SSLv3警报与urllib2握手失败 [英] SSLv3 alert handshake failure with urllib2

问题描述

在Python 2.7.10下使用urllib2与https连接时遇到麻烦.

I'm having troubles connecting with https using urllib2 under Python 2.7.10.

有什么想念我想念的吗?

Any thoughts what I'm missing?

Python 2.7.10 (default, Jun 18 2015, 10:53:24) 
[GCC 4.4.5] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl, urllib2
>>> ssl.HAS_SNI
True
>>> ssl.OPENSSL_VERSION
'OpenSSL 0.9.8o 01 Jun 2010'
>>> opener = urllib2.build_opener()
>>> opener.open('https://twitrss.me/')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/python2.7/lib/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/usr/local/python2.7/lib/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/usr/local/python2.7/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/usr/local/python2.7/lib/python2.7/urllib2.py", line 1240, in https_open
    context=self._context)
  File "/usr/local/python2.7/lib/python2.7/urllib2.py", line 1197, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:590)>

推荐答案

我能够在OS X 10.10.3上复制您的问题，该OS X 10.10.3的原始Python是使用OpenSSL 0.9.8zd构建的2.7.6.

I was able to duplicate your problem on OS X 10.10.3, whose stock Python is 2.7.6 built with OpenSSL 0.9.8zd.

问题是TLS中缺少服务器名称指示(SNI)扩展名twitrss.me网站显然要求进行握手:

The problem is the lack of the Server Name Indication (SNI) extension in the TLS handshake, which the twitrss.me site apparently requires:

服务器名称指示(SNI)是TLS计算机的扩展 客户端用来指示其主机名的网络协议 正在尝试在握手过程开始时连接到该计算机.

Server Name Indication (SNI) is an extension to the TLS computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process.

我通过使用OpenSSL编写一个小型C ++程序并插入OpenSSL调用来验证了这一点

I verified this by writing a small C++ program with OpenSSL, and inserting the OpenSSL call

SSL_set_tlsext_host_name(ssl, "twitrss.me");

允许成功连接，而忽略失败.我还查看了数据包转储，以验证在尝试使用Python进行连接时SNI是否丢失.

allows a successful connection while omitting it fails. I also looked at packet dumps to verify that SNI was missing when attempting connection using Python.

Python SSL模块显然在Python 2中可能需要解决方法.看来 PEP 0466 包含SNI并进入了Python 2.7.9，因此您应该拥有它，但是我不知道urllib2/urllib3是否在没有解决方法的情况下利用它.

The Python SSL module apparently supports SNI in Python 3 but may require a workaround in Python 2. It appears that PEP 0466 includes SNI and landed in Python 2.7.9, so you should have it, but I don't know if urllib2/urllib3 take advantage of that without the workaround.

这篇关于SSLv3警报与urllib2握手失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！