Control: forwarded 907807 https://github.com/linkchecker/linkchecker/issues/188
Control: reassign 907807 python-requests 2.18.4-2
Control: affects 907807 linkchecker

On 2018-09-02 14:53:15, Vincent Bernat wrote:
> Hey!
>
> Since the upgrade to OpenSSL 1.1.1pre9 in sid, linkchecker is unable
> to check many sites including:
>
>  - ones without SNI
>  - ones with DH parameters too small
>  - ones using TLS 1.0
>  - ones still using SHA1 for the signature (get.adobe.com)

So I've forwarded the bug upstream to see if we can get a hint there.

I originally thought this was a 1.1 transition problem, but as it turns
out, linkchecker loads those sites fine in buster, which still has 1.1.0.

Any idea what is causing this? It seems to me a minor upgrade like this
shouldn't break third-party software...

I've found this in the release notes:

  *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
     or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
     prevent issues where no progress is being made and the peer continually
     sends unrecognised record types, using up resources processing them.
     [Matt Caswell]

This could explain case 3. But not the other ones.

I wonder if the problem wouldn't be in one of the upstream libraries. If
I remember correctly, linkchecker uses "requests" to do its dirty work.
And indeed, request fails on all three sites you mentioned:

>>> requests.get('https://get.adobe.com')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 72, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 506, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='get.adobe.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL: WRONG_SIGNATURE_TYPE] wrong signature type (_ssl.c:726)'),))
>>> requests.get('https://www.nada.kth.se')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 72, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 506, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='www.nada.kth.se', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:726)'),))
>>> requests.get('https://caniuse.com')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 72, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 506, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='caniuse.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL: VERSION_TOO_LOW] version too low (_ssl.c:726)'),))

So I have moved this to the python-requests package and will see if
there's an issue upstream to act on accordingly.

A.

--
What people say, what people do, and what they say they do are entirely
different things.
                        - Margaret Mead
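
Added example, not part of the original message or of linkchecker/requests: a small triage helper that pulls the host and the OpenSSL reason code out of requests SSLError messages like the three above and groups failing hosts by cause. The function names and the pairing of each reason code with a condition from the quoted report are this example's assumptions.

```python
import re
from collections import defaultdict

# Pairing of OpenSSL reason codes with the server conditions listed in the
# quoted report (assumption of this example, read off the three tracebacks).
CONDITIONS = {
    "WRONG_SIGNATURE_TYPE": "server still signs with SHA1",
    "DH_KEY_TOO_SMALL": "server DH parameters too small",
    "VERSION_TOO_LOW": "server only offers TLS 1.0",
}

HOST_RE = re.compile(r"HTTPSConnectionPool\(host='([^']+)', port=(\d+)\)")
REASON_RE = re.compile(r"\[SSL: ([A-Z0-9_]+)\]")

# Messages 1-3 are copied from the tracebacks above; the last is constructed
# to show a failure that is not a TLS handshake error.
SAMPLE = [
    "requests.exceptions.SSLError: HTTPSConnectionPool(host='get.adobe.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL: WRONG_SIGNATURE_TYPE] wrong signature type (_ssl.c:726)'),))",
    "requests.exceptions.SSLError: HTTPSConnectionPool(host='www.nada.kth.se', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:726)'),))",
    "requests.exceptions.SSLError: HTTPSConnectionPool(host='caniuse.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL: VERSION_TOO_LOW] version too low (_ssl.c:726)'),))",
    "requests.exceptions.ConnectionError: HTTPSConnectionPool(host='example.invalid', port=443): Max retries exceeded with url: / (constructed: connection refused)",
]

def parse_ssl_error(message):
    """Return (host, port, reason) from a requests SSLError message, else None."""
    host = HOST_RE.search(message)
    reason = REASON_RE.search(message)
    if not host or not reason:
        return None
    return host.group(1), int(host.group(2)), reason.group(1)

def triage(messages):
    """Group 'host:port' by OpenSSL reason code; unparsable messages go under None."""
    groups = defaultdict(list)
    for msg in messages:
        parsed = parse_ssl_error(msg)
        if parsed is None:
            groups[None].append(msg)
        else:
            groups[parsed[2]].append("%s:%d" % parsed[:2])
    return dict(groups)

def explain(reason):
    """Translate a reason code into the condition from the report, if known."""
    return CONDITIONS.get(reason, "unmapped reason; inspect the message by hand")

if __name__ == "__main__":
    for reason, hosts in triage(SAMPLE).items():
        print(reason, "->", explain(reason), "->", hosts)
```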