https sslv3 error 14077417: illegal parameter #55429
Certain https urls do not open using urllib2 (py2.6) and urllib(py3.1), but they open using the latest version of curl and firefox. To reproduce:
>>> import urllib.request
>>> urllib.request.urlopen("https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse")
Traceback (most recent call last):
  File "/usr/lib64/python3.1/urllib/request.py", line 1072, in do_open
    h.request(req.get_method(), req.selector, req.data, headers)
  File "/usr/lib64/python3.1/http/client.py", line 932, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python3.1/http/client.py", line 970, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python3.1/http/client.py", line 928, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python3.1/http/client.py", line 782, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.1/http/client.py", line 723, in send
    self.connect()
  File "/usr/lib64/python3.1/http/client.py", line 1055, in connect
    self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file)
  File "/usr/lib64/python3.1/ssl.py", line 381, in wrap_socket
    suppress_ragged_eofs=suppress_ragged_eofs)
  File "/usr/lib64/python3.1/ssl.py", line 135, in __init__
    raise x
  File "/usr/lib64/python3.1/ssl.py", line 131, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.1/ssl.py", line 327, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [Errno 1] _ssl.c:488: error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.1/urllib/request.py", line 121, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib64/python3.1/urllib/request.py", line 349, in open
    response = self._open(req, data)
  File "/usr/lib64/python3.1/urllib/request.py", line 367, in _open
    '_open', req)
  File "/usr/lib64/python3.1/urllib/request.py", line 327, in _call_chain
    result = func(*args)
  File "/usr/lib64/python3.1/urllib/request.py", line 1098, in https_open
    return self.do_open(http.client.HTTPSConnection, req)
  File "/usr/lib64/python3.1/urllib/request.py", line 1075, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [Errno 1] _ssl.c:488: error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter>

Curl request:
|
curl (7.21.0) fails with the same error message too for the target website. (Is the server doing anything different? For other HTTPS sites (which also use redirection) urllib.request works fine.)

senthil@ubuntu:~/python/py3k$ curl -v https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse
|
The server seems to be sending a bad TLS handshake, so curl falls back on SSLv3 with TLS disabled.

curl 7.20.1 (x86_64-redhat-linux-gnu) libcurl/7.20.1 NSS/3.12.8.0 zlib/1.2.3 libidn/1.16 libssh2/1.2.4

curl -v https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse
< HTTP/1.1 302 Found
|
The problem is the server strictly accepts SSLv3 only and urllib and http.client send SSLv23 protocol. (In http/client.py, line 1077) However, in order to use only SSLv3, one can set the context to ssl.PROTOCOL_SSLv3 in the HTTPSHandler and use it.

import urllib.request
import ssl

# Pin the handshake to SSLv3 instead of the default SSLv23 hello
https_sslv3_handler = urllib.request.HTTPSHandler(context=ssl.SSLContext(ssl.PROTOCOL_SSLv3))
opener = urllib.request.build_opener(https_sslv3_handler)
# Install the opener globally so urlopen() uses the SSLv3-only handler
urllib.request.install_opener(opener)
urllib.request.urlopen('https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse')
|
I get an error using the following curl too:

curl 7.20.1 (x86_64-mandriva-linux-gnu) libcurl/7.20.1 OpenSSL/1.0.0a zlib/1.2.3 libidn/1.18 libssh2/1.2.5

The same URL sends wget into a loop:

$ LANG=C wget -v -O - https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse
--2011-02-16 12:01:39-- https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse
Resolving ui2web1.apps.uillinois.edu... 64.22.183.24
Connecting to ui2web1.apps.uillinois.edu|64.22.183.24|:443... connected.
HTTP request sent, awaiting response... No data received.
Retrying.

--2011-02-16 12:01:40-- (try: 2) https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse
--2011-02-16 12:01:43-- (try: 3) https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse

IMO, this all points to the remote server being poorly compliant. Senthil's solution seems good enough here.
|
Any solution for 2.x? I'm using this with twisted. |
This works for 2.x, I'm closing this issue:

# custom HTTPS opener, banner's oracle 10g server supports SSLv3 only
import httplib, ssl, urllib2, socket

class HTTPSConnectionV3(httplib.HTTPSConnection):
    def __init__(self, *args, **kwargs):
        httplib.HTTPSConnection.__init__(self, *args, **kwargs)

    def connect(self):
        sock = socket.create_connection((self.host, self.port), self.timeout)
        if self._tunnel_host:
            self.sock = sock
            self._tunnel()
        try:
            # first attempt: force an SSLv3-only handshake
            self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv3)
        except ssl.SSLError, e:
            # fallback: retry with the default SSLv23 hello on the same socket
            print("Trying SSLv23.")
            self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23)

class HTTPSHandlerV3(urllib2.HTTPSHandler):
    def https_open(self, req):
        return self.do_open(HTTPSConnectionV3, req)

# install opener
urllib2.install_opener(urllib2.build_opener(HTTPSHandlerV3()))

if __name__ == "__main__":
    r = urllib2.urlopen("https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse")
    print(r.read())
|
Interesting... the posted Python code for 2.x didn't work for me on 2.6.9 on Mac OS X (10.10.5). The code in catch block further generates the below exception:

Traceback (most recent call last):
  File "/tmp/t.py", line 17, in connect
    self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23)
  File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/ssl.py", line 338, in wrap_socket
    suppress_ragged_eofs=suppress_ragged_eofs)
  File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/ssl.py", line 120, in __init__
    self.do_handshake()
  File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/ssl.py", line 279, in do_handshake
    self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:493: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Is there another workaround that is known to work with this version of Python?
|
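For triaging the two handshake errors quoted in this thread, the following added example (not code from the issue or from CPython) decodes the OpenSSL error number to tell an alert sent by the server from a failure raised by the local library. It assumes the pre-3.0 OpenSSL error-code layout; `decode_openssl_error` is a hypothetical helper name.

```python
import re

# OpenSSL 1.0.x/1.1.x pack an error code as lib (8 bits) | func (12) | reason (12).
# OpenSSL 3.x uses a different layout, so this decoder assumes the older format.
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reasons >= 1000 are 1000 + a TLS alert number

# Subset of TLS alert descriptions (RFC 5246, section 7.2)
TLS_ALERTS = {10: "unexpected_message", 40: "handshake_failure",
              47: "illegal_parameter", 70: "protocol_version"}

ERROR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^>]*)")

# The two error strings quoted in this thread
PAGE_ERRORS = [
    "ssl.SSLError: [Errno 1] _ssl.c:488: error:14077417:SSL routines:"
    "SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter",
    "SSLError: [Errno 1] _ssl.c:493: error:140770FC:SSL routines:"
    "SSL23_GET_SERVER_HELLO:unknown protocol",
]

def decode_openssl_error(line):
    """Split an 'error:XXXXXXXX:lib:func:reason' string into its fields."""
    m = ERROR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {
        "lib": lib, "func": func, "reason": reason,
        "routine": m.group(3), "text": m.group(4).strip(),
        "peer_alert": alert,
        "peer_alert_name": TLS_ALERTS.get(alert),
        # An alert means the peer rejected the handshake; otherwise the local
        # library gave up on what it read from the socket.
        "origin": "alert sent by peer" if alert is not None else "raised locally",
    }

if __name__ == "__main__":
    for line in PAGE_ERRORS:
        print(decode_openssl_error(line))
```
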