SSL v3 握手失败(但仅限于较新版本的 OpenSSL) [英] SSL v3 Handshake Failure (but only in newer versions of OpenSSL)

问题描述

Python 3.5 中的这个基本片段，带有一个特定的网站，失败了 requests.exceptions.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:720)

导入请求requests.get("https://ssbp.mycampus.ca/prod_uoit/bwskfshd.P_CrseSchdDetl")

它在 Ubuntu 16.04 上运行良好，但在 Debian Stretch 上使用相同版本的所有 Python 依赖项的完全相同的脚本失败.

我已经尝试安装 requests[security] 并没有什么区别.我的安装之间唯一显着的区别是 Debian 具有 OpenSSL 1.1.0c 2016 年 11 月 10 日，而 Ubuntu 具有 OpenSSL 1.0.2g 2016 年 3 月 1 日.

一定是较新版本的 OpenSSL 以某种方式导致它失败.

使用的requests版本是2.11.1.

解决方案

服务器 仅支持一个旧密码:DES-CBC3-SHA.此密码被认为是弱密码 (SWEET32)，已从 OpenSSL 1.1.0 的默认版本中删除.由于 Debian 遵循默认构建，因此密码在较新的 Debian 版本上不可用.

来自 1.0.2h 和 1.1.0 之间的变化:><块引用>

为了缓解 SWEET32 攻击 (CVE-2016-2183)，3DES 密码套件已默认禁用并从 DEFAULT 中删除，就像 RC4 一样.请参阅下面的 RC4 项目以重新启用两者.
...
基于 RC4 的 libssl 密码套件现在被归类为弱"密码，并且是默认禁用.可以使用启用-weak-ssl-ciphers 选项以进行配置.

This basic snippet in Python 3.5, with a specific website, fails with requests.exceptions.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:720)

import requests
requests.get("https://ssbp.mycampus.ca/prod_uoit/bwskfshd.P_CrseSchdDetl")

It works perfectly fine on Ubuntu 16.04 , but the exact same script with the same versions of all its Python dependencies fails on Debian Stretch.

I've tried installing requests[security] and it makes no difference. The only notable difference between my installations is that Debian has OpenSSL 1.1.0c 10 Nov 2016 and Ubuntu has version OpenSSL 1.0.2g 1 Mar 2016.

Somehow the newer version of OpenSSL must be causing it to fail.

The version of requests used is 2.11.1.

解决方案

The server only supports a single old cipher: DES-CBC3-SHA. This cipher is considered weak (SWEET32) and is removed from the default build in OpenSSL 1.1.0. Since Debian follows the default build the cipher is not available on newer Debian versions.

From Changes between 1.0.2h and 1.1.0:

To mitigate the SWEET32 attack (CVE-2016-2183), 3DES cipher suites have been disabled by default and removed from DEFAULT, just like RC4. See the RC4 item below to re-enable both.
...
RC4 based libssl ciphersuites are now classed as "weak" ciphers and are disabled by default. They can be re-enabled using the enable-weak-ssl-ciphers option to Configure.

这篇关于SSL v3 握手失败(但仅限于较新版本的 OpenSSL)的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！