➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2011-02-16 04:15 by Ian.Wetherbee, last changed 2022-04-11 14:57 by admin. This issue is now closed.
| Messages (8) | |||
|---|---|---|---|
| msg128626 - (view) | Author: Ian Wetherbee (Ian.Wetherbee) | Date: 2011-02-16 04:15 | |
Certain https urls do not open using urllib2 (py2.6) and urllib(py3.1), but they open using the latest version of curl and firefox.
To reproduce:
>>> import urllib.request
>>> urllib.request.urlopen("https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse")
Traceback (most recent call last):
File "/usr/lib64/python3.1/urllib/request.py", line 1072, in do_open
h.request(req.get_method(), req.selector, req.data, headers)
File "/usr/lib64/python3.1/http/client.py", line 932, in request
self._send_request(method, url, body, headers)
File "/usr/lib64/python3.1/http/client.py", line 970, in _send_request
self.endheaders(body)
File "/usr/lib64/python3.1/http/client.py", line 928, in endheaders
self._send_output(message_body)
File "/usr/lib64/python3.1/http/client.py", line 782, in _send_output
self.send(msg)
File "/usr/lib64/python3.1/http/client.py", line 723, in send
self.connect()
File "/usr/lib64/python3.1/http/client.py", line 1055, in connect
self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file)
File "/usr/lib64/python3.1/ssl.py", line 381, in wrap_socket
suppress_ragged_eofs=suppress_ragged_eofs)
File "/usr/lib64/python3.1/ssl.py", line 135, in __init__
raise x
File "/usr/lib64/python3.1/ssl.py", line 131, in __init__
self.do_handshake()
File "/usr/lib64/python3.1/ssl.py", line 327, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [Errno 1] _ssl.c:488: error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib64/python3.1/urllib/request.py", line 121, in urlopen
return _opener.open(url, data, timeout)
File "/usr/lib64/python3.1/urllib/request.py", line 349, in open
response = self._open(req, data)
File "/usr/lib64/python3.1/urllib/request.py", line 367, in _open
'_open', req)
File "/usr/lib64/python3.1/urllib/request.py", line 327, in _call_chain
result = func(*args)
File "/usr/lib64/python3.1/urllib/request.py", line 1098, in https_open
return self.do_open(http.client.HTTPSConnection, req)
File "/usr/lib64/python3.1/urllib/request.py", line 1075, in do_open
raise URLError(err)
urllib.error.URLError: <urlopen error [Errno 1] _ssl.c:488: error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter>
Curl request:
$ curl https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="https://apps.uillinois.edu/selfservice/error/">here</A>.<P>
<HR>
<ADDRESS>Oracle-Application-Server-10g/10.1.2.3.0 Oracle-HTTP-Server Server at ui2web1a.admin.uillinois.edu Port 443</ADDRESS>
</BODY></HTML>
|
|||
| msg128632 - (view) | Author: Senthil Kumaran (orsenthil) *  |
Date: 2011-02-16 08:56 | |
curl (7.21.0) fails with the same error message too for the target website. (Is the server doing anything different. For other HTTPS sites (which also use redirection) urllib.request works fine ) senthil@ubuntu:~/python/py3k$ curl -v https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse * About to connect() to ui2web1.apps.uillinois.edu port 443 (#0) * Trying 64.22.183.24... connected * Connected to ui2web1.apps.uillinois.edu (64.22.183.24) port 443 (#0) * successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs * SSLv3, TLS handshake, Client hello (1): * error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter * Closing connection #0 curl: (35) error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter |
|||
| msg128633 - (view) | Author: Ian Wetherbee (Ian.Wetherbee) | Date: 2011-02-16 09:10 | |
The server seems to be sending a bad TLS handshake, so curl falls back on SSLv3 with TLS disabled. curl 7.20.1 (x86_64-redhat-linux-gnu) libcurl/7.20.1 NSS/3.12.8.0 zlib/1.2.3 libidn/1.16 libssh2/1.2.4 Protocols: dict file ftp ftps http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz curl -v https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse * About to connect() to ui2web1.apps.uillinois.edu port 443 (#0) * Trying 64.22.183.24... connected * Connected to ui2web1.apps.uillinois.edu (64.22.183.24) port 443 (#0) * Initializing NSS with certpath: /etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * NSS error -12226 * Error in TLS handshake, trying SSLv3... > GET /BANPROD1/bwskfcls.P_GetCrse HTTP/1.1 > User-Agent: curl/7.20.1 (x86_64-redhat-linux-gnu) libcurl/7.20.1 NSS/3.12.8.0 zlib/1.2.3 libidn/1.16 libssh2/1.2.4 > Host: ui2web1.apps.uillinois.edu > Accept: */* > * Connection died, retrying a fresh connect * Closing