Control: forwarded 907807 https://github.com/linkchecker/linkchecker/issues/188
Control: reassign 907807 python-requests 2.18.4-2
Control: affects 907807 linkchecker

On 2018-09-02 14:53:15, Vincent Bernat wrote:
> Hey!
>
> Since the upgrade to OpenSSL 1.1.1pre9 in sid, linkchecker is unable
> to check many sites including:
>
>  - ones without SNI
>  - ones with DH parameters too small
>  - ones using TLS 1.0
>  - ones still using SHA1 for the signature (get.adobe.com)

So I've forwarded the bug upstream to see if we can get a hint there. I
originally thought this was a 1.1 transition problem, but as it turns
out, linkchecker loads those sites fine in buster, which still has
1.1.0.

Any idea what is causing this? It seems to me a minor upgrade like this
shouldn't break third-party software...

I've found this in the release notes:

  *) OpenSSL now fails if it receives an unrecognised record type in TLS1.0
     or TLS1.1. Previously this only happened in SSLv3 and TLS1.2. This is to
     prevent issues where no progress is being made and the peer continually
     sends unrecognised record types, using up resources processing them.
     [Matt Caswell]

This could explain case 3. But not the other ones. I wonder if the
problem wouldn't be in one of the upstream libraries. If I remember
correctly, linkchecker uses "requests" to do its dirty work. And indeed,
request fails on all three sites you mentioned:

>>> requests.get('https://get.adobe.com')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 72, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 506, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='get.adobe.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL: WRONG_SIGNATURE_TYPE] wrong signature type (_ssl.c:726)'),))
>>> requests.get('https://www.nada.kth.se')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 72, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 506, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='www.nada.kth.se', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL: DH_KEY_TOO_SMALL] dh key too small (_ssl.c:726)'),))
>>> requests.get('https://caniuse.com')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 72, in get
    return request('get', url, params=params, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 508, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 618, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 506, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='caniuse.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, u'[SSL: VERSION_TOO_LOW] version too low (_ssl.c:726)'),))

So I have moved this to the python-requests package and will see if
there's an issue upstream to act on accordingly.

A.

-- 
What people say, what people do, and what they say they do are
entirely different things.
                        - Margaret Mead
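
Added example, not part of the original message and not code from linkchecker or requests: a small triage helper that pulls the host and the OpenSSL reason token out of error strings like the three quoted above, so a link-check run can group failures by cause. The function names, the explanation strings and the example.invalid entry are assumptions of this example.

```python
import re
from collections import defaultdict

# Reason tokens from the tracebacks above; explanations are this example's wording.
REASONS = {
    "WRONG_SIGNATURE_TYPE": "peer signature algorithm rejected by local policy",
    "DH_KEY_TOO_SMALL": "server DH parameters below local minimum size",
    "VERSION_TOO_LOW": "protocol version below local minimum",
}
HOST_RE = re.compile(r"HTTPSConnectionPool\(host='([^']+)',\s*port=\d+\)")
REASON_RE = re.compile(r"\[SSL: ([A-Z0-9_]+)\]")

def classify(message):
    """Return (host, reason_token, explanation) for one requests error string."""
    text = " ".join(message.split())  # undo mail/terminal line wrapping
    host = HOST_RE.search(text)
    reason = REASON_RE.search(text)
    name = host.group(1) if host else None
    if reason is None:
        return name, None, "no OpenSSL reason token in message"
    token = reason.group(1)
    return name, token, REASONS.get(token, "unmapped OpenSSL reason")

def group_by_reason(messages):
    """Map each reason token (None for non-TLS errors) to the affected hosts."""
    groups = defaultdict(list)
    for message in messages:
        host, token, _ = classify(message)
        groups[token].append(host)
    return dict(groups)

# First three strings are the errors quoted above, line wrapping included;
# the last one is constructed to exercise the non-TLS path.
SAMPLE = [
    "HTTPSConnectionPool(host='get.adobe.com', \nport=443): Max retries exceeded "
    "with url: / (Caused by SSLError(SSLError(1, \nu'[SSL: WRONG_SIGNATURE_TYPE] "
    "wrong signature type (_ssl.c:726)'),))",
    "HTTPSConnectionPool(host='www.nada.kth.se', \nport=443): Max retries exceeded "
    "with url: / (Caused by SSLError(SSLError(1, \nu'[SSL: DH_KEY_TOO_SMALL] "
    "dh key too small (_ssl.c:726)'),))",
    "HTTPSConnectionPool(host='caniuse.com', \nport=443): Max retries exceeded "
    "with url: / (Caused by SSLError(SSLError(1, \nu'[SSL: VERSION_TOO_LOW] "
    "version too low (_ssl.c:726)'),))",
    "HTTPSConnectionPool(host='example.invalid', port=443): Max retries exceeded "
    "with url: / (Caused by NewConnectionError('Connection refused'))",
]

if __name__ == "__main__":
    for msg in SAMPLE:
        print("%-16s %-21s %s" % classify(msg))
```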
