Python SSLError, sslv3 alert handshake failure, fo

2019-03-01 12:07发布

站内问答 / Python
566 2 4

Python Version: 3.5.2

OS: OS X 10.12

OpenSSL Version: OpenSSL 1.1.0b 26 Sep 2016

I'm trying to requests "https://alpha.wallhaven.cc".

import urllib.request
init_page=urllib.request.urlopen("https://alpha.wallhaven.cc")

Then get

ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:645)

and

During handling of the above exception, another exception occurred:
...
urllib.error.URLError: <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:645)>

The following solutions don't work:

import requests.packages.urllib3.util.ssl_
requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS='ALL'

import ssl
ssl._create_default_https_context = ssl._create_unverified_context

import requests
print(requests.get("https://alpha.wallhaven.cc",verify=False))

or change /APNSWrapper/connection.py line 131:

ssl_version = self.ssl_module.PROTOCOL_SSLv3,

into

ssl_version = self.ssl_module.PROTOCOL_TLSv1,

Then what is the problem? How to solve it? Thanks a lot!

2条回答
SAY GOODBYE
2楼-- · 2019-03-01 12:51

The following solutions don't work ...
print(requests.get("https://alpha.wallhaven.cc",verify=False))

You should probably avoid that verify=False thing.

Here's what works from the OpenSSL point of view. Be sure you are doing three things in your Python code:

  • Using Server Name Indication (-servername below)
  • Using TLS 1.0 or above (-tls1 below)
  • Using "AddTrust External CA Root" (-CAfile below)

You can find the "AddTrust External CA Root" at Comodo's [Root] AddTrust External CA Root. Its already in PEM format.

Below is from OpenSSL's s_client. It completes as expected: Verify return code: 0 (ok).

