Notice for Linode users
This is an announcement for users of the Linode driver for Libcloud who might have started experiencing issues recently.
Background
A couple of Libcloud users have reported that they have recently started experiencing issues when talking to the Linode API using Libcloud. They have received messages similar to the one shown below.
socket.error: [Errno 104] Connection reset by peer
It turns out that the issue is related to the used SSL / TLS version. For compatibility and security reasons (Libcloud also supports older Python versions), Libcloud uses TLS v1.0 by default.
Linode recently dropped support for TLS v1.0 and it now only support TLS >= v1.1. This means Libcloud won’t work out of the box anymore.
Solution
If you are experiencing this issue, you should update your code to use TLS v1.2 or TLS v1.1 as shown below.
import ssl
import libcloud.security
libcloud.security.SSL_VERSION = ssl.PROTOCOL_TLSv1_1
# or even better if your system and Python version supports TLS v1.2
libcloud.security.SSL_VERSION = ssl.PROTOCOL_TLSv1_2
# Instantiate and work with the Linode driver here...
Keep in mind that for this to work you need to have a recent version of OpenSSL installed on your system and you need to use Python >= 3.4 or Python 2.7.9.
For more details please see recently updated documentation. If you are still experiencing issues or have any questions, please feel free to reach us via the mailing list or IRC.
Note: Even if you are not experiencing any issues, it’s generally a good idea to use the highest version of TLS supported by your system and the provider you use.
Quick note on ssl.PROTOCOL_SSLv23
Python uses ssl.PROTOCOL_SSLv23
constant by default. When this constant is
used, it will let client known to pick the highest protocol version which both
the client and server support (it will be selecting between SSL v3.0, TLS v1.0,
TLS v1.1 and TLS v1.2).
We use ssl.PROTOCOL_TLSv1
instead of ssl.PROTOCOL_SSLv23
for security
and compatibility reasons. SSL v3.0 is considered broken and unsafe and using
ssl.PROTOCOL_SSLv23
can result in an increased risk for a downgrade attack.
Thanks
Special thanks to Jacob Riley, Steve V, Heath Naylor and everyone from LIBCLOUD-791 who helped debug and track down the root cause of this issue.