mlapi trouble with misleading error [SSL: WRONG_VERSION_NUMBER]

Discussion topics related to mobile applications and ZoneMinder Event Server (including machine learning)
Post Reply
Farm_Server
Posts: 11
Joined: Wed Sep 02, 2020 1:37 pm

mlapi trouble with misleading error [SSL: WRONG_VERSION_NUMBER]

Post by Farm_Server »

First of, big sad the pliablepixels ran out of time to support this. I wish them the best.


Anyways, I am having a rather frustrating error. Since all of this is now forked, I am referring to pliablepixels repo not the newer forked version(s).

I am on debian 11 python 3.9.2 and openssl 1.1.1k (standard debian stable stuff)

I have zmeventserver with machine learning hooks running and that seems to work ok from what I can tell, it has its own user in zoneminder 'objectuser' and the websocks listens on port 9000 with a self signed certificate. runs great.

After installing the mlapi I assigned it its own user 'ml_user' in zoneminder and created a user by running mlapi_dbuser.py as per the directions

When I looked at the zoneminder logs after it was running I got this error whenever an object was spotted by mlapi on the live feed for zm_detect.py @ line 405

Code: Select all

Error with remote mlapi:HTTPSConnectionPool(host='192.168.1.1', port=5000): Max retries exceeded with url: /api/v1/login (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1123)')))
After some digging it seems this is a misleading error generated by openssl and means that it cant get an ssl cert, not that it is the wrong version. To test this I started python 3 and ran these commands:

Code: Select all

# python3
Python 3.9.2 (default, Feb 28 2021, 17:03:44) 
[GCC 10.2.1 20210110] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ssl.get_server_certificate(('192.168.1.1',5000))
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.9/ssl.py", line 1484, in get_server_certificate
    with context.wrap_socket(sock) as sslsock:
  File "/usr/lib/python3.9/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.9/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/usr/lib/python3.9/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1123)
problem reproduced, so I try on other known working ports, 9000 and 443

Code: Select all

>>> ssl.get_server_certificate(('192.1681.1',9000))
'-----BEGIN CERTIFICATE-----\certificate gibberish\n-----END CERTIFICATE-----\n'
>>> ssl.get_server_certificate(('192.168.1.1',443))
'-----BEGIN CERTIFICATE-----\certificate gibberish\n-----END CERTIFICATE-----\n'
So needless to say I am a little confused, as python3 can clearly get the cert on these ports no problem. I am using ufw and have rules for 443, 9000, and 5000 that are all the same besides port number, so 5000 should work. I have checked the spelling and settings between objectconfig.ini, secrets.ini, and mlapiconfig.ini to see if there was a spelling error or different setting and they all seemed to be good.

Any help is appreciated, thanks
Magic919
Posts: 1381
Joined: Wed Sep 18, 2013 6:56 am

Re: mlapi trouble with misleading error [SSL: WRONG_VERSION_NUMBER]

Post by Magic919 »

Can you just run a zm_detect.py against ZMES and check the debug.
-
Farm_Server
Posts: 11
Joined: Wed Sep 02, 2020 1:37 pm

Re: mlapi trouble with misleading error [SSL: WRONG_VERSION_NUMBER]

Post by Farm_Server »

Can you elaborate?

I see that zm_detect.py is part of zmeventnotification and that is working. Is this process being held up by zmes and blocking it from mlapi?
Farm_Server
Posts: 11
Joined: Wed Sep 02, 2020 1:37 pm

Re: mlapi trouble with misleading error [SSL: WRONG_VERSION_NUMBER]

Post by Farm_Server »

Will do asap.

I am a bit confused about mlapi being a separate module or an add in function. Because of that confusion I just did not think to even look at zmes debugging since it seemed to be working without error before I installed the mlapi.
Magic919
Posts: 1381
Joined: Wed Sep 18, 2013 6:56 am

Re: mlapi trouble with misleading error [SSL: WRONG_VERSION_NUMBER]

Post by Magic919 »

MLAPI is a separate item. You can install and run it and nothing happens.

To use it, you reconfigure ZMES and point it to MLAPI. Hence testing via ZMES using debug.
-
Farm_Server
Posts: 11
Joined: Wed Sep 02, 2020 1:37 pm

Re: mlapi trouble with misleading error [SSL: WRONG_VERSION_NUMBER]

Post by Farm_Server »

I think I fixed it.

