Reputation: 4062
I try to connect to a specific HTTPS server:
import socket
import ssl

socketHandler = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
socketWraped = ssl.wrap_socket(socketHandler)
socketWraped.connect(('certificatedetails.com', 443))
But Python says:
File "/usr/lib/python3.6/ssl.py", line 1109, in connect
self._real_connect(addr, False)
File "/usr/lib/python3.6/ssl.py", line 1100, in _real_connect
self.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 1077, in do_handshake
self._sslobj.do_handshake()
File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:852)
I try using TLS1:
socketWraped = ssl.wrap_socket(
    socketHandler,
    ssl_version=ssl.PROTOCOL_TLSv1,
    ciphers='ADH-AES256-SHA'
)
But it says:
ssl.SSLError: [SSL: NO_CIPHERS_AVAILABLE] no ciphers available (_ssl.c:852)
I have an upgraded SSL in Python and the operating system:
$ hostnamectl
Static hostname: machine
Icon name: computer-desktop
Chassis: desktop
Machine ID: ...
Boot ID: ...
Operating System: Ubuntu 18.04.2 LTS
Kernel: Linux 4.15.0-51-generic
Architecture: x86-64
$ openssl version
OpenSSL 1.1.1c 28 May 2019
$ python3 -c "import ssl; print(ssl.OPENSSL_VERSION)"
OpenSSL 1.1.1c 28 May 2019
From netcat I can connect without problems:
$ ncat --ssl -v certificatedetails.com 443
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: SSL connection to 104.28.6.163:443.
Ncat: SHA-1 fingerprint: 75B3 C6AD 7A72 62B5 7104 0632 0585 A82A F542 641B
What is the problem and how do I solve this?
Upvotes: 1
Views: 16931
Reputation: 165
To solve both SSLV3_ALERT_HANDSHAKE_FAILURE and NO_CIPHERS_AVAILABLE, the approach I recommend is:
a) Find the maximum protocol accepted by the server using s_client on a Linux box, for example:
openssl s_client -connect my_host:443 -tls1
(check man s_client for all possible protocols).
b) Once connected, note the cipher used by openssl:
New, SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
c) Create your sslcontext accordingly:
import ssl

sslcontext = ssl.SSLContext(ssl.PROTOCOL_TLSv1)
sslcontext.set_ciphers("AES256-SHA")
sslcontext.load_default_certs()
Works for all libraries (requests, aiohttp...)
Upvotes: 3
Reputation: 48572
From the documentation:
Since Python 3.2 and 2.7.9, it is recommended to use the SSLContext.wrap_socket() of an SSLContext instance to wrap sockets as SSLSocket objects. The helper functions create_default_context() returns a new context with secure default settings. The old wrap_socket() function is deprecated since it is both inefficient and has no support for server name indication (SNI) and hostname matching.
When I use SSLContext.wrap_socket() instead of the deprecated wrap_socket(), it works:
import socket
import ssl

socketHandler = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
socketWraped = ssl.create_default_context().wrap_socket(socketHandler, server_hostname='certificatedetails.com')
socketWraped.connect(('certificatedetails.com', 443))
Upvotes: 3
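The difference the last answer relies on can be checked without touching the network. This is an added example, not code from any of the posts: it captures the ClientHello a context would send through in-memory BIOs and looks for the server_name (SNI) extension. The helper names `client_hello` and `sni_from_client_hello` are hypothetical, and the no-hostname case only approximates what the deprecated `ssl.wrap_socket()` sends.

```python
import ssl

def client_hello(server_hostname=None):
    """Return the bytes a client context emits first (the ClientHello), with no network I/O."""
    ctx = ssl.create_default_context()
    if server_hostname is None:
        # Assumption: approximates the deprecated ssl.wrap_socket(), which passes no hostname.
        ctx.check_hostname = False
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is queued and nobody has answered yet
    return outgoing.read()

def sni_from_client_hello(data):
    """Return the host name in the server_name extension, or None if it is absent."""
    body, pos = b"", 0
    while pos + 5 <= len(data):  # reassemble handshake records (content type 0x16)
        rec_len = int.from_bytes(data[pos + 3:pos + 5], "big")
        if data[pos] == 0x16:
            body += data[pos + 5:pos + 5 + rec_len]
        pos += 5 + rec_len
    if not body or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32  # handshake header, legacy_version, random
    p += 1 + body[p]  # session_id
    p += 2 + int.from_bytes(body[p:p + 2], "big")  # cipher_suites
    p += 1 + body[p]  # compression_methods
    end = p + 2 + int.from_bytes(body[p:p + 2], "big")
    p += 2
    while p + 4 <= end:
        ext_type = int.from_bytes(body[p:p + 2], "big")
        ext_len = int.from_bytes(body[p + 2:p + 4], "big")
        if ext_type == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = int.from_bytes(body[p + 7:p + 9], "big")
            return body[p + 9:p + 9 + name_len].decode("ascii")
        p += 4 + ext_len
    return None

if __name__ == "__main__":
    for host in (None, "certificatedetails.com"):
        print(host, "->", sni_from_client_hello(client_hello(host)))
```

A server that hosts many names behind one address needs that extension to pick a certificate, and may answer a ClientHello without it with a handshake_failure alert.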