$ openssl s_client -connect alpha.wallhaven.cc:443 -servername alpha.wallhaven.cc -tls1 -CAfile addtrustexternalcaroot.crt 
CONNECTED(00000005)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO ECC Domain Validation Secure Server CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = sni142395.cloudflaressl.com
verify return:1
Server did acknowledge servername extension.
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=sni142395.cloudflaressl.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHJzCCBs2gAwIBAgIRANivubFmbH0XdX2fZFAo82kwCgYIKoZIzj0EAwIwgZIx
CzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNV
BAcTB1NhbGZvcmQxGjAYBgNVBAoTEUNPTU9ETyBDQSBMaW1pdGVkMTgwNgYDVQQD
Ey9DT01PRE8gRUNDIERvbWFpbiBWYWxpZGF0aW9uIFNlY3VyZSBTZXJ2ZXIgQ0Eg
MjAeFw0xNjEwMTIwMDAwMDBaFw0xNzA0MTYyMzU5NTlaMGwxITAfBgNVBAsTGERv
bWFpbiBDb250cm9sIFZhbGlkYXRlZDEhMB8GA1UECxMYUG9zaXRpdmVTU0wgTXVs
dGktRG9tYWluMSQwIgYDVQQDExtzbmkxNDIzOTUuY2xvdWRmbGFyZXNzbC5jb20w
WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAASX5NtMc+UpLkSrMFfo482pkybz201a
CYinLcDPWtn3YRGXa4nt42PsnXMVjUP8kfkKs3vWc/bklx9oTNREl/Oao4IFJzCC
BSMwHwYDVR0jBBgwFoAUQAlhZ/C8g3FP3hIILG/U1Ct2PZYwHQYDVR0OBBYEFFCr
l1Hj4n4NQTjpP3eg2cNhUMkBMA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAA
MB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBPBgNVHSAESDBGMDoGCysG
AQQBsjEBAgIHMCswKQYIKwYBBQUHAgEWHWh0dHBzOi8vc2VjdXJlLmNvbW9kby5j
b20vQ1BTMAgGBmeBDAECATBWBgNVHR8ETzBNMEugSaBHhkVodHRwOi8vY3JsLmNv
bW9kb2NhNC5jb20vQ09NT0RPRUNDRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZl
ckNBMi5jcmwwgYgGCCsGAQUFBwEBBHwwejBRBggrBgEFBQcwAoZFaHR0cDovL2Ny
dC5jb21vZG9jYTQuY29tL0NPTU9ET0VDQ0RvbWFpblZhbGlkYXRpb25TZWN1cmVT
ZXJ2ZXJDQTIuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC5jb21vZG9jYTQu
Y29tMIIDbgYDVR0RBIIDZTCCA2GCG3NuaTE0MjM5NS5jbG91ZGZsYXJlc3NsLmNv
bYINKi4zYmJvb2t5eC50a4INKi42ZmJvb2t4bi50a4IJKi45eDloLnRrgg8qLmFz
aWFwcmljZS54eXqCECouYmVzdGJvb2t6amMudGuCECouYmVzdGJvb2t6bHgudGuC
ECouYmVzdGJvb2t6b24udGuCDiouYnVybmFtYW4ueHl6ghAqLmVhdG1lM2QuY29t
LmF1gg0qLmV0Ym9va3p1LnRrghIqLmZvb2Rza2VwdGljcy5jb22CGyouZ2VtaW50
ZXJuZXRwYXlkYXlsb2FuLnRvcIINKi5oYWJvb2thNC50a4INKi5pYm9va3ozMi50
a4INKi5pYm9va3o4by50a4INKi5pYm9va3phMy50a4INKi5pYm9va3ppcy50a4IN
Ki5pYm9va3psai50a4INKi5pYm9va3pwOS50a4INKi5pYm9va3p3YS50a4INKi5p
cWJvb2t0ZC50a4INKi5qZGJvb2tyeC50a4IIKi5tNXUuZGWCDSouc21ib29rdjMu
dGuCGCoudXBxdWlja21vbmV5b25saW5lLnRvcIIQKi52aXBlcmNpZy5jby51a4IO
Ki53YWxsaGF2ZW4uY2OCCzNiYm9va3l4LnRrggs2ZmJvb2t4bi50a4IHOXg5aC50
a4INYXNpYXByaWNlLnh5eoIOYmVzdGJvb2t6amMudGuCDmJlc3Rib29remx4LnRr
gg5iZXN0Ym9va3pvbi50a4IMYnVybmFtYW4ueHl6gg5lYXRtZTNkLmNvbS5hdYIL
ZXRib29renUudGuCEGZvb2Rza2VwdGljcy5jb22CGWdlbWludGVybmV0cGF5ZGF5
bG9hbi50b3CCC2hhYm9va2E0LnRrggtpYm9va3ozMi50a4ILaWJvb2t6OG8udGuC
C2lib29remEzLnRrggtpYm9va3ppcy50a4ILaWJvb2t6bGoudGuCC2lib29renA5
LnRrggtpYm9va3p3YS50a4ILaXFib29rdGQudGuCC2pkYm9va3J4LnRrggZtNXUu
ZGWCC3NtYm9va3YzLnRrghZ1cHF1aWNrbW9uZXlvbmxpbmUudG9wgg52aXBlcmNp
Zy5jby51a4IMd2FsbGhhdmVuLmNjMAoGCCqGSM49BAMCA0gAMEUCIQDZDdOmPxr5
ZImuHhD05P6pxqhBzaYT5gpimwiwRaTH/gIgfONp6ajv3h7J7Yy5Y56s1MkKIrTG
90DdHE0ewI40258=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=sni142395.cloudflaressl.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2
---
No client certificate CA names sent
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4263 bytes and written 263 bytes
Verification: OK
---
New, SSLv3, Cipher is ECDHE-ECDSA-AES128-SHA
Server public key is 256 bit
Secure Renegotiation IS supported
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-ECDSA-AES128-SHA
    Session-ID: B3D3918537F17225CC5CEFAC956D1CA633EBD1AC0F5FF431B27BADCEA8D768BB
    Session-ID-ctx: 
    Master-Key: 3484745B4C605ED65273BC86C58514EF8DD32B7847D7FA188093BBE9192451218E5FA4F3DF11D6CEEA648AFA6FE65CE6
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 64800 (seconds)
    TLS session ticket:
    0000 - c9 ea 35 99 eb cc 0d 9b-57 14 76 91 e1 54 eb 98   ..5.....W.v..T..
    0010 - d4 39 86 bc f3 84 ea 86-16 8d 08 d2 e6 ef 0c 02   .9..............
    0020 - 07 ec cf f7 41 43 9f 7d-5a 3f 92 37 50 28 0a 53   ....AC.}Z?.7P(.S
    0030 - 70 0b 91 cf 66 1e db f5-aa 34 1a f3 59 8e bd da   p...f....4..Y...
    0040 - f5 38 e6 7d 23 9c b5 78-36 92 a9 8e 92 97 09 ec   .8.}#..x6.......
    0050 - bd 7e 39 37 58 59 d2 88-fb 1e 2e c9 02 d7 11 3b   .~97XY.........;
    0060 - 80 01 4b c3 f7 a7 4b 33-4b 2b 0d b0 3f f8 bc 3e   ..K...K3K+..?..>
    0070 - 9f 61 ff dd da 42 ee 06-dd 17 69 5c 08 c0 75 7b   .a...B....i\..u{
    0080 - ac bf 08 22 0b fe 64 b8-19 a0 04 08 07 67 3a bc   ..."..d......g:.
    0090 - 27 24 16 83 87 c3 a2 46-72 e1 fa 96 78 92 36 71   '$.....Fr...x.6q
    00a0 - 58 ab 00 eb d8 b1 b8 e2-6e e2 4e 30 f3 1a 2d 6a   X.......n.N0..-j
    00b0 - 38 7e 29 75 83 d7 45 26-e3 70 0a bf ed 51 a4 1c   8~)u..E&.p...Q..

    Start Time: 1477471636
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no

$ openssl version
OpenSSL 1.1.0b  26 Sep 2016
查看更多
0人赞 添加讨论(0) 举报
兄弟一词,经得起流年.
3楼-- · 2019-03-01 12:55

OpenSSL Version: OpenSSL 1.1.0b 26 Sep 2016 ... sslv3 alert handshake failure (_ssl.c:645)>

I do not doubt that you have OpenSSL 1.1.0b installed on your system but I doubt that this version is actually used by your python. Usually MacOS has the old version 0.9.8 of OpenSSL installed and unless one compiles python to use another openssl this version will be used, even if other OpenSSL versions are installed somewhere on the system. To check what version of OpenSSL is used by your python:

  import ssl
  print(ssl.OPENSSL_VERSION)

If this shows OpenSSL 1.1.0b... I'm wrong in my assumption but if this shows 0.9.8 I'm right with the following argumentation:

  • handshake failure indicates a problem which is not related to certificate validation.
  • Looking at the SSLLabs report I can see that the server only suppors ECDHE ciphers.
  • ECDHE ciphers are not support by OpenSSL version 0.9.8
  • therefore there are no shared ciphers between client and server and the handshake fails
查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)