Search code examples
python-requestspython-requests-html

Requests ignoring setting OP_NO_SSLv3

i'm trying to get a domain on a private server, but requests get continuously fails with sslv3 alert handshake failure.

I have configured the session to ignore sslv3 according to the blog post here https://lukasa.co.uk/2017/02/Configuring_TLS_With_Requests/ but it continues using it as statet in the exception message.

Any ideas what i am making wrong here?

Heres my minimal script:

import ssl
import requests
from requests.adapters import HTTPAdapter
from requests.packages.urllib3.util.ssl_ import create_urllib3_context

CIPHERS = (
    'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:'
    'DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:!aNULL:'
    '!eNULL:!MD5'
)

class DESAdapter(HTTPAdapter):
    """
    A TransportAdapter that re-enables 3DES support in Requests.
    """
    def create_ssl_context(self):
        ctx = ssl.create_default_context()
        # opt out the SSLv3
        ctx.options |= ssl.OP_NO_SSLv3
        ctx.set_ciphers( CIPHERS )
        return ctx

    def init_poolmanager(self, *args, **kwargs):
        kwargs['ssl_context'] = self.create_ssl_context()
        return super(DESAdapter, self).init_poolmanager(*args, **kwargs)

    def proxy_manager_for(self, *args, **kwargs):
        kwargs['ssl_context'] = self.create_ssl_context()
        return super(DESAdapter, self).proxy_manager_for(*args, **kwargs)

s = requests.Session()
s.mount('https://my-broken-intranet-domain.net:4942', DESAdapter())

# This will throw the error:
r = s.get('https://my-broken-intranet-domain.net:4942')

Exception has occurred: requests.exceptions.SSLError HTTPSConnectionPool(host='my-broken-intranet-domain.net', port=4942): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:1056)')))

With Curl, the request goes trough and the negotiated CIPHER and TLS are:

curl -v https://my-broken-intranet-domain.net:4942

...
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / DES-CBC3-SHA
* ALPN, server did not agree to a protocol
Versions:
Python 3.7.2

requests Version: 2.21.0
urllib3 Version: 1.24.1
OpenSSL 1.1.0j

Thanks for the help!

Solution

  • Related to Python 3.7.2.

    Closing this, as it is not present with 3.6.8