使用 Python 请求访问 Shibboleth 认证服务器的 SSL 错误 [英] SSL error using Python Requests to access Shibboleth authenticated server

问题描述

我正在尝试使用 Python 脚本访问由学术服务提供商 (SP) 托管的期刊文章.

I'm trying to access a journal article hosted by an academic service provider (SP), using a Python script.

服务器使用 Shibboleth 登录进行身份验证.我阅读了 使用 python 登录 SAML/Shibboleth 认证服务器 和尝试使用 Python 请求实现登录.

The server authenticates using a Shibboleth login. I read Logging into SAML/Shibboleth authenticated server using python and tried to implement a login with Python Requests.

脚本首先向 SP 查询通向我的 IDP 机构的链接，然后应该自动向 IDP 进行身份验证.第一部分工作，但当跟踪到 IDP 的链接时，它会因 SSL 错误而窒息.这是我使用的:

The script starts by querying the SP for the link leading to my IDP institution, and is supposed then to authenticate automatically with the IDP. The first part works, but when following the link to the IDP, it chokes on an SSL error. Here is what I used:

import requests
import lxml.html

LOGINLINK = 'https://www.jsave.org/action/showLogin?redirectUri=%2F'
USERAGENT = 'Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0'

s = requests.session()
s.headers.update({'User-Agent' : USERAGENT})

# getting the page where you can search for your IDP
# need to get the cookies so we can continue
response = s.get(LOGINLINK)
rtext = response.text
print('Don\'t see your school?' in rtext) # prints True

# POSTing the name of my institution
data = {
    'institutionName' : 'tubingen',
    'submitForm' : 'Search',
    'currUrl' : '%2Faction%2FshowBasicSearch',
    'redirectUri' : '%2F',
    'activity' : 'isearch'
}
response = s.post(BASEURL + '/action/showLogin', data=data)
rtext = response.text
print('university of tubingen' in rtext) # prints True

# get the link that leads to the IDP
tree = lxml.html.fromstring(rtext)
loginlinks = tree.cssselect('a.extLogin')
if (loginlinks):
    loginlink = loginlinks[0].get('href')
else: 
    exit(1)

print('continuing to IDP')
response = s.get(loginlink)
rtext = response.text
print('zentrale Anmeldeseite' in rtext)

这产生:

continuing to IDP...

2014-04-04 10:04:06,010 - INFO - Starting new HTTPS connection (1): idp.uni-tuebingen.de
Traceback (most recent call last):

File "/usr/lib/python3.4/site-packages/requests/packages/urllib3/connectionpool.py", line 480, in urlopen
body=body, headers=headers)

File "/usr/lib/python3.4/site-packages/requests/packages/urllib3/connectionpool.py", line 285, in _make_request
conn.request(method, url, **httplib_request_kw)

File "/usr/lib/python3.4/http/client.py", line 1066, in request
self._send_request(method, url, body, headers)

File "/usr/lib/python3.4/http/client.py", line 1104, in _send_request
self.endheaders(body)

File "/usr/lib/python3.4/http/client.py", line 1062, in endheaders
self._send_output(message_body)

File "/usr/lib/python3.4/http/client.py", line 907, in _send_output
self.send(msg)

File "/usr/lib/python3.4/http/client.py", line 842, in send
self.connect()

File "/usr/lib/python3.4/site-packages/requests/packages/urllib3/connection.py", line 164, in connect
ssl_version=resolved_ssl_version)

File "/usr/lib/python3.4/site-packages/requests/packages/urllib3/util.py", line 639, in ssl_wrap_socket
return context.wrap_socket(sock, server_hostname=server_hostname)

File "/usr/lib/python3.4/ssl.py", line 344, in wrap_socket
_context=self)

File "/usr/lib/python3.4/ssl.py", line 540, in __init__
self.do_handshake()

File "/usr/lib/python3.4/ssl.py", line 767, in do_handshake
self._sslobj.do_handshake()

ssl.SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:598)


During handling of the above exception, another exception occurred:

Traceback (most recent call last):

File "/usr/lib/python3.4/site-packages/requests/adapters.py", line 330, in send
timeout=timeout

File "/usr/lib/python3.4/site-packages/requests/packages/urllib3/connectionpool.py", line 504, in urlopen
raise SSLError(e)

requests.packages.urllib3.exceptions.SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:598)


During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "./try.py", line 154, in <module>
response = s.get(loginlink)

File "/usr/lib/python3.4/site-packages/requests/sessions.py", line 395, in get
return self.request('GET', url, **kwargs)

File "/usr/lib/python3.4/site-packages/requests/sessions.py", line 383, in request
resp = self.send(prep, **send_kwargs)

File "/usr/lib/python3.4/site-packages/requests/sessions.py", line 486, in send
r = adapter.send(request, **kwargs)

File "/usr/lib/python3.4/site-packages/requests/adapters.py", line 385, in send
raise SSLError(e)

requests.exceptions.SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:598)

使用 s.get(loginlink, verify=False) 会产生完全相同的错误.简单地使用 urllib.request.urlopen(loginlink) 也是如此.

Using s.get(loginlink, verify=False) yields exactly the same error. Simply using urllib.request.urlopen(loginlink) does so, too.

另一方面，将链接打印并粘贴到 Firefox 中可以正常工作.

Printing and pasting the link into Firefox, on the other hand, works fine.

推荐答案

尝试使用 openssl s_client 后，似乎目标 idp.uni-tuebingen.de:443 仅支持 SSLv3 并且在任何更新的东西.通过强制 SSLv3 获得:

After trying with openssl s_client it looks like the destination idp.uni-tuebingen.de:443 is only support SSLv3 and misbehaving on anything newer. With forcing SSLv3 one gets:

$ openssl s_client -connect idp.uni-tuebingen.de:443 -ssl3
CONNECTED(00000003)
depth=3 C = DE, O = Deutsche Telekom AG, OU = T-TeleSec Trust Center, CN = Deutsche Telekom Root CA 2
...

但使用默认设置或强制使用 TLv1 (-tls1) 时，它只会返回警报:

But with default setup or forcing TLv1 (-tls1) it only returns an alert:

openssl s_client -connect idp.uni-tuebingen.de:443 
CONNECTED(00000003)
140493591938752:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:741:

因此您需要找到一种方法来强制此连接使用 SSLv3.我现在不熟悉 python，但也许 http://docs.python-requests.org/en/latest/user/advanced/ 章节示例:特定 SSL 版本"有帮助.

So you need to find a way to force SSLv3 for this connection. I'm not familiar with the python at this point but maybe http://docs.python-requests.org/en/latest/user/advanced/ chapter "Example: Specific SSL Version" helps.

以及为什么它适用于 firefox:如果与更安全版本的连接失败，浏览器通常会使用降级的 SSL 版本重试.例如.每个人都在尝试解决损坏的东西，因此损坏的东西的所有者无意修复它:(

And why it works with firefox: the browsers usually retry with a downgraded SSL version if the connects with the safer versions fail. E.g. everybody is trying to work around broken stuff so that the owner of the broken stuff has no intention to fix it :(

这篇关于使用 Python 请求访问 Shibboleth 认证服务器的 SSL 错误的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！