Python - requests.exceptions.SSLError - dh 键太小 [英] Python - requests.exceptions.SSLError - dh key too small
问题描述
我正在使用 Python 和请求抓取一些内部页面.我已关闭 SSL 验证和警告.
I'm scraping some internal pages using Python and requests. I've turned off SSL verifications and warnings.
requests.packages.urllib3.disable_warnings()
page = requests.get(url, verify=False)
在某些服务器上,我收到无法通过的 SSL 错误.
On certain servers I receive an SSL error I can't get past.
Traceback (most recent call last):
File "scraper.py", line 6, in <module>
page = requests.get(url, verify=False)
File "/cygdrive/c/Users/jfeocco/VirtualEnv/scraping/lib/python3.4/site-packages/requests/api.py", line 71, in get
return request('get', url, params=params, **kwargs)
File "/cygdrive/c/Users/jfeocco/VirtualEnv/scraping/lib/python3.4/site-packages/requests/api.py", line 57, in request
return session.request(method=method, url=url, **kwargs)
File "/cygdrive/c/Users/jfeocco/VirtualEnv/scraping/lib/python3.4/site-packages/requests/sessions.py", line 475, in request
resp = self.send(prep, **send_kwargs)
File "/cygdrive/c/Users/jfeocco/VirtualEnv/scraping/lib/python3.4/site-packages/requests/sessions.py", line 585, in send
r = adapter.send(request, **kwargs)
File "/cygdrive/c/Users/jfeocco/VirtualEnv/scraping/lib/python3.4/site-packages/requests/adapters.py", line 477, in send
raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: SSL_NEGATIVE_LENGTH] dh key too small (_ssl.c:600)
在 Windows 和 OSX 中,Cygwin 内外都会发生这种情况.我的研究暗示服务器上存在过时的 OpenSSL.我正在理想地寻找修复客户端.
This happens both in/out of Cygwin, in Windows and OSX. My research hinted at outdated OpenSSL on the server. I'm looking for a fix client side ideally.
我能够通过使用密码集来解决这个问题
I was able to resolve this by using a cipher set
import requests
requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += 'HIGH:!DH:!aNULL'
try:
requests.packages.urllib3.contrib.pyopenssl.DEFAULT_SSL_CIPHER_LIST += 'HIGH:!DH:!aNULL'
except AttributeError:
# no pyopenssl support used / needed / available
pass
page = requests.get(url, verify=False)
推荐答案
禁用警告或证书验证无济于事.潜在的问题是服务器使用的弱 DH 密钥可能会在 Logjam Attack 中被滥用.
Disabling warnings or certificate validation will not help. The underlying problem is a weak DH key used by the server which can be misused in the Logjam Attack.
要解决此问题,您需要选择一种不使用 Diffie Hellman 密钥交换的密码,因此不受弱 DH 密钥的影响.并且这个密码必须得到服务器的支持.不知道服务器支持什么,但您可以尝试使用密码 AES128-SHA 或 HIGH:!DH:!aNULL
To work around this you need to chose a cipher which does not make any use of Diffie Hellman Key Exchange and thus is not affected by the weak DH key. And this cipher must be supported by the server. It is unknown what the server supports but you might try with the cipher AES128-SHA or a cipher set of HIGH:!DH:!aNULL
将请求与您自己的密码集一起使用很棘手.请参阅为什么 Python 请求忽略验证参数?示例.
Using requests with your own cipher set is tricky. See Why does Python requests ignore the verify parameter? for an example.
这篇关于Python - requests.exceptions.SSLError - dh 键太小的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
