Intermittent "sslv3 handshake rejection" under Python

I have a REST API written in Java under JBoss. We recently upgraded our JVM from 1.6 to 1.7. This started to cause problems only with our Python clients that were connecting. Intermittently, Python clients get handshake failures. We wrote a very simple test that reproduces the problem:

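    import httplib2

    # A new Http object per iteration means a new connection, and so a
    # new TLS handshake, for every request.
    for i in range(1, 500):
        print(i)
        response, content = httplib2.Http(disable_ssl_certificate_validation=True).request('https://server.com:8443',)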

It produces the following result:

    .
    .
    .
    64
    65
    66
    67
    Traceback (most recent call last):
      File "api_test/test.py", line 6, in <module>
        response, content = httplib2.Http(disable_ssl_certificate_validation=True).request('https://server.com:8443/rest/solidtumor/2012/id/50d3216c092c8554b8b9f384?glossary=true&api_key=APIKEY',)
      File "/home/hostovic/api_test/httplib2/__init__.py", line 1445, in request
        (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
      File "/home/hostovic/api_test/httplib2/__init__.py", line 1197, in _request
        (response, content) = self._conn_request(conn, request_uri, method, body, headers)
      File "/home/hostovic/api_test/httplib2/__init__.py", line 1133, in _conn_request
        conn.connect()
      File "/home/hostovic/api_test/httplib2/__init__.py", line 914, in connect
        raise SSLHandshakeError(e)
    httplib2.SSLHandshakeError: [Errno 1] _ssl.c:490: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

The 67th call failed during this run, but it fails at a different point each time the test is run.

Our other clients (Java, Groovy and Ruby) work without problems.

If I switch the JVM back to 1.6, the failures stop.

I did an openssl check using:

    openssl s_client -connect server.com:8443

and it returned:

    New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol : TLSv1.2
        Cipher : EDH-RSA-DES-CBC3-SHA
        Session-ID: 50E748EA341BB433EEBC7386C606313C2B8B86360ED71DC8F3B0A14A1579D91B
        Session-ID-ctx:
        Master-Key: 1007AC489D60FE2D818F71A5A6873D5BBF5B1770BEC31CDBF29D0562DB0D30A33D9EBBA8AD211B8E24B23494B20A6223
        Key-Arg : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        Start Time: 1357334762
        Timeout : 300 (sec)
        Verify return code: 0 (ok)

Which seems right, but I'm not sure. If it failed on every call, that would be one thing, but it is really strange that it fails only at random times. Has anyone seen this?

+7
2 answers

I am experiencing the same intermittent error when connecting to Tomcat 7 (Java 1.7) with Python 2.6.

I first started experiencing the problem when I upgraded my JVM from 1.7u1 to 1.7u6. From this article, it appears that the cipher preference order has changed in Java:

Java 7 and failed to create DH keypair

Prior to the JVM update, SSL_RSA_WITH_3DES_EDE_CBC_SHA was the preferred cipher used for SSL communications. After the upgrade, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA takes preference. 95% of the time, SSL is OK. But in 5% of cases, it fails, as you described.

Python seems to have problems with the Diffie-Hellman ciphers. There is a fix in Python 3.3:

http://bugs.python.org/issue13626

My real workaround is to remove the Diffie-Hellman cipher from my activated ciphers in Tomcat. I have not tried switching to Python 3.3.

+5

I have the same problem after upgrading from Java 6 to Java 7.

I debugged this error a bit and it turned out to be a bug in the implementation of the DHE cipher suites in Java 7: approximately 0.5% of SSL handshakes with DHE cipher suites fail. (This is not Python related, and the error can be reproduced, for example, using the "openssl" command-line tool.)

I reported the bug to Oracle, see http://mail.openjdk.java.net/pipermail/security-dev/2013-May/007435.html. Meanwhile, the only workaround is to disable DHE cipher suites (on both ends).

0
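The client-side half of the workaround both answers describe, as an added example that is not from the thread: a Python 3 `ssl` context that stops offering DHE suites, plus a tally loop in the spirit of the question's test that records which cipher each handshake negotiated. The helper names are assumptions of this example, and `server.com:8443` is the placeholder host from the question.

```python
# Added example; helper names are illustrative, not from the thread.
import collections
import socket
import ssl

# OpenSSL cipher string: the default suites minus every key exchange that
# uses finite-field ephemeral DH (plain DHE and DHE-PSK). ECDHE is kept.
NO_DHE_CIPHERS = "DEFAULT:!kEDH:!kDHEPSK"


def dhe_free_context(verify=True):
    """Client context that never offers a TLS <= 1.2 DHE cipher suite."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(NO_DHE_CIPHERS)
    if not verify:
        # Mirrors disable_ssl_certificate_validation=True in the question's
        # test; only for a lab server with a self-signed certificate.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def offered_dhe_suites(ctx):
    """Names of finite-field DH suites the context would still offer."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["name"].startswith(("DHE-", "EDH-", "ADH-"))]


def handshake_tally(host, port, attempts, ctx):
    """Open `attempts` fresh connections; count outcomes per cipher/error."""
    tally = collections.Counter()
    for _ in range(attempts):
        try:
            with socket.create_connection((host, port), timeout=10) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    tally["ok " + tls.cipher()[0]] += 1
        except ssl.SSLError as exc:
            tally["failed " + (exc.reason or "SSLError")] += 1
    return tally


if __name__ == "__main__":
    # server.com:8443 is the placeholder host from the question.
    default_ctx = ssl.create_default_context()
    print("default context still offers:", offered_dhe_suites(default_ctx))
    for label, ctx in (("default", default_ctx), ("no-DHE", dhe_free_context())):
        print(label, dict(handshake_tally("server.com", 8443, 500, ctx)))
```

If failures appear only in the `default` tally, and only on connections that would have negotiated a DHE suite, that matches the behaviour described in the answers.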
