SSLv3 alert handshake failure with urllib2

I'm having trouble connecting over HTTPS using urllib2 under Python 2.7.10.

Any thoughts on what I am missing?

    Python 2.7.10 (default, Jun 18 2015, 10:53:24)
    [GCC 4.4.5] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import ssl, urllib2
    >>> ssl.HAS_SNI
    True
    >>> ssl.OPENSSL_VERSION
    'OpenSSL 0.9.8o 01 Jun 2010'
    >>> opener = urllib2.build_opener()
    >>> opener.open('https://twitrss.me/')
    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/local/python2.7/lib/python2.7/urllib2.py", line 431, in open
        response = self._open(req, data)
      File "/usr/local/python2.7/lib/python2.7/urllib2.py", line 449, in _open
        '_open', req)
      File "/usr/local/python2.7/lib/python2.7/urllib2.py", line 409, in _call_chain
        result = func(*args)
      File "/usr/local/python2.7/lib/python2.7/urllib2.py", line 1240, in https_open
        context=self._context)
      File "/usr/local/python2.7/lib/python2.7/urllib2.py", line 1197, in do_open
        raise URLError(err)
    urllib2.URLError: <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:590)>
+5
1 answer

I was able to duplicate your problem on OS X 10.10.3, whose stock Python is 2.7.6 with OpenSSL 0.9.8zd.

The problem is the lack of the Server Name Indication (SNI) extension in the TLS message, which the site twitrss.me apparently requires.

Server Name Indication (SNI) is an extension to the TLS computer networking protocol by which the client indicates which host name it is trying to connect to at the beginning of the connection process.

I checked this by writing a small C++ program with OpenSSL; inserting the OpenSSL call

    SSL_set_tlsext_host_name(ssl, "twitrss.me");

allows the remote connection to proceed without failure. I also looked at packet dumps to make sure that SNI was missing when trying to connect using Python.

The Python SSL module seems to support SNI in Python 3, but a workaround in Python 2 may be required. It seems that PEP 0466 includes SNI and landed in Python 2.7.9, so you should have it, but I don't know if urllib2/urllib3 use this without a workaround.

+2
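The packet-dump check described in the answer (does the ClientHello carry SNI?) can be reproduced offline. This is an added example, not part of the original answer: it targets Python 3's ssl module, builds the hello in memory without touching the network, and the function names `client_hello` and `sni_names` are assumptions of this example.

```python
import ssl
import struct

def client_hello(server_hostname):
    """Return the raw ClientHello bytes Python would send; no network I/O."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Hostname checking needs a name; it is off only to emulate an SNI-less client.
    ctx.check_hostname = server_hostname is not None
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello is written, the server's reply never arrives
    return outgoing.read()

def sni_names(data):
    """Parse a ClientHello (first TLS record) and return its SNI host names."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[9:5 + rec_len]       # skip record (5) and handshake (4) headers
    pos = 2 + 32                     # client_version + random
    pos += 1 + body[pos]             # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]             # compression_methods
    if pos + 2 > len(body):
        return []                    # hello has no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    names = []
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        ext = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0:            # 0 = server_name (RFC 6066)
            continue
        i = 2                        # skip server_name_list length
        while i + 3 <= len(ext):
            name_type, name_len = struct.unpack("!BH", ext[i:i + 3])
            if name_type == 0:       # 0 = host_name
                names.append(ext[i + 3:i + 3 + name_len].decode("ascii"))
            i += 3 + name_len
    return names

if __name__ == "__main__":
    for host in ("twitrss.me", None):
        print(host, "->", sni_names(client_hello(host)))
```

An empty list for a hello built without `server_hostname` is the condition the answer identified in the failing Python 2 connection; the same parser can be pointed at the first record of a captured handshake.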