The router I am using is an RB2011iL running RouterOS 6.48.5. It has the secure API service enabled on the default port and has no certificate specified - the default out-of-the-box configuration.
I tried the Python client example listed here https://wiki.mikrotik.com/wiki/Manual:API_Python3#code but it failed during the connect in do_handshake with the message: ssl.SSLError: [SSL: NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:1131). I tried changing the ADH-AES128-SHA256 cipher to ADH-AES256-GCM-SHA384 (see why below) but got the same error. Since ssl.wrap_socket is now deprecated, I tried using the SSLContext variant:
Code:
ctx = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
ctx.set_ciphers("ADH-AES256-GCM-SHA384")
s = ctx.wrap_socket(skt)
Calling
Code:
for cipher in ctx.get_ciphers():
    print(cipher)
I checked the server side using:
Code:
nmap --script ssl-enum-ciphers -p 8729 <host>
which I think matches ADH-AES256-GCM-SHA384 which is why I was using it in the client.
Additionally I tried using openssl client to check the TLS connection:
Code:
openssl s_client -connect <host>:8729
I also got this same error 40 from my C++ client that says that error code 40 is a handshake error due to a missing cipher.
Finally I used the openssl parameter to explicitly specify the cipher ADH-AES256-GCM-SHA384 but got the same error.
BTW I do understand that not having a trusted certificate on the server is not a good practice etc. but it does beat using a non-secure API and thus has its merits. And I plan on configuring and supporting the certificates as well.
Any help with this would be greatly appreciated.
Tiony Ustigal
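
Added example, not part of the original post: an offline check of whether the client's own OpenSSL policy is what rejects the cipher named above, by building a TLS 1.2 ClientHello in memory with and without `@SECLEVEL=0`. It assumes Python 3.7+ linked against OpenSSL 1.1.0 or later, where security level 1 and above disable anonymous (aNULL) suites; the function names are hypothetical.

```python
import ssl

CIPHER = "ADH-AES256-GCM-SHA384"  # cipher named in the post


def client_hello_result(cipher_string):
    """Try to build a TLS 1.2 ClientHello in memory; return (ok, detail)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Anonymous DH presents no certificate, so there is nothing to verify.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Keep TLS 1.3 suites out of the hello so only cipher_string is offered.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        # The local OpenSSL build does not know the cipher at all.
        return False, "set_ciphers: " + str(exc)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        # ClientHello was written; OpenSSL now waits for a server reply.
        return True, "ClientHello built (%d bytes)" % outgoing.pending
    except ssl.SSLError as exc:
        # Raised before any byte leaves the client: a local policy decision.
        return False, exc.reason or str(exc)
    return True, "handshake finished"  # not reachable without a peer


def diagnose(cipher=CIPHER):
    """Compare the context's default security level with level 0."""
    return {
        "default": client_hello_result(cipher),
        "seclevel0": client_hello_result(cipher + ":@SECLEVEL=0"),
    }


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for name, (ok, detail) in diagnose().items():
        print("%-10s ok=%s  %s" % (name, ok, detail))
```

If "default" fails while "seclevel0" succeeds, the error is raised by the client library before anything reaches the router. Anonymous DH still gives no server authentication, so level 0 is a diagnostic setting until a certificate is configured on the API service.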