OpenSSL unsafe legacy renegotiation disabled error #5491
Comments
This is explicitly disabled in OpenSSL 3: https://www.openssl.org/docs/manmaster/man7/migration_guide.html We may need to add some new OP_* flags to support connecting to these outdated servers.
@wRAR Can the downgrade of OpenSSL, pyopenssl and cryptography help in this situation?
You should downgrade pyOpenSSL to a version that ships 1.1, assuming it uses a bundled one in your environment (which I suspect it does).
@wRAR looks like twisted does not support OP flags...
You can usually access the underlying OpenSSL.SSL.Context object and call
@wRAR fixed by downgrading cryptography to 36.0.2
Now pyOpenSSL uses OpenSSL 1.1.1n
Right, it's
I'm having the same problem when trying to scrape the Cisco website for security advisories. How can I downgrade cryptography to a specific version inside of the scrapy package?
It's not "inside of the scrapy package", it's in your Python environment.
I'm having the same problem with Government of Ireland websites. E.g.,
Comes back with the error,
Curl and various web browsers do fine with it. Downgrading Does anyone know how to determine exactly what these websites need to upgrade? I.e., if I were going to get in touch with the Government of Ireland webmaster, what would I say? It's not immediately obvious that the bug is not with
If you are going to contact the website owner just point them to https://www.ssllabs.com/ssltest/ results for their website. I mean, if the task is "make it work with OpenSSL 3.0 clients" then the fix is to implement RFC 5746, but I'm not sure the website owner would really want to fix it, considering that the website works in browsers, and it may not be easy or even possible with the stack they are now using, looking at its other problems. And if the task is "make it more secure" then the more important problem is SSL3 not being disabled.
I agree it's not immediately obvious and some research would be needed. I did it earlier and linked the OpenSSL 3.0 changelog which explicitly lists things that are not supported anymore.
I want to drop this relevant link here: Here is a very useful piece of code to circumvent the issue without downgrading:
(note that Scrapy doesn't use
I ran into the same problem, and built a custom context factory to solve it. I hope it will be helpful for others: contextfactory.py (within MyProject folder)
within my_spider.py
This code works too. contextfactory.py

```python
from scrapy.core.downloader.contextfactory import ScrapyClientContextFactory
from cryptography.hazmat.bindings.openssl.binding import Binding


class LegacyConnectContextFactory(ScrapyClientContextFactory):
    def getContext(self, hostname=None, port=None):
        ctx = super(LegacyConnectContextFactory, self).getContext()
        binding = Binding()
        # Set the OpenSSL option that permits unsafe legacy renegotiation on this context
        ctx.set_options(binding.lib.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
        return ctx
```
Description
I get an SSL issue on a working site
twisted.web._newclient.ResponseNeverReceived: [<twisted.python.failure.Failure OpenSSL.SSL.Error: [('SSL routines', '', 'unsafe legacy renegotiation disabled')]>]
Steps to Reproduce
scrapy shell https://dorotheum.com
Expected behavior: HTML page
Actual behavior: the error above
Reproduces how often: 100%
Versions