https sslv3 error 14077417: illegal parameter #55429

Closed
IanWetherbee mannequin opened this issue Feb 16, 2011 · 8 comments
Labels
stdlib (Python modules in the Lib dir), type-bug (An unexpected behavior, bug, or error)

Comments

@IanWetherbee
Mannequin

IanWetherbee mannequin commented Feb 16, 2011

BPO 11220
Nosy @orsenthil, @pitrou

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

assignee = None
closed_at = <Date 2011-02-16.18:23:19.522>
created_at = <Date 2011-02-16.04:15:42.104>
labels = ['type-bug', 'library']
title = 'https sslv3 error 14077417: illegal parameter'
updated_at = <Date 2015-12-15.15:57:43.942>
user = 'https://bugs.python.org/IanWetherbee'

bugs.python.org fields:

activity = <Date 2015-12-15.15:57:43.942>
actor = 'haridsv'
assignee = 'none'
closed = True
closed_date = <Date 2011-02-16.18:23:19.522>
closer = 'Ian.Wetherbee'
components = ['Library (Lib)']
creation = <Date 2011-02-16.04:15:42.104>
creator = 'Ian.Wetherbee'
dependencies = []
files = []
hgrepos = []
issue_num = 11220
keywords = []
message_count = 8.0
messages = ['128626', '128632', '128633', '128635', '128651', '128684', '128686', '256462']
nosy_count = 4.0
nosy_names = ['orsenthil', 'pitrou', 'haridsv', 'Ian.Wetherbee']
pr_nums = []
priority = 'normal'
resolution = 'works for me'
stage = None
status = 'closed'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue11220'
versions = ['Python 2.6', 'Python 3.1']

@IanWetherbee
Mannequin Author

IanWetherbee mannequin commented Feb 16, 2011

Certain HTTPS URLs do not open using urllib2 (py2.6) and urllib (py3.1), but they open using the latest version of curl and Firefox.

To reproduce:
>>> import urllib.request
>>> urllib.request.urlopen("https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse")
Traceback (most recent call last):
  File "/usr/lib64/python3.1/urllib/request.py", line 1072, in do_open
    h.request(req.get_method(), req.selector, req.data, headers)
  File "/usr/lib64/python3.1/http/client.py", line 932, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python3.1/http/client.py", line 970, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python3.1/http/client.py", line 928, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python3.1/http/client.py", line 782, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.1/http/client.py", line 723, in send
    self.connect()
  File "/usr/lib64/python3.1/http/client.py", line 1055, in connect
    self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file)
  File "/usr/lib64/python3.1/ssl.py", line 381, in wrap_socket
    suppress_ragged_eofs=suppress_ragged_eofs)
  File "/usr/lib64/python3.1/ssl.py", line 135, in __init__
    raise x
  File "/usr/lib64/python3.1/ssl.py", line 131, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.1/ssl.py", line 327, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [Errno 1] _ssl.c:488: error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.1/urllib/request.py", line 121, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib64/python3.1/urllib/request.py", line 349, in open
    response = self._open(req, data)
  File "/usr/lib64/python3.1/urllib/request.py", line 367, in _open
    '_open', req)
  File "/usr/lib64/python3.1/urllib/request.py", line 327, in _call_chain
    result = func(*args)
  File "/usr/lib64/python3.1/urllib/request.py", line 1098, in https_open
    return self.do_open(http.client.HTTPSConnection, req)
  File "/usr/lib64/python3.1/urllib/request.py", line 1075, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [Errno 1] _ssl.c:488: error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter>

Curl request:
$ curl https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="https://apps.uillinois.edu/selfservice/error/">here</A>.<P>
<HR>
<ADDRESS>Oracle-Application-Server-10g/10.1.2.3.0 Oracle-HTTP-Server Server at ui2web1a.admin.uillinois.edu Port 443</ADDRESS>
</BODY></HTML>

@IanWetherbee IanWetherbee mannequin added the type-bug An unexpected behavior, bug, or error label Feb 16, 2011
@orsenthil
Member

curl (7.21.0) fails with the same error message too for the target website. (Is the server doing anything different? For other HTTPS sites (which also use redirection) urllib.request works fine.)

senthil@ubuntu:~/python/py3k$ curl -v https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse

* About to connect() to ui2web1.apps.uillinois.edu port 443 (#0)
* Trying 64.22.183.24... connected
* Connected to ui2web1.apps.uillinois.edu (64.22.183.24) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter
* Closing connection #0
curl: (35) error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter

@IanWetherbee
Mannequin Author

IanWetherbee mannequin commented Feb 16, 2011

The server seems to be sending a bad TLS handshake, so curl falls back on SSLv3 with TLS disabled.

curl 7.20.1 (x86_64-redhat-linux-gnu) libcurl/7.20.1 NSS/3.12.8.0 zlib/1.2.3 libidn/1.16 libssh2/1.2.4
Protocols: dict file ftp ftps http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

curl -v https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse

* About to connect() to ui2web1.apps.uillinois.edu port 443 (#0)
* Trying 64.22.183.24... connected
* Connected to ui2web1.apps.uillinois.edu (64.22.183.24) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12226
* Error in TLS handshake, trying SSLv3...
> GET /BANPROD1/bwskfcls.P_GetCrse HTTP/1.1
> User-Agent: curl/7.20.1 (x86_64-redhat-linux-gnu) libcurl/7.20.1 NSS/3.12.8.0 zlib/1.2.3 libidn/1.16 libssh2/1.2.4
> Host: ui2web1.apps.uillinois.edu
> Accept: */*
>
* Connection died, retrying a fresh connect
* Closing connection #0
* Issue another request to this URL: 'https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse'
* About to connect() to ui2web1.apps.uillinois.edu port 443 (#0)
* Trying 64.22.183.24... connected
* Connected to ui2web1.apps.uillinois.edu (64.22.183.24) port 443 (#0)
* TLS disabled due to previous handshake failure
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using SSL_RSA_WITH_RC4_128_MD5
* Server certificate:
* subject: CN=ui2web1.apps.uillinois.edu,OU=AITS 20100517-25690,O=University of Illinois,L=Urbana,ST=Illinois,C=US
* start date: May 17 00:00:00 2010 GMT
* expire date: May 17 23:59:59 2011 GMT
* common name: ui2web1.apps.uillinois.edu
* issuer: E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
> GET /BANPROD1/bwskfcls.P_GetCrse HTTP/1.1
> User-Agent: curl/7.20.1 (x86_64-redhat-linux-gnu) libcurl/7.20.1 NSS/3.12.8.0 zlib/1.2.3 libidn/1.16 libssh2/1.2.4
> Host: ui2web1.apps.uillinois.edu
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 16 Feb 2011 07:49:43 GMT
< Server: Oracle-Application-Server-10g/10.1.2.3.0 Oracle-HTTP-Server
< Location: https://apps.uillinois.edu/selfservice/error/
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="https://apps.uillinois.edu/selfservice/error/">here</A>.<P>
<HR>
<ADDRESS>Oracle-Application-Server-10g/10.1.2.3.0 Oracle-HTTP-Server Server at ui2web1b.admin.uillinois.edu Port 443</ADDRESS>
</BODY></HTML>
* Closing connection #0

@orsenthil
Member

The problem is the server strictly accepts SSLv3 only and urllib and http.client send SSLv23 protocol.

(In http/client.py, line 1077)
if context is None:
    # Some reasonable defaults
    context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
    context.options |= ssl.OP_NO_SSLv2
will_verify = context.verify_mode != ssl.CERT_NONE

However, in order to use only SSLv3, one can set the context to ssl.PROTOCOL_SSLv3 in the HTTPSHandler and use it.

import urllib.request
import ssl
https_sslv3_handler = urllib.request.HTTPSHandler(context=ssl.SSLContext(ssl.PROTOCOL_SSLv3))
opener = urllib.request.build_opener(https_sslv3_handler)
urllib.request.install_opener(opener)
urllib.request.urlopen('https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse')

@pitrou
Member

pitrou commented Feb 16, 2011

I get an error using the following curl too:

curl 7.20.1 (x86_64-mandriva-linux-gnu) libcurl/7.20.1 OpenSSL/1.0.0a zlib/1.2.3 libidn/1.18 libssh2/1.2.5
Protocols: dict file ftp ftps http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

The same URL sends wget into a loop:

$ LANG=C wget -v -O - https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse
--2011-02-16 12:01:39--  https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse
Resolving ui2web1.apps.uillinois.edu... 64.22.183.24
Connecting to ui2web1.apps.uillinois.edu|64.22.183.24|:443... connected.
HTTP request sent, awaiting response... No data received.
Retrying.

--2011-02-16 12:01:40-- (try: 2) https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse
Connecting to ui2web1.apps.uillinois.edu|64.22.183.24|:443... connected.
HTTP request sent, awaiting response... No data received.
Retrying.

--2011-02-16 12:01:43-- (try: 3) https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse
Connecting to ui2web1.apps.uillinois.edu|64.22.183.24|:443... connected.
HTTP request sent, awaiting response... No data received.
Retrying.

IMO, this all points to the remote server being poorly compliant. Senthil's solution seems good enough here.

@IanWetherbee
Mannequin Author

IanWetherbee mannequin commented Feb 16, 2011

Any solution for 2.x? I'm using this with twisted.

@IanWetherbee
Mannequin Author

IanWetherbee mannequin commented Feb 16, 2011

This works for 2.x, I'm closing this issue:

# custom HTTPS opener, banner's oracle 10g server supports SSLv3 only
import httplib, ssl, urllib2, socket
class HTTPSConnectionV3(httplib.HTTPSConnection):
    def __init__(self, *args, **kwargs):
        httplib.HTTPSConnection.__init__(self, *args, **kwargs)
        
    def connect(self):
        sock = socket.create_connection((self.host, self.port), self.timeout)
        if self._tunnel_host:
            self.sock = sock
            self._tunnel()
        try:
            self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv3)
        except ssl.SSLError, e:
            print("Trying SSLv3.")
            self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23)
            
class HTTPSHandlerV3(urllib2.HTTPSHandler):
    def https_open(self, req):
        return self.do_open(HTTPSConnectionV3, req)
# install opener
urllib2.install_opener(urllib2.build_opener(HTTPSHandlerV3()))

if __name__ == "__main__":
    r = urllib2.urlopen("https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse")
    print(r.read())

@IanWetherbee IanWetherbee mannequin closed this as completed Feb 16, 2011
@mrDoctorWho0 mrDoctorWho0 mannequin added the stdlib Python modules in the Lib dir label Sep 20, 2013
@mrDoctorWho0 mrDoctorWho0 mannequin changed the title https sslv3 error 14077417: illegal parameter Sometimes library raises URLError when trying POST with httpS Sep 20, 2013
@Arfrever Arfrever mannequin changed the title Sometimes library raises URLError when trying POST with httpS https sslv3 error 14077417: illegal parameter Sep 20, 2013
@haridsv
Mannequin

haridsv mannequin commented Dec 15, 2015

Interesting... the posted Python code for 2.x didn't work for me on 2.6.9 on Mac OS X (10.10.5). The code in the catch block further generates the exception below:

Traceback (most recent call last):
  File "/tmp/t.py", line 17, in connect
    self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23)
  File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/ssl.py", line 338, in wrap_socket
    suppress_ragged_eofs=suppress_ragged_eofs)
  File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/ssl.py", line 120, in __init__
    self.do_handshake()
  File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/ssl.py", line 279, in do_handshake
    self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:493: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Is there another workaround that is known to work with this version of Python?
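
Added example, not part of the original thread and not CPython code: a small decoder for the two packed OpenSSL error codes quoted above (14077417 and 140770FC), showing which one is a TLS alert sent by the server and which one was raised locally by the client. It assumes the OpenSSL 1.x code layout in use at the time of this issue; the function and table names are illustrative.

```python
import re

# OpenSSL 1.x packs an error code as 0xLLFFFRRR: library (8 bits),
# function (12 bits), reason (12 bits). OpenSSL 3.x changed this layout.
ERR_LIB_SSL = 20
ALERT_OFFSET = 1000  # SSL reasons >= 1000 mean "peer sent TLS alert (reason - 1000)"

# Subset of TLS alert descriptions (RFC 5246, section 7.2).
TLS_ALERTS = {
    10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
    42: "bad_certificate", 47: "illegal_parameter", 48: "unknown_ca",
    70: "protocol_version", 71: "insufficient_security", 80: "internal_error",
}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.+)")

# Error lines quoted in the thread above.
SAMPLES = [
    "ssl.SSLError: [Errno 1] _ssl.c:488: error:14077417:SSL routines:"
    "SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter",
    "SSLError: [Errno 1] _ssl.c:493: error:140770FC:SSL routines:"
    "SSL23_GET_SERVER_HELLO:unknown protocol",
]

def decode_openssl_error(line):
    """Split a packed OpenSSL 1.x error and say whether the peer or the client raised it."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    info = {
        "lib": (code >> 24) & 0xFF,
        "func": (code >> 12) & 0xFFF,
        "reason": code & 0xFFF,
        "func_name": m.group(3),
        "origin": "local",
        "alert": None,
    }
    if info["lib"] == ERR_LIB_SSL and info["reason"] >= ALERT_OFFSET:
        number = info["reason"] - ALERT_OFFSET
        info["origin"] = "peer"
        info["alert"] = TLS_ALERTS.get(number, "alert_%d" % number)
    return info

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decode_openssl_error(sample))
```

A "peer" origin means the server rejected the ClientHello with that alert; a "local" origin means the client's own OpenSSL raised the error while reading the server's reply.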

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022