使用 urllib2 的 SSLv3 警报握手失败 [英] SSLv3 alert handshake failure with urllib2

问题描述

我在 Python 2.7.10 下使用 urllib2 连接 https 时遇到问题.

I'm having troubles connecting with https using urllib2 under Python 2.7.10.

有什么我想念的吗?

Python 2.7.10 (default, Jun 18 2015, 10:53:24) 
[GCC 4.4.5] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl, urllib2
>>> ssl.HAS_SNI
True
>>> ssl.OPENSSL_VERSION
'OpenSSL 0.9.8o 01 Jun 2010'
>>> opener = urllib2.build_opener()
>>> opener.open('https://twitrss.me/')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/local/python2.7/lib/python2.7/urllib2.py", line 431, in open
    response = self._open(req, data)
  File "/usr/local/python2.7/lib/python2.7/urllib2.py", line 449, in _open
    '_open', req)
  File "/usr/local/python2.7/lib/python2.7/urllib2.py", line 409, in _call_chain
    result = func(*args)
  File "/usr/local/python2.7/lib/python2.7/urllib2.py", line 1240, in https_open
    context=self._context)
  File "/usr/local/python2.7/lib/python2.7/urllib2.py", line 1197, in do_open
    raise URLError(err)
urllib2.URLError: <urlopen error [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:590)>

推荐答案

我能够在 OS X 10.10.3 上复制您的问题，其库存 Python 是使用 OpenSSL 0.9.8zd 构建的 2.7.6.

I was able to duplicate your problem on OS X 10.10.3, whose stock Python is 2.7.6 built with OpenSSL 0.9.8zd.

问题在于 TLS 中缺少 服务器名称指示 (SNI) 扩展twitrss.me 网站显然需要握手:

The problem is the lack of the Server Name Indication (SNI) extension in the TLS handshake, which the twitrss.me site apparently requires:

服务器名称指示 (SNI) 是 TLS 计算机的扩展客户端指示它的主机名的网络协议正在尝试在握手过程开始时连接到.

Server Name Indication (SNI) is an extension to the TLS computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process.

我通过使用 OpenSSL 编写一个小型 C++ 程序并插入 OpenSSL 调用来验证这一点

I verified this by writing a small C++ program with OpenSSL, and inserting the OpenSSL call

SSL_set_tlsext_host_name(ssl, "twitrss.me");

允许连接成功，而忽略连接失败.我还查看了数据包转储，以验证在尝试使用 Python 连接时是否缺少 SNI.

allows a successful connection while omitting it fails. I also looked at packet dumps to verify that SNI was missing when attempting connection using Python.

Python SSL 模块显然 在 Python 3 中支持 SNI，但可能需要在 Python 2 中解决问题.PEP 0466 似乎包含 SNI 并登陆 Python 2.7.9，所以你应该拥有它，但我不知道 urllib2/urllib3 是否在没有解决方法的情况下利用它.

The Python SSL module apparently supports SNI in Python 3 but may require a workaround in Python 2. It appears that PEP 0466 includes SNI and landed in Python 2.7.9, so you should have it, but I don't know if urllib2/urllib3 take advantage of that without the workaround.

这篇关于使用 urllib2 的 SSLv3 警报握手失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！