python3和请求:仍然出现"sslv3警报握手失败" [英] python3 and requests: still getting 'sslv3 alert handshake failure'
问题描述
我一直在尝试使用requests
在Python 3中执行HTTPS请求,并汇总了StackOverflow上记录的先前尝试中的几乎所有知识.我一生似乎无法摆脱sslv3 alert handshake failure
兔子洞.
I have been trying to perform an HTTPS request in Python 3 using requests
and aggregating pretty much all the knowledge from the prior attempts documented on StackOverflow. I cannot for the life of me seem to get out of the sslv3 alert handshake failure
rabbit hole.
这是我的环境:
- macOS 10.13.6
- Python 3.7.0(通过Homebrew与openssl一起安装)
- OpenSSL 1.0.2p 2018年8月14日(
print(ssl.OPENSSL_VERSION)
的输出)
通过 - 请求2.19.1(
print(requests.__version__)
的输出) - 已安装平均密码2.3.1
pip install requests[security]
安装的- macOS 10.13.6
- Python 3.7.0 (installed via Homebrew along with openssl)
- OpenSSL 1.0.2p 14 Aug 2018 (output of
print(ssl.OPENSSL_VERSION)
) - requests 2.19.1 (output of
print(requests.__version__)
) installed viapip install requests[security]
- even cryptography 2.3.1 is installed
这是失败的原始代码:
>>> import requests
>>> requests.get('https://iris.nuigalway.ie')
这是输出:
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/urllib3-1.23-py3.7.egg/urllib3/contrib/pyopenssl.py", line 444, in wrap_socket
cnx.do_handshake()
File "/usr/local/lib/python3.7/site-packages/pyOpenSSL-18.0.0-py3.7.egg/OpenSSL/SSL.py", line 1907, in do_handshake
self._raise_ssl_error(self._ssl, result)
File "/usr/local/lib/python3.7/site-packages/pyOpenSSL-18.0.0-py3.7.egg/OpenSSL/SSL.py", line 1639, in _raise_ssl_error
_raise_current_error()
File "/usr/local/lib/python3.7/site-packages/pyOpenSSL-18.0.0-py3.7.egg/OpenSSL/_util.py", line 54, in exception_from_error_queue
raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'ssl3_read_bytes', 'sslv3 alert handshake failure')]
不用说它可与cURL,浏览器等配合使用.
Needless to say it works with cURL, browsers etc.
curl --verbose "https://iris.nuigalway.ie"
以下是输出的握手摘要:
Here's a handshake snippet of the ouput:
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (IN), TLS handshake, Server finished (14):
* TLSv1.0 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.0 (OUT), TLS change cipher, Client hello (1):
* TLSv1.0 (OUT), TLS handshake, Finished (20):
* TLSv1.0 (IN), TLS change cipher, Client hello (1):
* TLSv1.0 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.0 / DES-CBC3-SHA
* ALPN, server did not agree to a protocol
根据 https://github.com/urllib3/urllib3/blob/1.23/urllib3/util/ssl_.py
所以我尝试使用 https://stackoverflow.com/a/40741362 中给出的建议添加它,如下所示:
So I tried adding it using the advice given at https://stackoverflow.com/a/40741362 like this:
>>> requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += 'DES-CBC3-SHA'
,甚至将其设置为ALL
.我什至试图不验证证书,但无济于事.
and even setting it to ALL
. I even tried not to verify the certificate, all to no avail.
>>> requests.get('https://iris.nuigalway.ie', verify=False)
通过服务器上的s_client
进行检查:
A check with s_client
on the server:
$ openssl s_client -connect iris.nuigalway.ie:443
显示以下TLS版本和密码:
reveals the following TLS version and cipher:
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
我可能还没有尝试过哪些选项?
What options could I possibly have not tried yet?
非常感谢
更新
ssl.OPENSSL_VERSION
OpenSSL.SSL.SSLeay_version(0)
的值显示了ssl
和pyOpenSSL
分别使用的两个不同版本的OpenSSL,后者是较新的OpenSSL 1.1.0i 14 Aug 2018
,最有可能放弃了对DES-CBC3-SHA
密码的支持
The values of ssl.OPENSSL_VERSION
OpenSSL.SSL.SSLeay_version(0)
revealed two different versions of OpenSSL used by ssl
and pyOpenSSL
respectively, the latter being a more recent OpenSSL 1.1.0i 14 Aug 2018
that has most likely dropped support for the DES-CBC3-SHA
cipher.
以下是我采用的临时解决方案:
Below is the temporary solution I have adopted:
- 卸载
cryptography
- 仅注入所需的密码,如下所示:
(请注意,它不再是串联的)
(Note that it is no longer a concatenation)
requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS = 'DES-CBC3-SHA'
我知道该解决方案可能不是最佳选择,并且不适用于许多情况,但是至少吸取的教训是,从一个软件包到另一个软件包,可能正在使用不同版本的OpenSSL.
I appreciate that this solution may be sub-optimal and not applicable to many cases, but at least the lesson learnt is that different versions of OpenSSL may be at play from one package to another.
如果有更灵活的解决方案,我将很高兴.
I will be happy to know of a more flexible solution if any.
推荐答案
服务器似乎真的坏了.如果仅将DES-CBC3-SHA
添加到密码列表中,它将无法正常工作,可能是因为服务器崩溃了,原因是客户端提供了服务器不知道的密码,或者是因为密码太多.
The server seems to be really broken. If you just add DES-CBC3-SHA
to the list of ciphers it will not work, maybe because the server croaks because the client offers ciphers the server does not know or because of too much ciphers.
如果将其更改为仅允许使用此单个密码,则它对我有效,即
If one instead changes it to only allow this single cipher it works for me, i.e.
requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS = 'DES-CBC3-SHA'
这篇关于python3和请求:仍然出现"sslv3警报握手失败"的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!