I have no problem using non secure API but when I attempted to use RouterOS secure API I couldn’t pass the handshake failure.
The router I am using is RB2011iL running RouterOS 6.48.5. It has secure API service enabled on the default port and has no certificate specified - default out of the box configuration.
I tried Python client example listed here https://wiki.mikrotik.com/wiki/Manual:API_Python3#code but it failed during the connect in do_handshake with the message: Ssl.SSLError: [SSL : NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:1131). I tried changing ADH-AES128-SHA256 cipher to ADH-AES256-GCM-SHA384 (see on why below) but got the same error. Since ssl.wrap_socket is now deprecated I tried using the SSLContext variant:
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
ctx.set_ciphers("ADH-AES256-GCM-SHA384")
s = ctx.wrap_socet(skt)
But got the same error.
Calling
for cipher in ctx.get_ciphers():
print(cipher)
does list ADH-AES256-GCM-SHA384 cipher so the client side seems to be fine.
I checked the server side using:
nmap --script ssl-enum-ciphers -p 8729 <host>
and it shows among other ciphers that for TLSv1.2 TLS_DH_anon_WITH_AES256_GCM_SHA384 is supported
which I think matches ADH-AES256-GCM-SHA384 which is why I was using it in the client.
Additionally I tried using openssl client to check the TLS connection:
openssl s_client -connect <host>:8729
But got a similar handshake error: sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1543: SSL alert number 40
I also got this same error 40 from my C++ client that says that error code 40 is a handshake error due to a missing cipher.
Finally I used openssl parameter to explicitly specify the cipher ADH-AES256-GCM-SHA384 but got the same error.
BTW I do understand that not having a trusted certificate on the server is not a good practice etc. but it does beat using a non-secure API and thus has its merits. And I plan on configuring and supporting the certificates as well.
Any help with this would be greatly appreciated.
Tiony Ustigal