On 11/05/14 20:04, Joel Sing wrote:
On Thu, 6 Nov 2014, Ted Unangst wrote:
I see errors trying to download some https URLs using python, but the
base ftp client isn't affected. 5.6 release and current. One example is
https://www.duosecurity.com/feed.

athens:/tmp> python2.7
Python 2.7.8 (default, Oct  6 2014, 13:51:42)
[GCC 4.2.1 20070719 ] on openbsd5
Type "help", "copyright", "credits" or "license" for more information.

>>> import urllib
>>> urllib.urlopen('https://www.duosecurity.com/feed')

Traceback (most recent call last):
   File "<stdin>", line 1, in <module>
   File "/usr/local/lib/python2.7/urllib.py", line 87, in urlopen
     return opener.open(url)
   File "/usr/local/lib/python2.7/urllib.py", line 208, in open
     return getattr(self, name)(url)
   File "/usr/local/lib/python2.7/urllib.py", line 437, in open_https
     h.endheaders(data)
   File "/usr/local/lib/python2.7/httplib.py", line 991, in endheaders
     self._send_output(message_body)
   File "/usr/local/lib/python2.7/httplib.py", line 844, in _send_output
     self.send(msg)
   File "/usr/local/lib/python2.7/httplib.py", line 806, in send
     self.connect()
   File "/usr/local/lib/python2.7/httplib.py", line 1198, in connect
     self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file)
   File "/usr/local/lib/python2.7/ssl.py", line 392, in wrap_socket
     ciphers=ciphers)
   File "/usr/local/lib/python2.7/ssl.py", line 148, in __init__
     self.do_handshake()
   File "/usr/local/lib/python2.7/ssl.py", line 310, in do_handshake
     self._sslobj.do_handshake()
IOError: [Errno socket error] [Errno 1] _ssl.c:510: error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

The server requires SNI, which libtls/ftp(1) does. If you make s_client do SNI
it works:

$ openssl s_client -connect www.duosecurity.com:443 \
   -servername www.duosecurity.com

So you'd need to make Python handle SNI if you want to talk to it... FWIW the
site is hosted on Amazon Cloudfront, so you'll probably see the same with any
other site that uses it.

athens:/tmp> ftp https://www.duosecurity.com/feed
Trying 54.192.22.134...
Requesting https://www.duosecurity.com/feed
118278 bytes received in 0.17 seconds (673.14 KB/s)

Hmm, not documented at all.
I am not sure if this actually explains anything, but it throws a few names and acronyms around that can be used for further information.

--- /usr/share/man/man1/openssl.1       Fri Oct 31 17:43:53 2014
+++ openssl.1   Wed Nov  5 23:33:46 2014
@@ -6617,6 +6617,7 @@
 .Op Fl psk_identity Ar identity
 .Op Fl quiet
 .Op Fl reconnect
+.Op Fl servername Ar host
 .Op Fl showcerts
 .Op Fl ssl3
 .Op Fl starttls Ar protocol
@@ -6773,6 +6774,8 @@
 .It Fl reconnect
 Reconnects to the same server 5 times using the same session ID; this can
 be used as a test that session caching is working.
+.It Fl servername Ar host
+Use specified host name as the Server Name Indicater (SNI)
 .It Fl showcerts
 Display the whole server certificate chain: normally only the server
 certificate itself is displayed.
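Review bot: "Server Name Indicater" in the new `.It Fl servername` text is a misspelling of "Server Name Indication", and the sentence lacks the terminating period that the neighbouring entries (`reconnect`, `showcerts`) have. Suggested wording: `Use the specified host name in the Server Name Indication (SNI) extension of the ClientHello.` It would also help the reader who hits the failure discussed in this thread to add a sentence saying that servers which select a certificate by name may refuse the handshake when the extension is absent.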

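To make concrete what "make Python handle SNI" means on the wire, here is an added example (not code from the thread, from OpenSSL or from Python's ssl module) that builds a minimal TLS ClientHello with and without the server_name extension of RFC 6066, parses the name back out the way a name-based front end must before it can choose a certificate, and emulates a front end that refuses hellos carrying no SNI. The all-zero random, the three sample cipher suites and the `sni_front_end` behaviour are constructed for illustration; the refusal models the behaviour Joel describes and is not a description of how any particular CDN is implemented.

```python
"""Build and parse a TLS ClientHello with and without the server_name (SNI)
extension.  Added example; not code from the thread, OpenSSL or Python."""
import struct

# TLS record / handshake constants (RFC 5246) and the server_name extension (RFC 6066)
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SNI_HOST_NAME = 0x00

# Constructed sample cipher suites: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
# TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA.
SAMPLE_SUITES = b"\xc0\x2f\x00\x9c\x00\x2f"


def build_client_hello(server_name=None):
    """Return a TLS record carrying a minimal TLS 1.2 ClientHello.

    With server_name=None no extensions block is sent at all, the shape an
    SNI-unaware client produces.  With a name, a server_name extension naming
    it is appended.  The random field is fixed zeros: this illustrates the
    wire format and is not a usable client."""
    body = struct.pack("!BB", 3, 3)               # client_version = TLS 1.2
    body += b"\x00" * 32                          # random (constructed, all zero)
    body += b"\x00"                               # session_id: empty
    body += struct.pack("!H", len(SAMPLE_SUITES)) + SAMPLE_SUITES
    body += b"\x01\x00"                           # compression_methods: null only
    if server_name is not None:
        name = server_name.encode("idna")         # SNI carries ASCII A-labels
        entry = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext  # extensions block
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record layer: content type, legacy version 3.1 for compatibility, length
    return struct.pack("!BBBH", TLS_HANDSHAKE, 3, 1, len(handshake)) + handshake


def _need(buf, off, n):
    """Return buf[off:off+n], raising ValueError instead of silently truncating."""
    if off + n > len(buf):
        raise ValueError("truncated ClientHello at offset %d" % off)
    return buf[off:off + n]


def parse_sni(record):
    """Return the host_name from the ClientHello's server_name extension, or
    None when the hello carries no SNI.  Raises ValueError on input that is
    not a ClientHello record."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = _need(record, 5, rec_len)
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = _need(hs, 4, int.from_bytes(hs[1:4], "big"))
    pos = 2 + 32                                  # skip client_version and random
    pos += 1 + _need(body, pos, 1)[0]             # session_id
    pos += 2 + struct.unpack("!H", _need(body, pos, 2))[0]  # cipher_suites
    pos += 1 + _need(body, pos, 1)[0]             # compression_methods
    if pos >= len(body):
        return None                               # no extensions block at all
    ext_len = struct.unpack("!H", _need(body, pos, 2))[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", _need(body, pos, 4))
        pos += 4
        data = _need(body, pos, length)
        pos += length
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", _need(data, 0, 2))[0]
        lpos = 2
        while lpos + 3 <= 2 + list_len:           # ServerName entries
            ntype, nlen = struct.unpack("!BH", _need(data, lpos, 3))
            lpos += 3
            name = _need(data, lpos, nlen)
            lpos += nlen
            if ntype == SNI_HOST_NAME:
                return name.decode("ascii")
    return None


def sni_front_end(record, hosted=("www.duosecurity.com",)):
    """Emulate a name-based front end that requires SNI (an assumption for
    this example): return the virtual host it would serve, or the alert it
    would send instead of a ServerHello."""
    name = parse_sni(record)
    if name is None:
        return "alert handshake_failure"          # the alert in the traceback
    if name not in hosted:
        return "alert unrecognized_name"
    return name


if __name__ == "__main__":
    for host in (None, "www.duosecurity.com"):
        hello = build_client_hello(host)
        print("SNI=%r -> %s (%d bytes)" % (parse_sni(hello), sni_front_end(hello), len(hello)))
```

Running it shows the two hellos differing only by the 30-byte extensions block, and the emulated front end answering the bare one with handshake_failure, which is the alert in the traceback above. On the client side, the module-level `ssl.wrap_socket()` called by the 2.7.8 httplib in the traceback has no way to pass a host name; `ssl.SSLContext.wrap_socket(sock, server_hostname=host)` does, and Python 2.7.9 and 3.x send the extension from `urllib`/`httplib` when that path is used.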