:9a:73:b1:55:35:f5:
          70:97:35:67:af:d8:f7:a7:95:05:11:6c:52:cd:91:
          91:4e:ad:eb:95:06:99:d4:d0:73:b3:c9:38:2f:9c:
          ef:8c:49:ab:b8:4a:f8:ed:e6:c6:70:b3:71:74:56:
          0e:da:9e:ef:c0:ce:9a:93:f0:e4:8d:a3:7a:0b:ab:
          31:bc:0c:ec:b5:f5:66:77:55:1b:72:9e:12:bd:43:
          76:ef:22:10:e3:47:ef:06:73:a8:22:6b:81:ba:07:
          e0:7a:c8:01:64:6a:f5:bb:2b
      Exponent: 65537 (0x10001)
  Verify Certificate:
    unable to get local issuer certificate

I'm just using the default cert with Sab. I haven't yet generated my own.
Last edited by teracow on January 27th, 2013, 5:52 pm, edited 1 time in total.
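
The reading of the two scans above (an empty "Supported Server Cipher(s)" list on port 9090 against a populated one on port 7071) can be automated. This is an added example, not part of the thread or of SABnzbd; the sample texts are constructed by abbreviating the sslscan 1.8.2 output posted above, and `parse_sslscan` and `diagnose` are hypothetical helper names.

```python
import re

# Constructed samples, abbreviated from the sslscan 1.8.2 output shown in this thread.
SAB_SCAN = """Testing SSL server talia. on port 9090

  Supported Server Cipher(s):

  Prefered Server Cipher(s):
"""
SICKBEARD_SCAN = """Testing SSL server talia. on port 7071

  Supported Server Cipher(s):
    Accepted  SSLv3  256 bits  AES256-SHA
    Accepted  SSLv3  56 bits   DES-CBC-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Accepted  TLSv1  128 bits  RC4-MD5

  Prefered Server Cipher(s):
    SSLv3  256 bits  AES256-SHA
"""

TARGET = re.compile(r"Testing SSL server (\S+) on port (\d+)")
ACCEPTED = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+) bits\s+(\S+)\s*$")


def parse_sslscan(text):
    """Return (target, {protocol: [(bits, cipher), ...]}) from sslscan text output."""
    target, accepted, in_supported = None, {}, False
    for line in text.splitlines():
        header = line.strip()
        found = TARGET.search(line)
        if found:
            target = "%s:%s" % found.groups()
        elif header.startswith("Supported Server Cipher"):
            in_supported = True
        elif header.endswith("Server Cipher(s):"):
            in_supported = False          # "Prefered ..." section: not the accepted list
        elif in_supported:
            row = ACCEPTED.match(line)    # Rejected/Failed rows (no --no-failed) are skipped
            if row:
                proto, bits, cipher = row.groups()
                accepted.setdefault(proto, []).append((int(bits), cipher))
    return target, accepted


def diagnose(text):
    """Heuristic: which side to investigate for a 'no cipher overlap' error."""
    target, accepted = parse_sslscan(text)
    if target is None:
        return "not-a-scan"
    if not accepted:
        return "server-side: %s completed no handshake with any offered cipher" % target
    count = sum(len(rows) for rows in accepted.values())
    return "client-side: %s accepts %d suites over %s" % (target, count, ", ".join(sorted(accepted)))
```

An empty accepted list only says that no handshake completed, so confirm the port is reachable before blaming the cipher configuration.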
sander
Release Testers
Posts: 8832
Joined: January 22nd, 2008, 2:22 pm

Re: ssl_error_no_cypher_overlap

Post by sander »

So ... what is your own conclusion from the first sslscan?
teracow
Newbie
Posts: 40
Joined: July 27th, 2012, 7:14 pm

Re: ssl_error_no_cypher_overlap

Post by teracow »

no cipher(s) available?
sander
Release Testers
Posts: 8832
Joined: January 22nd, 2008, 2:22 pm

Re: ssl_error_no_cypher_overlap

Post by sander »

teracow wrote: no cipher(s) available?

That would be my guess too.

So the problem is on the side of SAB? In the program files, in the sabnzbd.ini, in a library, or something else?

I would do this: move sabnzbd.ini, get a fresh SAB tar.gz, unpack it in some directory, run it (should start the wizard), and then check if HTTPS works correctly.
teracow
Newbie
Posts: 40
Joined: July 27th, 2012, 7:14 pm

Re: ssl_error_no_cypher_overlap

Post by teracow »

okiedokie... at this point I should probably mention that this Sab is running on a QNAP NAS (installed via qpkg).

I downloaded the current Sab python scripts, unpacked them then moved them to the NAS.

I stopped the current Sab service. Then started the new install:

Code:

# python2.6 SABnzbd.py 
2013-01-28 09:09:49,973::INFO::[SABnzbd:1256] --------------------------------
2013-01-28 09:09:49,974::INFO::[SABnzbd:1257] SABnzbd.py-0.7.9 (rev=c237ddfef464649ec3713d43c441def6c8656f46)
2013-01-28 09:09:49,974::INFO::[SABnzbd:1269] Platform = posix
2013-01-28 09:09:49,975::INFO::[SABnzbd:1270] Python-version = 2.6.8 (unknown, Apr 12 2012, 20:17:18) 
[GCC 4.2.1]
2013-01-28 09:09:49,976::INFO::[SABnzbd:1271] Arguments = SABnzbd.py
2013-01-28 09:09:49,977::INFO::[SABnzbd:1284] Read INI file /root/.sabnzbd/sabnzbd.ini
2013-01-28 09:09:49,978::INFO::[misc:362] download_dir directory: /root/Downloads/incomplete does not exist, try to create it
2013-01-28 09:09:49,981::INFO::[__init__:928] Loading data for bookmarks.sab from /root/.sabnzbd/admin/bookmarks.sab
2013-01-28 09:09:49,982::INFO::[__init__:931] /root/.sabnzbd/admin/bookmarks.sab missing, trying old cache
2013-01-28 09:09:49,983::INFO::[__init__:934] /root/.sabnzbd/cache/bookmarks.sab missing
2013-01-28 09:09:49,984::INFO::[__init__:928] Loading data for rss_data.sab from /root/.sabnzbd/admin/rss_data.sab
2013-01-28 09:09:49,984::INFO::[__init__:931] /root/.sabnzbd/admin/rss_data.sab missing, trying old cache
2013-01-28 09:09:49,985::INFO::[__init__:934] /root/.sabnzbd/cache/rss_data.sab missing
2013-01-28 09:09:49,986::INFO::[__init__:928] Loading data for totals9.sab from /root/.sabnzbd/admin/totals9.sab
2013-01-28 09:09:49,987::INFO::[__init__:931] /root/.sabnzbd/admin/totals9.sab missing, trying old cache
2013-01-28 09:09:49,988::INFO::[__init__:934] /root/.sabnzbd/cache/totals9.sab missing
2013-01-28 09:09:49,992::INFO::[postproc:90] Loading postproc queue
2013-01-28 09:09:49,993::INFO::[__init__:928] Loading data for postproc1.sab from /root/.sabnzbd/admin/postproc1.sab
2013-01-28 09:09:49,994::INFO::[__init__:931] /root/.sabnzbd/admin/postproc1.sab missing, trying old cache
2013-01-28 09:09:49,995::INFO::[__init__:934] /root/.sabnzbd/cache/postproc1.sab missing
2013-01-28 09:09:49,996::INFO::[__init__:928] Loading data for queue9.sab from /root/.sabnzbd/admin/queue9.sab
2013-01-28 09:09:49,997::INFO::[__init__:931] /root/.sabnzbd/admin/queue9.sab missing, trying old cache
2013-01-28 09:09:49,998::INFO::[__init__:934] /root/.sabnzbd/cache/queue9.sab missing
2013-01-28 09:09:50,000::INFO::[__init__:928] Loading data for watched_data.sab from /root/.sabnzbd/admin/watched_data.sab
2013-01-28 09:09:50,000::INFO::[__init__:931] /root/.sabnzbd/admin/watched_data.sab missing, trying old cache
2013-01-28 09:09:50,001::INFO::[__init__:934] /root/.sabnzbd/cache/watched_data.sab missing
2013-01-28 09:09:50,004::INFO::[downloader:209] Resuming
2013-01-28 09:09:50,025::INFO::[__init__:330] All processes started
2013-01-28 09:09:50,026::INFO::[SABnzbd:334] Web dir is /share/MD0_DATA/Public/SABnzbd-0.7.9/interfaces/Plush
2013-01-28 09:09:50,027::INFO::[SABnzbd:334] Web dir is /share/MD0_DATA/Public/SABnzbd-0.7.9/interfaces/Config
2013-01-28 09:09:50,047::INFO::[SABnzbd:463] _yenc module... found!
2013-01-28 09:09:50,048::INFO::[SABnzbd:471] par2 binary... found (/opt/bin/par2)
2013-01-28 09:09:50,049::INFO::[SABnzbd:479] unrar binary... found (/usr/local/sbin/unrar)
2013-01-28 09:09:50,049::INFO::[SABnzbd:484] unzip binary... found (/usr/bin/unzip)
2013-01-28 09:09:50,050::INFO::[SABnzbd:492] nice binary... NOT found!
2013-01-28 09:09:50,051::INFO::[SABnzbd:494] ionice binary... found (/usr/bin/ionice)
2013-01-28 09:09:50,051::INFO::[SABnzbd:499] pyOpenSSL... found (True)
2013-01-28 09:09:50,054::INFO::[SABnzbd:1483] Starting web-interface on localhost:8085
2013-01-28 09:09:50,055::INFO::[_cplogging:55] [28/Jan/2013:09:09:50] ENGINE Bus STARTING
2013-01-28 09:09:50,064::INFO::[_cplogging:55] [28/Jan/2013:09:09:50] ENGINE Started monitor thread '_TimeoutMonitor'.
2013-01-28 09:09:50,167::INFO::[_cplogging:55] [28/Jan/2013:09:09:50] ENGINE Serving on localhost:8085
2013-01-28 09:09:50,169::INFO::[_cplogging:55] [28/Jan/2013:09:09:50] ENGINE Bus STARTED
2013-01-28 09:09:50,170::INFO::[panic:247] Lauching browser with http://localhost:8085/sabnzbd
2013-01-28 09:09:51,218::INFO::[SABnzbd:1552] Starting SABnzbd.py-0.7.9
2013-01-28 09:09:51,221::INFO::[dirscanner:274] Dirscanner starting up
2013-01-28 09:09:51,223::INFO::[urlgrabber:77] URLGrabber starting up

So, from my trusty PC, I go to

Code:

http://talia.:8085

and get no response.

I ran sslscan again - no response.

My understanding from the QNAP forum is that Sab runs inside a wrapper but essentially runs as it normally would, upgrades apply correctly, and all that jazz.

However, I don't know what goes on behind-the-scenes here to determine what the wrapper configures in the NAS (firewalls and such). I suspect that the selected port needs to be opened as it's not reachable:

Code:

$ nmap talia. -p8085

Starting Nmap 6.00 ( http://nmap.org ) at 2013-01-28 09:38 EST
Nmap scan report for talia. (10.0.0.2)
Host is up (0.00011s latency).
PORT     STATE  SERVICE
8085/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 0.03 seconds

So I modify the new Sab config to use the old Sab port 8800 and start it running again. When starting up, it uses the 8800 port. Same thing - not reachable and shown as closed in nmap.

Should I post this one back on the QNAP forum?
sander
Release Testers
Posts: 8832
Joined: January 22nd, 2008, 2:22 pm

Re: ssl_error_no_cypher_overlap

Post by sander »

Wait: have you filled out 0.0.0.0 as listening host in the SABnzbd wizard? Double-check for that: can you access over plain HTTP?
teracow
Newbie
Posts: 40
Joined: July 27th, 2012, 7:14 pm

Re: ssl_error_no_cypher_overlap

Post by teracow »

I couldn't get any access to Sab via the browser. So I haven't been through the wizard config. My checks were only using HTTP.
sander
Release Testers
Posts: 8832
Joined: January 22nd, 2008, 2:22 pm

Re: ssl_error_no_cypher_overlap

Post by sander »

teracow wrote: I couldn't get any access to Sab via the browser. So I haven't been through the wizard config. My checks were only using HTTP.

Make sure SAB is accessible from other systems, make sure HTTPS is running and try it from your web browser. And only if you get the same error message, run sslscanner against the HTTPS port of SAB.

HTH