On 11/05/14 20:04, Joel Sing wrote:
On Thu, 6 Nov 2014, Ted Unangst wrote:
I see errors trying to download some https URLs using python, but the
base ftp client isn't affected. 5.6 release and current. One example is
https://www.duosecurity.com/feed.
athens:/tmp> python2.7
Python 2.7.8 (default, Oct 6 2014, 13:51:42)
[GCC 4.2.1 20070719 ] on openbsd5
Type "help", "copyright", "credits" or "license" for more information.
import urllib
urllib.urlopen('https://www.duosecurity.com/feed')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/local/lib/python2.7/urllib.py", line 87, in urlopen
return opener.open(url)
File "/usr/local/lib/python2.7/urllib.py", line 208, in open
return getattr(self, name)(url)
File "/usr/local/lib/python2.7/urllib.py", line 437, in open_https
h.endheaders(data)
File "/usr/local/lib/python2.7/httplib.py", line 991, in endheaders
self._send_output(message_body)
File "/usr/local/lib/python2.7/httplib.py", line 844, in _send_output
self.send(msg)
File "/usr/local/lib/python2.7/httplib.py", line 806, in send
self.connect()
File "/usr/local/lib/python2.7/httplib.py", line 1198, in connect
self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file)
File "/usr/local/lib/python2.7/ssl.py", line 392, in wrap_socket
ciphers=ciphers)
File "/usr/local/lib/python2.7/ssl.py", line 148, in __init__
self.do_handshake()
File "/usr/local/lib/python2.7/ssl.py", line 310, in do_handshake
self._sslobj.do_handshake()
IOError: [Errno socket error] [Errno 1] _ssl.c:510: error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
The server requires SNI, which libtls/ftp(1) does. If you make s_client do SNI
it works:
$ openssl s_client -connect www.duosecurity.com:443 \
-servername www.duosecurity.com
So you'd need to make Python handle SNI if you want to talk to it... FWIW the
site is hosted on Amazon Cloudfront, so you'll probably see the same with any
other site that uses it.
athens:/tmp> ftp https://www.duosecurity.com/feed
Trying 54.192.22.134...
Requesting https://www.duosecurity.com/feed
118278 bytes received in 0.17 seconds (673.14 KB/s)
hmm. not documented at all.
I am not sure if this actually explains anything but it throws a few
names and acronyms around that can be used for further information.
--- /usr/share/man/man1/openssl.1 Fri Oct 31 17:43:53 2014
+++ openssl.1 Wed Nov 5 23:33:46 2014
@@ -6617,6 +6617,7 @@
.Op Fl psk_identity Ar identity
.Op Fl quiet
.Op Fl reconnect
+.Op Fl servername Ar host
.Op Fl showcerts
.Op Fl ssl3
.Op Fl starttls Ar protocol
@@ -6773,6 +6774,8 @@
.It Fl reconnect
Reconnects to the same server 5 times using the same session ID; this can
be used as a test that session caching is working.
+.It Fl servername Ar host
+Use specified host name as the Server Name Indicater (SNI)
.It Fl showcerts
Display the whole server certificate chain: normally only the server
certificate itself is displayed.
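Review bot: the new `.It Fl servername` description has a spelling error and no terminating period: "Indicater" should be "Indication" (the TLS extension is Server Name Indication, RFC 6066), and the neighbouring entries (reconnect, showcerts) end their sentences with a full stop. Suggested text: `Use the specified host name for the TLS Server Name Indication (SNI) extension.` It would also help to state that no server name is sent when the option is absent, since that is exactly why the handshake in the thread fails without it.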
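To make Joel's point concrete for Python users, here is an added example (not code from the thread, from OpenBSD or from the Python project). It captures the ClientHello a Python TLS client emits, once with `server_hostname` set (which makes OpenSSL add the SNI extension) and once without (which is what the `ssl.wrap_socket(sock, key_file, cert_file)` call in the 2.7.8 traceback amounts to), and parses the SNI extension out of the raw bytes. It assumes Python 3 with the `ssl` module; the local listener on 127.0.0.1 is constructed for the demonstration, no real server or certificate is involved, and the host name is the one from the thread.

```python
"""Added example: show what the Server Name Indication (SNI) extension is by
capturing the ClientHello a Python TLS client sends, with and without a
server_hostname, and parsing the SNI host name out of the record.

Assumes Python 3 with the ssl module. No network access, certificates or
third-party packages are needed: the 'server' is a throwaway local listener
(constructed for this example) that records the first TLS record and hangs up."""
import socket
import ssl
import struct
import threading


def _recv_exact(conn, n):
    """Read exactly n bytes (a ClientHello may arrive in several segments)."""
    buf = b""
    while len(buf) < n:
        chunk = conn.recv(n - len(buf))
        if not chunk:
            raise EOFError("connection closed before the full record arrived")
        buf += chunk
    return buf


def capture_client_hello(client_fn):
    """Run client_fn(host, port) against a local listener that records the first
    TLS record it receives (the ClientHello) and then closes the connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))          # ephemeral port, constructed for the example
    srv.listen(1)
    port = srv.getsockname()[1]
    captured = {}

    def server():
        conn, _ = srv.accept()
        with conn:
            header = _recv_exact(conn, 5)                 # type(1) version(2) length(2)
            body_len = struct.unpack("!H", header[3:5])[0]
            captured["record"] = header + _recv_exact(conn, body_len)

    t = threading.Thread(target=server)
    t.start()
    try:
        client_fn("127.0.0.1", port)
    except OSError:
        pass      # expected: the fake server never answers, so the handshake fails
    t.join(timeout=5)
    srv.close()
    return captured.get("record")


def parse_sni(record):
    """Return the host name carried in the SNI extension of a TLS ClientHello
    record, or None when no server_name extension is present."""
    if not record or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                       # header, version, random
    pos += 1 + hs[pos]                                     # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]     # cipher_suites
    pos += 1 + hs[pos]                                     # compression_methods
    if pos >= len(hs):
        return None                                        # no extensions block
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", hs[pos:pos + 4])
        data = hs[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type == 0x0000:                             # server_name, RFC 6066
            # ServerNameList: list length(2), then name_type(1), name length(2), name
            name_type = data[2]
            name_len = struct.unpack("!H", data[3:5])[0]
            if name_type == 0:                             # host_name
                return data[5:5 + name_len].decode("ascii")
    return None


def client_with_sni(host, port, name="www.duosecurity.com"):
    """Modern client: passing server_hostname makes OpenSSL send the SNI extension."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as s:
        with ctx.wrap_socket(s, server_hostname=name):
            pass


def client_without_sni(host, port):
    """No server name given, as in the old urllib call: no SNI extension is sent."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port)) as s:
        with ctx.wrap_socket(s):
            pass


def sni_sent(client_fn):
    """Capture a ClientHello from client_fn and return the SNI host name it carries."""
    return parse_sni(capture_client_hello(client_fn))


if __name__ == "__main__":
    print("with server_hostname:   ", sni_sent(client_with_sni))
    print("without server_hostname:", sni_sent(client_without_sni))
```

The first call reports `www.duosecurity.com`, the second `None`: that missing extension is what a CloudFront front end sees from the 2.7.8 `urllib` in the traceback, and the `handshake failure` alert is its answer. Python gained `server_hostname` on `SSLContext.wrap_socket` in 2.7.9 and 3.2, and `urllib`/`httplib` only started passing it through in those later releases, which is the fix Joel's "make Python handle SNI" refers to.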