connection #0 * Issue another request to this URL: 'https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse' * About to connect() to ui2web1.apps.uillinois.edu port 443 (#0) * Trying 64.22.183.24... connected * Connected to ui2web1.apps.uillinois.edu (64.22.183.24) port 443 (#0) * TLS disabled due to previous handshake failure * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * SSL connection using SSL_RSA_WITH_RC4_128_MD5 * Server certificate: * subject: CN=ui2web1.apps.uillinois.edu,OU=AITS 20100517-25690,O=University of Illinois,L=Urbana,ST=Illinois,C=US * start date: May 17 00:00:00 2010 GMT * expire date: May 17 23:59:59 2011 GMT * common name: ui2web1.apps.uillinois.edu * issuer: E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA > GET /BANPROD1/bwskfcls.P_GetCrse HTTP/1.1 > User-Agent: curl/7.20.1 (x86_64-redhat-linux-gnu) libcurl/7.20.1 NSS/3.12.8.0 zlib/1.2.3 libidn/1.16 libssh2/1.2.4 > Host: ui2web1.apps.uillinois.edu > Accept: */* > < HTTP/1.1 302 Found < Date: Wed, 16 Feb 2011 07:49:43 GMT < Server: Oracle-Application-Server-10g/10.1.2.3.0 Oracle-HTTP-Server < Location: https://apps.uillinois.edu/selfservice/error/ < Connection: close < Transfer-Encoding: chunked < Content-Type: text/html; charset=iso-8859-1 < <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <HTML><HEAD> <TITLE>302 Found</TITLE> </HEAD><BODY> <H1>Found</H1> The document has moved <A HREF="https://apps.uillinois.edu/selfservice/error/">here</A>.<P> <HR> <ADDRESS>Oracle-Application-Server-10g/10.1.2.3.0 Oracle-HTTP-Server Server at ui2web1b.admin.uillinois.edu Port 443</ADDRESS> </BODY></HTML> * Closing connection #0 |
|||
| msg128635 - (view) | Author: Senthil Kumaran (orsenthil) * |
Date: 2011-02-16 09:47 | |
The problem is the server strictly accepts SSLv3 only and urllib and http.client send SSLv23 protocol.
(In http/client.py, line 1077)
if context is None:
# Some reasonable defaults
context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
context.options |= ssl.OP_NO_SSLv2
will_verify = context.verify_mode != ssl.CERT_NONE
However, in order to use only SSLv3, one can set the context to ssl.PROTOCOL_SSLv3 in the HTTPSHandler and use it.
import urllib.request
import ssl
https_sslv3_handler = urllib.request.HTTPSHandler(context=ssl.SSLContext(ssl.PROTOCOL_SSLv3))
opener = urllib.request.build_opener(https_sslv3_handler)
urllib.request.install_opener(opener)
urllib.request.urlopen('https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse')
|
|||
| msg128651 - (view) | Author: Antoine Pitrou (pitrou) * |
Date: 2011-02-16 11:02 | |
I get an error using the following curl too: curl 7.20.1 (x86_64-mandriva-linux-gnu) libcurl/7.20.1 OpenSSL/1.0.0a zlib/1.2.3 libidn/1.18 libssh2/1.2.5 Protocols: dict file ftp ftps http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz The same URL sends wget into a loop: $ LANG=C wget -v -O - https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse --2011-02-16 12:01:39-- https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse Resolving ui2web1.apps.uillinois.edu... 64.22.183.24 Connecting to ui2web1.apps.uillinois.edu|64.22.183.24|:443... connected. HTTP request sent, awaiting response... No data received. Retrying. --2011-02-16 12:01:40-- (try: 2) https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse Connecting to ui2web1.apps.uillinois.edu|64.22.183.24|:443... connected. HTTP request sent, awaiting response... No data received. Retrying. --2011-02-16 12:01:43-- (try: 3) https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse Connecting to ui2web1.apps.uillinois.edu|64.22.183.24|:443... connected. HTTP request sent, awaiting response... No data received. Retrying. IMO, this all points to the remote server being poorly compliant. Senthil's solution seems good enough here. |
|||
| msg128684 - (view) | Author: Ian Wetherbee (Ian.Wetherbee) | Date: 2011-02-16 17:52 | |
Any solution for 2.x? I'm using this with twisted. |
|||
| msg128686 - (view) | Author: Ian Wetherbee (Ian.Wetherbee) | Date: 2011-02-16 18:23 | |
This works for 2.x, I'm closing this issue:
# custom HTTPS opener, banner's oracle 10g server supports SSLv3 only
import httplib, ssl, urllib2, socket
class HTTPSConnectionV3(httplib.HTTPSConnection):
def __init__(self, *args, **kwargs):
httplib.HTTPSConnection.__init__(self, *args, **kwargs)
def connect(self):
sock = socket.create_connection((self.host, self.port), self.timeout)
if self._tunnel_host:
self.sock = sock
self._tunnel()
try:
self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv3)
except ssl.SSLError, e:
print("Trying SSLv3.")
