SSL: WRONG_VERSION_NUMBER

jeff.kenyon
jeff.kenyon LSEG
in Refinitiv Data Platform
A month or two back, I posted a question regarding connecting to RDP from behind a proxy server. The error stack had indicated a timeout issue, which led me to believe that the proxy server was preventing contact. Beyond the import of the API, the sum total of the RDP API calls in my script was a single line:

default_session = rdp.open_platform_session(app_id,rdp.GrantPassword(username = RDP_LOGIN,password = RDP_PASSWORD))

(The script succeeds in making the connection on my laptop, but not on my production server, which is behind a proxy server.)

Following up with the network group, we discovered that the proxy server was allowing the contact, but immediately closed the connection, due to a fatal protocol mismatch (see attached screen shot of proxy server network traffic: contact is line 9, with the protocol mismatch error immediately after).

In the course of trying to investigate that issue, I upgraded my RDP version, and my Python version. This had the impact of improving the error message to something far less misleading:

17:15:30 D:\TSRR>C:\Users\U8009777\AppData\Local\Programs\Python\Python39\python Test.py
Python version: 3.9.0 (tags/v3.9.0:9cf6752, Oct 5 2020, 15:34:40) [MSC v.1927 64 bit (AMD64)]
SSL version: OpenSSL 1.1.1g 21 Apr 2020
RDP version: 1.0.0a7
2020-11-13 17:17:57,716 - Session session.platform - Thread 5972 | MainThread
[Error -1 - ConnectError] b'[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1122)'

This is the point I'm currently stuck at. I have no idea what security protocol the RDP (AWS) server is expecting. Once I do find out, I have no idea how to modify either (a) the RDP API settings, (b) my Python session settings, and/or (c) my client's security setup, to accomodate RDP in successfully connecting.

Any guidance would be appreciated.
Tagged:

Best Answer

  • moragodkrit.chumsri_1
    moragodkrit.chumsri_1 LSEG
    Answer ✓

    Update from Jeff.


    The problem is now resolved. It seems to be an issue from the HTTPS proxy on the windows server.

    We change it from

    HTTPS_PROXY=https://webproxy.XXXX.services:xxx

    To:

    HTTPS_PROXY=http://webproxy.XXXXXX.services:xxx


    Now the test RDP script now connects, and the curl call works:

    * Uses proxy env variable https_proxy == 'http://webproxy.XXXX.services:XXX';

    * Trying XXXXXX:XXX...

    * Connected to webproxy.pln.corp.services (xx.xx.xx.xx) port xx (#0)

    * allocate connect buffer!

    * Establish HTTP proxy tunnel to api.edp.thomsonreuters.com:443

    > CONNECT api.edp.thomsonreuters.com:443 HTTP/1.1

    > Host: api.edp.thomsonreuters.com:443

    > User-Agent: curl/7.73.0

    > Proxy-Connection: Keep-Alive

    >

    < HTTP/1.0 200 Connection established

    <

    * Proxy replied 200 to CONNECT request

    * CONNECT phase completed!

    * ALPN, offering h2

    * ALPN, offering http/1.1

    * successfully set certificate verify locations:

    * CAfile: D:\curl-7.73.0-win64-mingw\bin\curl-ca-bundle.crt

    * CApath: none

    * TLSv1.3 (OUT), TLS handshake, Client hello (1):

    * CONNECT phase completed!

    * CONNECT phase completed!

    * TLSv1.3 (IN), TLS handshake, Server hello (2):

    * TLSv1.2 (IN), TLS handshake, Certificate (11):

    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):

    * TLSv1.2 (IN), TLS handshake, Server finished (14):

    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):

    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):

    * TLSv1.2 (OUT), TLS handshake, Finished (20):

    * TLSv1.2 (IN), TLS handshake, Finished (20):

    * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256

    * ALPN, server accepted to use h2

    * Server certificate:

    * subject: C=US; postalCode=10036; ST=NY; L=New York; street=3 Times Square; O=

    Thomson Reuters Inc; OU=EDS Request Response; CN=api.refinitiv.com

    * start date: Jul 29 00:00:00 2019 GMT

    * expire date: Jul 28 23:59:59 2021 GMT

    * subjectAltName: host "api.edp.thomsonreuters.com" matched cert's "api.edp.tho

    msonreuters.com"

    * issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMOD

    O RSA Organization Validation Secure Server CA

    * SSL certificate verify ok.

    * Using HTTP2, server supports multi-use

    * Connection state changed (HTTP/2 confirmed)

    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0


    * Using Stream ID: 1 (easy handle 0x3a68c98af0)

    > POST /auth/oauth2/v1/token HTTP/2

    > Host: api.edp.thomsonreuters.com

    > user-agent: curl/7.73.0

    > accept: application/json

    > content-type: application/x-www-form-urlencoded

    > content-length: 105

    >

    * Connection state changed (MAX_CONCURRENT_STREAMS == 128)!

    * We are completely uploaded and fine

    < HTTP/2 400

    < date: Tue, 17 Nov 2020 17:55:11 GMT

    < content-type: application/json

    < content-length: 204

    < access-control-allow-origin: *

    < server: edsgw

    < x-amzn-trace-id: Root=XXXXXXXXXXXXXXXXXXXXXXXXXX

    < x-served-by: region=us-east-1; cid=

    < x-tr-requestid: XXXXXXXXXXXXXXXXXXXXXXXXXX

    <

    {"error":{"id":"XXXXXXXXXXXXXXXXXXXXXXXXX","code":"400","message":"Va

    lidation error","status":"Bad Request","errors":[{"key":"grant_type","reason":"M

    issing required parameter 'grant_type'"}]}}

    * Connection #0 to host webproxy.XXXXXXXXXXXXXXXXXXXX.services left intact



Answers

  • jeff.kenyon
    jeff.kenyon LSEG
    Sorry, didn't realize that I wasn't going to have a chance to properly format my question, or add the screen shot of the network traffic through the proxy server. Please contact me via email and I can provide.
  • moragodkrit.chumsri_1
    moragodkrit.chumsri_1 LSEG

    @jeff.kenyon

    A bit confusing, I understand that you can run the same app from your laptop, but the problem found when running the python codes on the windows server. Is this correct?


    • Can you login to https://apidocs.refinitiv.com/ from the windows server?
    • Is this possible to clean remove python and the RDP library and then re-install 3.8 with the libs? I would suggest using conda to create a separate environment to avoid a problem with underlying libs that may update in the future.
    • Can you verify the connection to the server by using the below curl command from the windows server?
    curl --data-urlencode "username=<user>&password=<password>&grant_type=password≻ope=trapi" -X POST -H "Accept: application/json" -H "Content-Type: application/x-www-form-urlencoded" -v https://api.edp.thomsonreuters.com/auth/oauth2/v1/token

Categories