SSL v3 Handshake Failure (but only in newer versions of OpenSSL)


Problem description

This basic snippet in Python 3.5, with a specific website, fails with requests.exceptions.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:720)

import requests
requests.get("https://ssbp.mycampus.ca/prod_uoit/bwskfshd.P_CrseSchdDetl")

It works perfectly fine on Ubuntu 16.04, but the exact same script with the same versions of all its Python dependencies fails on Debian Stretch.

I've tried installing requests[security] and it makes no difference. The only notable difference between my installations is that Debian has OpenSSL 1.1.0c 10 Nov 2016 and Ubuntu has version OpenSSL 1.0.2g 1 Mar 2016.

Somehow the newer version of OpenSSL must be causing it to fail.

The version of requests used is 2.11.1.

Recommended answer

The server only supports a single old cipher: DES-CBC3-SHA. This cipher is considered weak (SWEET32) and is removed from the default build in OpenSSL 1.1.0. Since Debian follows the default build the cipher is not available on newer Debian versions.

Changes between 1.0.2h and 1.1.0:

To mitigate the SWEET32 attack (CVE-2016-2183), 3DES cipher suites have been disabled by default and removed from DEFAULT, just like RC4. See the RC4 item below to re-enable both.
...
RC4 based libssl ciphersuites are now classed as "weak" ciphers and are disabled by default. They can be re-enabled using the enable-weak-ssl-ciphers option to Configure.
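
To confirm on a given machine that the failure comes from the local OpenSSL build rather than from requests, the check below asks Python's ssl module whether DES-CBC3-SHA can be selected at all and whether it is in the default client list. It is an added example, not part of the original answer; the function names (selectable, in_default, diagnose) are hypothetical, and it needs Python 3.6 or later.

```python
import ssl

def selectable(cipher_string):
    """True if the local OpenSSL build can select at least one suite.

    Takes OpenSSL cipher-list syntax for TLS 1.2-and-earlier suites.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)  # raises SSLError when nothing matches
    except ssl.SSLError:
        return False
    return True

def in_default(name):
    """True if the suite is in the list Python's default client context offers."""
    ctx = ssl.create_default_context()
    return any(c["name"] == name for c in ctx.get_ciphers())

def diagnose(name="DES-CBC3-SHA"):
    """Classify one suite: in the default list, compiled in only, or absent."""
    compiled_in = selectable(name)
    default = in_default(name)
    if default:
        verdict = "offered by default"
    elif compiled_in:
        verdict = "compiled in, but not in the default list"
    else:
        verdict = "not in this build: a server that accepts only this suite cannot be reached"
    return {"openssl": ssl.OPENSSL_VERSION, "cipher": name,
            "compiled_in": compiled_in, "in_default": default, "verdict": verdict}

if __name__ == "__main__":
    # Runs offline: only the local library is inspected, no connection is made.
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Running it on both machines and comparing the `openssl` and `verdict` lines shows whether the two installations differ in exactly the way the answer describes.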