self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23)
class HTTPSHandlerV3(urllib2.HTTPSHandler):
def https_open(self, req):
return self.do_open(HTTPSConnectionV3, req)
# install opener
urllib2.install_opener(urllib2.build_opener(HTTPSHandlerV3()))
if __name__ == "__main__":
r = urllib2.urlopen("https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse")
print(r.read())
|
|||
| msg256462 - (view) | Author: Hari Krishna Dara (haridsv) | Date: 2015-12-15 15:57 | |
Interesting... the posted Python code for 2.x didn't work for me on 2.6.9 on Mac OS X (10.10.5). The code in catch block further generates the below exception:
Traceback (most recent call last):
File "/tmp/t.py", line 17, in connect
self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23)
File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/ssl.py", line 338, in wrap_socket
suppress_ragged_eofs=suppress_ragged_eofs)
File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/ssl.py", line 120, in __init__
self.do_handshake()
File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/ssl.py", line 279, in do_handshake
self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:493: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Is there another workaround that is known to work with this version of Python?
|
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:57:12 | admin | set | github: 55429 |
| 2015-12-15 15:57:43 | haridsv | set | nosy:
+ haridsv messages: + msg256462 |
| 2013-09-20 11:27:02 | Arfrever | set | messages: - msg198140 |
| 2013-09-20 11:27:00 | Arfrever | set | messages: - msg198139 |
| 2013-09-20 11:25:43 | Arfrever | set | nosy:
- mrDoctorWho0.. title: Sometimes library raises URLError when trying POST with httpS -> https sslv3 error 14077417: illegal parameter versions: + Python 2.6, Python 3.1, - Python 2.7 |
| 2013-09-20 10:49:41 | mrDoctorWho0.. | set | files: - code.py |
| 2013-09-20 10:49:23 | mrDoctorWho0.. | set | messages: + msg198140 |
| 2013-09-20 10:48:10 | mrDoctorWho0.. | set | files:
+ code.py components: + Library (Lib), - None versions: + Python 2.7, - Python 2.6, Python 3.1 nosy: + mrDoctorWho0.. title: https sslv3 error 14077417: illegal parameter -> Sometimes library raises URLError when trying POST with httpS messages: + msg198139 |
| 2011-02-16 18:23:19 | Ian.Wetherbee | set | status: open -> closed messages: + msg128686 resolution: works for me nosy: orsenthil, pitrou, Ian.Wetherbee |
| 2011-02-16 17:52:46 | Ian.Wetherbee | set | status: pending -> open messages: + msg128684 resolution: rejected -> (no value) nosy: orsenthil, pitrou, Ian.Wetherbee |
| 2011-02-16 11:02:32 | pitrou | set | status: open -> pending messages: + msg128651 resolution: rejected nosy: orsenthil, pitrou, Ian.Wetherbee |
| 2011-02-16 09:47:48 | orsenthil | set | nosy:
orsenthil, pitrou, Ian.Wetherbee messages: + msg128635 |
| 2011-02-16 09:10:44 | Ian.Wetherbee | set | nosy:
orsenthil, pitrou, Ian.Wetherbee messages: + msg128633 |
| 2011-02-16 08:56:02 | orsenthil | set | nosy:
+ orsenthil messages: + msg128632 |
| 2011-02-16 06:49:46 | georg.brandl | set | nosy:
+ pitrou |
| 2011-02-16 04:15:42 | Ian.Wetherbee | create | |