CODEWITHSUNDEEP
pythonpython-3.xsslpython-requests
doe
doe

Reputation: 57

Python requests gets TLSV1_ALERT_INTERNAL_ERROR

I am trying to connect to a website with requests that requires using a client certificate.

import requests
r = requests.get(url, cert='path to cert')
print(r.status_code)

This works for one site that uses the same client cert. That server is using TLS_RSA_WITH_AES_128_CBC_SHA, TLS 1.0. However my target site uses TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS 1.1. So basically the difference is TLS 1 works and TLS 1.1 doesn't. Everything works fine in browser so it must have something to do with Python's SSL.

I am using requests version 2.7.0 and I have requests[security] installed as well. pip freeze:

cffi==0.9.2
cryptography==0.8.1
ndg-httpsclient==0.3.3
pyasn1==0.1.7
pycparser==2.10
pyOpenSSL==0.15.1
requests==2.7.0
six==1.9.0

The specific error I am getting is requests.exceptions.SSLError: [SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:600). This is on Windows 7 with Python 3.4.3. Unfortunately this is on an internal machine so I am stuck with Windows and our internal mirror of PyPi does not have the latest versions of everything. It seems to me like this has something to do with ssl failing and not necessarily requests.

Google does not give back promising results. There is this StackOverflow post that describes the same problem, but the solution provided (using a custom adapter) does not work for me.

Hopefully someone else has run into this before and can give me some tips on how to fix it. Please and thanks.

EDIT: I did a wireshark capture of the interaction. The SSL alert sent back is "Level: Fatal (2) Description: Internal Error (80)". After the TCP connection start, my machine sends a client hello.

Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 512

Then the handshake protocol segment of that packet is

Handshake Type: Client Hello (1)
Length: 508
Version: TLS 1.2 (0x0301)

followed by a list of the supported cipher suites, etc. I looked in the list of cipher suites sent by my client and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA is listed. The server ACKs this message then sends the Alert packet.

Upvotes: 4

Views: 9473

Answers (3)

Adán Escobar
Adán Escobar

Reputation: 4573

For me, request.request('GET'... instead of request.get(... works.

Upvotes: 1

drewango
drewango

Reputation: 47

And I got rid of the above SSLError by removing almost all the first entry:

requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS = 'RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:!aNULL:!eNULL:!MD5'

Upvotes: -1

truhanen
truhanen

Reputation: 663

I got rid of an identical SSLError by removing the first entry ECDH+AESGCM from requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS, with which the server seemed to have problems. The line

requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS = 'DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+HIGH:DH+HIGH:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+HIGH:RSA+3DES:!aNULL:!eNULL:!MD5'

solved the problem for me.

Upvotes: 2

Related Questions