Running the command (with an event and monitor selected that had known objects to detect)

Code: Select all

sudo -u www-data /var/lib/zmeventnotification/bin/zm_detect.py --config /etc/zm/objectconfig.ini  --eventid <eid> --monitorid <mid> --debug
as well as me running it as mlapiconfig.ini

Code: Select all

sudo -u www-data /var/lib/zmeventnotification/bin/zm_detect.py --config /var/lib/zmeventnotification/mlapi/mlapiconfig.ini  --eventid <eid> --monitorid <mid> --debug
continued to result in the [SSL:WRONG_VERSION_NUMBER] errors

First problem was I had called out the server address in the [Remote] section of objectconfig.ini like so:

Code: Select all

ml_gateway=http://192.168.1.1:5000/api/v1
ml_fallback_local=yes
# API/password for remote gateway
ml_user=!ML_USER
ml_password=!ML_PASSWORD
calling the ml_gateway tried to serve up the self signed cert to 192.168.1.1 but conflicted with the cert I use externally which is set for my.domain.com. The trick was when I tried to enter the ml_gateway address manually into a browser, I got this warning ssl_error_rx_record_too_long and that eventually pointed me to the conflicting certs issue(I cant find the reference at the moment). It also did not fallback to ml_fallback_local=yes after failing for the cert.

My bad.

I commented out the ml_gateway entry and left ml_fallback_local and reran both commands, which appeared to complete successfully. The instructions on the mlapi github page implied mlapi could be used even if installed locally on the same machine as ZM and ZMES by filling out the [Remote] section correctly. But I filled it out wrong so it did not work.

So if leaving it at ml_fallback_local=yes works then I guess all is well, for now.

I am trying to get the server to respond locally to its own domain name in it's browser or terminal(with the intent on having it only serve one cert to everything) but it seems to stubbornly refuse anything other than it's ip address and 'localhost' even after messing with /etc/hosts and trying different port forwarding /nat rules. Ill figure that out next

Its odd this only tripped up MLAPI and not ZMES since they are being served the same self signed cert to the local ip address.

Both before and after this simple fix I ran into an interesting error when running the detection commands manually

Code: Select all

zmesdetect		4015	FAT	Unrecoverable error:You are using frame_types that require ZM indirection Traceback:Traceback (most recent call last): File "/var/lib/zmeventnotification/bin/zm_detect.py", line 557, in main_handler() File "/var/lib/zmeventnotification/bin/zm_detect.py", line 427, in main_handler matched_data,all_data = m.detect_stream(stream=stream, options=stream_options) File "/usr/local/lib/python3.9/dist-packages/pyzm/ml/detect_sequence.py", line 641, in detect_stream media = MediaStream(stream,'video', self.stream_options ) File "/usr/local/lib/python3.9/dist-packages/pyzm/helpers/Media.py", line 112, in __init__ raise ValueError ('You are using frame_types that require ZM indirection')ValueError: You are using frame_types that require ZM indirection	zm_detect.py	562
and

Code: Select all

zmesdetect		4015	ERR	You are using frame_types that require ZM indirection	Media.py	111
This was not as unrecoverable as it implied, object detection still happened and the error did not persist during normal object detection/normal operation. It might just be nothing but I couldn't figure out what it meant by "ZM indirection" by reading Media.py or zm_detect.py. I honestly cannot even come up with what 'frame_types require indirection' even starts to mean. But that hardly means much coming from me.

Thanks for hearing me out and pointing me in the right direction.
Magic919
Posts: 1381
Joined: Wed Sep 18, 2013 6:56 am

Re: mlapi trouble with misleading error [SSL: WRONG_VERSION_NUMBER]

Post by Magic919 »

I’m fairly sure I have no idea what you are saying.

If you are happy and think it's working, that's good.
-
Farm_Server
Posts: 11
Joined: Wed Sep 02, 2020 1:37 pm

Re: mlapi trouble with misleading error [SSL: WRONG_VERSION_NUMBER]

Post by Farm_Server »

Sorry I am being confusing. I hope I can clear it up better now as I think I have a good grasp of what my problem was.

I believe the core issue was due to my firewall, Opnsense, not allowing my server to resolve zoneminder by its domain name (mydomain.com/zm) because it can have aggressive security settings turned on by default. This forced me to set up a self signed cert for zoneminder, zmes, and mlapi locally with letsencrypt using the server's IP address (192.168.1.1/zm). This was not a problem with only zoneminder installed, I had set up an ssl cert from my webhost to use when any device besides the server wanted to access zoneminder via mydomain.com/zm.

from https://sslhow.com/ssl_error_rx_record_too_long/
Make sure we do not have more than one SSL certificate sharing the same IP. Please ensure that all SSL certificates utilise their own dedicated IP.
So because I had more than one ssl cert sharing the same ip this caused my issues. Strangely, the issue only occurred after installing mlapi, and not with zoneminder or zmes. I would assume this would have been a problem sooner.

After I found the cause of the problem I figured out what settings to change in opnsense to allow the server to access zoneminder via mydomain.com/zm, then changed all of zmes and mlapi's config.ini files over to use the mydomain.com cert and addresses and everything seems to have had a happy ending.
Magic919
Posts: 1381
Joined: Wed Sep 18, 2013 6:56 am

Re: mlapi trouble with misleading error [SSL: WRONG_VERSION_NUMBER]

Post by Magic919 »

How did you configure MLAPI to use a certificate?

Are you sure ZMES is actually using MLAPI?
-
Post Reply