Requests failing to connect to a TLS server

Problem description

I'm having an issue tracking down why requests fails to connect to a specific host.

The following works just fine via curl, or browser:

curl https://banking4.anz.com

However if I use requests:

requests.get('https://banking4.anz.com')

I get:

SSLError: ("bad handshake: SysCallError(-1, 'Unexpected EOF')",)

On the wire, I see only the client hello and the server disconnects immediately, so it doesn't seem like any ssl or cipher incompatibility. (I'd expect an SSL-layer error for those) What else could be an issue in this case?

I'm on python 3.6.1 with requests 2.14.2 (with security extras).

Recommended answer

This server is broken in multiple ways.

For one, it only understands DES-CBC3-SHA, which is considered insecure and is not included in the default cipher set used by requests. Additionally, it looks like it only checks a limited number of the ciphers offered in the ClientHello and thus will not see that DES-CBC3-SHA is offered by the client if too many other offers come before that cipher.

A quick workaround for this broken server is to offer only the one cipher the server supports:

import requests

# Process-wide override of urllib3's cipher string: every HTTPS request made
# through requests in this interpreter will now offer only 3DES (DES-CBC3-SHA).
requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS = 'DES-CBC3-SHA'
requests.get('https://banking4.anz.com')

But note that this sets the default cipher list of requests to an insecure value, so this method should not be used if you want to connect to other sites within your application. Instead, have a look at this more complex solution of using your own HTTPAdapter with specific cipher settings for the broken site.
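
The per-site alternative the answer points to, written out as an added example (this is not code from the original question or answer): a requests HTTPAdapter that applies an explicit cipher string only to URLs under one mounted prefix, so the weak 3DES list never leaks to other hosts the way the process-wide DEFAULT_CIPHERS override does. The host name is the one from the question; the `available_ciphers` probe, the `CipherAdapter`/`make_session` names and the choice to mount with a trailing slash are this example's own assumptions, not part of requests or of the linked solution.

```python
import ssl

import requests
from requests.adapters import HTTPAdapter
from urllib3.util.ssl_ import create_urllib3_context


def available_ciphers(cipher_string):
    """Return the TLS<=1.2 cipher names the local OpenSSL enables for
    cipher_string, or [] if OpenSSL rejects the string outright.

    Worth checking before mounting an adapter: a 3DES-only string such as
    'DES-CBC3-SHA' may be compiled out of, or blocked by the security level
    of, the OpenSSL that Python was built against.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    # get_ciphers() also lists the TLS 1.3 suites, which set_ciphers() does
    # not govern; drop them so the result reflects the string given.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


class CipherAdapter(HTTPAdapter):
    """Transport adapter that pins an explicit OpenSSL cipher string.

    Only URLs under the prefix this adapter is mounted on are affected; every
    other host keeps the requests/urllib3 defaults.
    """

    def __init__(self, ciphers, **kwargs):
        self.ciphers = ciphers
        super().__init__(**kwargs)

    def _ssl_context(self):
        # create_urllib3_context() keeps urllib3's other defaults (certificate
        # verification, protocol options) and swaps only the cipher list.
        return create_urllib3_context(ciphers=self.ciphers)

    def init_poolmanager(self, *args, **kwargs):
        kwargs["ssl_context"] = self._ssl_context()
        return super().init_poolmanager(*args, **kwargs)

    def proxy_manager_for(self, *args, **kwargs):
        kwargs["ssl_context"] = self._ssl_context()
        return super().proxy_manager_for(*args, **kwargs)


def make_session(broken_prefix, ciphers):
    """Session whose special cipher list applies only to broken_prefix.

    requests picks the adapter with the longest matching mounted prefix, so
    the default 'https://' adapter still serves every other host. Mount with
    a trailing slash: a bare 'https://banking4.anz.com' prefix would also
    match 'https://banking4.anz.com.example/' by plain string comparison.
    """
    if not broken_prefix.endswith("/"):
        broken_prefix += "/"
    session = requests.Session()
    session.mount(broken_prefix, CipherAdapter(ciphers))
    return session


if __name__ == "__main__":
    legacy = "DES-CBC3-SHA"
    print("OpenSSL enables for %r: %s" % (legacy, available_ciphers(legacy)))
    try:
        session = make_session("https://banking4.anz.com/", legacy)
    except ssl.SSLError as exc:
        raise SystemExit("local OpenSSL refuses %s: %s" % (legacy, exc))
    # Only the mounted host is downgraded; everything else keeps the defaults.
    assert isinstance(session.get_adapter("https://banking4.anz.com/"), CipherAdapter)
    assert not isinstance(session.get_adapter("https://example.com/"), CipherAdapter)
    print(session.get("https://banking4.anz.com").status_code)
```

If `available_ciphers('DES-CBC3-SHA')` comes back empty, the local OpenSSL is refusing 3DES at its configured security level; OpenSSL's cipher-string syntax lets a single context lower that level with `'DES-CBC3-SHA:@SECLEVEL=0'`, which is far preferable to editing the system-wide openssl.cnf. If the server also predates TLS 1.2, urllib3 2.x additionally needs `ssl_minimum_version` lowered in the same `create_urllib3_context()` call, since it otherwise refuses TLS 1.0/1.1 by default.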
