SSLV3_ALERT_HANDSHAKE_FAILURE using ofxget for Vanguard #139

Closed
amandabot opened this issue Nov 7, 2021 · 5 comments
@amandabot

When I use ofxget, the script errors out with an SSL handshake failure.

Is this an issue with Vanguard, my setup, or something else?

Command I ran:
ofxget stmt vanguard -u <username> --all

Note: vanguard is coming from fi.cfg; I did not set up a configuration file.

Python Version: 3.10
OFX Tools Version: 0.9.4
OS: Windows 10

Stack Trace:

Traceback (most recent call last):
  File "C:\Programs\Python\Python310\lib\urllib\request.py", line 1348, in do_open   
    h.request(req.get_method(), req.selector, req.data, headers,
  File "C:\Programs\Python\Python310\lib\http\client.py", line 1276, in request      
    self._send_request(method, url, body, headers, encode_chunked)
  File "C:\Programs\Python\Python310\lib\http\client.py", line 1322, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "C:\Programs\Python\Python310\lib\http\client.py", line 1271, in endheaders   
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "C:\Programs\Python\Python310\lib\http\client.py", line 1031, in _send_output 
    self.send(msg)
  File "C:\Programs\Python\Python310\lib\http\client.py", line 969, in send
    self.connect()
  File "C:\Programs\Python\Python310\lib\http\client.py", line 1448, in connect      
    self.sock = self._context.wrap_socket(self.sock,
  File "C:\Programs\Python\Python310\lib\ssl.py", line 512, in wrap_socket
    return self.sslsocket_class._create(
  File "C:\Programs\Python\Python310\lib\ssl.py", line 1070, in _create
    self.do_handshake()
  File "C:\Programs\Python\Python310\lib\ssl.py", line 1341, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Programs\Python\Python310\Scripts\ofxget-script.py", line 33, in <module>
    sys.exit(load_entry_point('ofxtools==0.9.4', 'console_scripts', 'ofxget')())
  File "C:\Programs\Python\Python310\lib\site-packages\ofxtools\scripts\ofxget.py", line 1598, in main
    REQUEST_HANDLERS[args["request"]](args)
  File "C:\Programs\Python\Python310\lib\site-packages\ofxtools\scripts\ofxget.py", line 660, in request_stmt
    acctinfo = _request_acctinfo(args, password)
  File "C:\Programs\Python\Python310\lib\site-packages\ofxtools\scripts\ofxget.py", line 617, in _request_acctinfo
    with client.request_accounts(
  File "C:\Programs\Python\Python310\lib\site-packages\ofxtools\Client.py", line 593, in request_accounts
    RqCls2url = self._get_service_urls(
  File "C:\Programs\Python\Python310\lib\site-packages\ofxtools\Client.py", line 420, in _get_service_urls
    profile = self.request_profile(
  File "C:\Programs\Python\Python310\lib\site-packages\ofxtools\Client.py", line 492, in request_profile
    response = self._request_profile(
  File "C:\Programs\Python\Python310\lib\site-packages\ofxtools\Client.py", line 567, in _request_profile
    return self.download(
  File "C:\Programs\Python\Python310\lib\site-packages\ofxtools\Client.py", line 863, in download
    response = url_opener(req, **kwargs)
  File "C:\Programs\Python\Python310\lib\urllib\request.py", line 519, in open
    response = self._open(req, data)
  File "C:\Programs\Python\Python310\lib\urllib\request.py", line 536, in _open
    result = self._call_chain(self.handle_open, protocol, protocol +
  File "C:\Programs\Python\Python310\lib\urllib\request.py", line 496, in _call_chain
    result = func(*args)
  File "C:\Programs\Python\Python310\lib\urllib\request.py", line 1391, in https_open
    return self.do_open(http.client.HTTPSConnection, req,
  File "C:\Programs\Python\Python310\lib\urllib\request.py", line 1351, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)>
@csingley
Owner

csingley commented Nov 8, 2021

I believe this isn't an ofxtools issue.

I'm not much of a web programmer, and even less of a Windows expert... but it sounds like your machine and Vanguard can't negotiate mutually acceptable parameters to set up a secure connection. Perhaps Vanguard has raised their minimum acceptable cipher algorithm to something higher than what your machine's implementation of SSL supports?

You can check this out:

https://www.ssllabs.com/ssltest/analyze.html?d=vesnc.vanguard.com&s=192.175.161.62&latest

Looks like Vanguard's server is on TLS version 1.2, using 2048-bit RSA for the key exchange, and a few versions of RSA/AES for the block cipher algorithm. Can your system match those requirements? I don't know quite what to tell you about this; I'd think SSL would be bundled into Windows and updated along with the OS. Is your OS up to date? I can't imagine Vanguard wouldn't support Windows 10 OS defaults for SSL.

Is there something funky about Python 3.10 usage of SSL? That's, like, brand-spanking-new, and I'm kind of afraid to use it yet.

I can tell you that I can currently log into Vanguard using ofxtools master on Python 3.9, using OpenSSL v1.1.1l (on Linux). The only thing I can think to tell you is to upgrade/downgrade SSL, or downgrade back to Python 3.9 and try that.

You might be able to get more help from somebody who knows more about it, because your problem isn't likely with code that I wrote & maintain. But let me know how it goes, because I am interested.

@csingley
Owner

csingley commented Nov 8, 2021

Are you using pyopenssl? Is it up to date?

@amandabot
Author

amandabot commented Nov 9, 2021

Thanks for the tips! Success!

I'm going to record the state of my system and the changes I made based on your suggestions in case someone else encounters this issue.

I am on the latest Windows 10.
I already had pyopenssl@21.0.0 installed.

I installed OpenSSL (for Windows) since it was mentioned here in the Python SSL docs.
I rolled back Python to 3.9.8.

It seems like Python 3.10 is the culprit; after getting it working with 3.9, I tried 3.10 again to see if it was OpenSSL that fixed things, but no dice.

@M1Sports20

Although a hack, I found this commit that fixes this on the latest Python.
aclindsa@8d0fccb

@emin63

emin63 commented Sep 10, 2024

@csingley : I got bitten by this issue connecting to Vanguard using python 3.10. I believe it is because Vanguard is using outdated SSL and python 3.10 tightened SSL requirements.

Do you plan to include the fixes in #139 (comment) in the main ofxtools repo? That approach would get my vote since I think this is going to be a blocker for all versions of python from 3.10 on (unless Vanguard fixes the issue on their end).

Of course, I can understand if you don't want to muck up your code because of Vanguard's stupidity. Another workaround I found is to pin an older version of requests to 2.24.0 (e.g., with pip install requests==2.24.0).

Thanks again for ofxtools.

dustinfarris added a commit to dustinfarris/ofxtools that referenced this issue Oct 6, 2024
This is needed to support newer python/openssl that are stricter while
Vanguard is still using old ciphers.

Copied from aclindsa/ofxtools@8d0fccb

See: csingley#139
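
An added example, not code from ofxtools or from the commit referenced above: Python 3.10 changed the ssl module defaults to drop cipher suites without forward secrecy, which matches the thread's report of a TLS 1.2 server that uses RSA key exchange. The sketch below lists which static-RSA suites a context offers and builds a context for a single legacy endpoint that re-enables two of them while keeping certificate and hostname verification; the suite names in `LEGACY_RSA_AES` and all function names are assumptions made for illustration.

```python
import ssl

# Assumption taken from the thread: the server speaks TLS 1.2 and offers only
# static-RSA key exchange with AES. These two suite names are illustrative.
LEGACY_RSA_AES = "AES256-GCM-SHA384:AES128-GCM-SHA256"


def rsa_kx_suites(ctx):
    """Names of suites enabled in ctx that use static RSA key exchange."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c.get("kea") == "kx-rsa")


def legacy_context():
    """Context for one legacy endpoint; verification stays at the defaults."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret suites are offered first; the RSA suites are a fallback
    # for a server that supports nothing else.
    ctx.set_ciphers("ECDH+AESGCM:ECDH+CHACHA20:" + LEGACY_RSA_AES)
    return ctx


def report():
    """Compare what the interpreter offers by default with the scoped context."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "default_rsa_kx": rsa_kx_suites(ssl.create_default_context()),
        "legacy_rsa_kx": rsa_kx_suites(legacy_context()),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
    # Pass the context per request rather than changing global defaults, e.g.
    # urllib.request.urlopen(req, context=legacy_context())
```

An empty `default_rsa_kx` list alongside a non-empty `legacy_rsa_kx` list means the interpreter's defaults cannot complete a handshake with a server limited to RSA key exchange.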