Issue11220
Created on 2011-02-16 04:15 by Ian.Wetherbee, last changed 2011-02-16 18:23 by Ian.Wetherbee. This issue is now closed.
| Messages (7) | |||
|---|---|---|---|
| msg128626 - (view) | Author: Ian Wetherbee (Ian.Wetherbee) | Date: 2011-02-16 04:15 | |
Certain HTTPS URLs do not open using urllib2 (py2.6) and urllib (py3.1), but they open using the latest version of curl and Firefox.
To reproduce:
>>> import urllib.request
>>> urllib.request.urlopen("https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse")
Traceback (most recent call last):
  File "/usr/lib64/python3.1/urllib/request.py", line 1072, in do_open
    h.request(req.get_method(), req.selector, req.data, headers)
  File "/usr/lib64/python3.1/http/client.py", line 932, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python3.1/http/client.py", line 970, in _send_request
    self.endheaders(body)
  File "/usr/lib64/python3.1/http/client.py", line 928, in endheaders
    self._send_output(message_body)
  File "/usr/lib64/python3.1/http/client.py", line 782, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.1/http/client.py", line 723, in send
    self.connect()
  File "/usr/lib64/python3.1/http/client.py", line 1055, in connect
    self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file)
  File "/usr/lib64/python3.1/ssl.py", line 381, in wrap_socket
    suppress_ragged_eofs=suppress_ragged_eofs)
  File "/usr/lib64/python3.1/ssl.py", line 135, in __init__
    raise x
  File "/usr/lib64/python3.1/ssl.py", line 131, in __init__
    self.do_handshake()
  File "/usr/lib64/python3.1/ssl.py", line 327, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [Errno 1] _ssl.c:488: error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.1/urllib/request.py", line 121, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib64/python3.1/urllib/request.py", line 349, in open
    response = self._open(req, data)
  File "/usr/lib64/python3.1/urllib/request.py", line 367, in _open
    '_open', req)
  File "/usr/lib64/python3.1/urllib/request.py", line 327, in _call_chain
    result = func(*args)
  File "/usr/lib64/python3.1/urllib/request.py", line 1098, in https_open
    return self.do_open(http.client.HTTPSConnection, req)
  File "/usr/lib64/python3.1/urllib/request.py", line 1075, in do_open
    raise URLError(err)
urllib.error.URLError: <urlopen error [Errno 1] _ssl.c:488: error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter>
Curl request:
$ curl https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="https://apps.uillinois.edu/selfservice/error/">here</A>.<P>
<HR>
<ADDRESS>Oracle-Application-Server-10g/10.1.2.3.0 Oracle-HTTP-Server Server at ui2web1a.admin.uillinois.edu Port 443</ADDRESS>
</BODY></HTML>
|
|||
| msg128632 - (view) | Author: Senthil Kumaran (orsenthil) | Date: 2011-02-16 08:56 | |
curl (7.21.0) fails with the same error message too for the target website. (Is the server doing anything different? For other HTTPS sites (which also use redirection) urllib.request works fine.)
senthil@ubuntu:~/python/py3k$ curl -v https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse
* About to connect() to ui2web1.apps.uillinois.edu port 443 (#0)
* Trying 64.22.183.24... connected
* Connected to ui2web1.apps.uillinois.edu (64.22.183.24) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter
* Closing connection #0
curl: (35) error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter
|
|||
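The hex code in the error reported by both Python and curl above can be unpacked to tell whether the failure came from the remote end or from the local library. This is an added example, not part of the original thread; it assumes the OpenSSL 1.0.x error layout, the alert table is a subset of RFC 5246, and the second sample string is a well-known OpenSSL error that does not appear on this page.

```python
import re

# Layout of the 8-hex-digit codes printed by OpenSSL 1.0.x (as on this page):
# 8-bit library, 12-bit function, 12-bit reason.
ERR_LIB_SSL = 20              # 0x14, "SSL routines"
SSL_AD_REASON_OFFSET = 1000   # SSL reasons >= 1000 are alert number + 1000

# Alert descriptions from RFC 5246 section 7.2 (subset for handshake triage).
TLS_ALERTS = {
    10: "unexpected_message", 20: "bad_record_mac", 40: "handshake_failure",
    42: "bad_certificate", 47: "illegal_parameter", 48: "unknown_ca",
    50: "decode_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error",
}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^\n>]*)")


def decode_openssl_error(text):
    """Return the unpacked fields of the first OpenSSL error in text, or None."""
    m = ERR_RE.search(text)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {
        "lib": lib, "func": func, "reason": reason,
        "routine": m.group(3), "text": m.group(4).strip(),
        "alert": alert,
        "alert_name": TLS_ALERTS.get(alert) if alert is not None else None,
        # A peer alert means the remote end rejected our hello; anything else
        # was raised by the local library (for example a failed verification).
        "origin": "peer" if alert is not None else "local",
    }

# The URLError text from the first message of this issue.
PAGE_ERROR = ("<urlopen error [Errno 1] _ssl.c:488: error:14077417:SSL routines:"
              "SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter>")
# Contrast sample, not from this page: OpenSSL 1.0.x verification failure.
LOCAL_ERROR = ("error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:"
               "certificate verify failed")

if __name__ == "__main__":
    for sample in (PAGE_ERROR, LOCAL_ERROR):
        print(decode_openssl_error(sample))
```

For the error on this page the reason field is 1047, that is alert 47 (illegal_parameter) sent by the server in response to the client hello.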
| msg128633 - (view) | Author: Ian Wetherbee (Ian.Wetherbee) | Date: 2011-02-16 09:10 | |
The server seems to be sending a bad TLS handshake, so curl falls back on SSLv3 with TLS disabled.
curl 7.20.1 (x86_64-redhat-linux-gnu) libcurl/7.20.1 NSS/3.12.8.0 zlib/1.2.3 libidn/1.16 libssh2/1.2.4
Protocols: dict file ftp ftps http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
curl -v https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse
* About to connect() to ui2web1.apps.uillinois.edu port 443 (#0)
* Trying 64.22.183.24... connected
* Connected to ui2web1.apps.uillinois.edu (64.22.183.24) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
* NSS error -12226
* Error in TLS handshake, trying SSLv3...
> GET /BANPROD1/bwskfcls.P_GetCrse HTTP/1.1
> User-Agent: curl/7.20.1 (x86_64-redhat-linux-gnu) libcurl/7.20.1 NSS/3.12.8.0 zlib/1.2.3 libidn/1.16 libssh2/1.2.4
> Host: ui2web1.apps.uillinois.edu
> Accept: */*
>
* Connection died, retrying a fresh connect
* Closing connection #0
* Issue another request to this URL: 'https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse'
* About to connect() to ui2web1.apps.uillinois.edu port 443 (#0)
* Trying 64.22.183.24... connected
* Connected to ui2web1.apps.uillinois.edu (64.22.183.24) port 443 (#0)
* TLS disabled due to previous handshake failure
* CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
* SSL connection using SSL_RSA_WITH_RC4_128_MD5
* Server certificate:
* subject: CN=ui2web1.apps.uillinois.edu,OU=AITS 20100517-25690,O=University of Illinois,L=Urbana,ST=Illinois,C=US
* start date: May 17 00:00:00 2010 GMT
* expire date: May 17 23:59:59 2011 GMT
* common name: ui2web1.apps.uillinois.edu
* issuer: E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
> GET /BANPROD1/bwskfcls.P_GetCrse HTTP/1.1
> User-Agent: curl/7.20.1 (x86_64-redhat-linux-gnu) libcurl/7.20.1 NSS/3.12.8.0 zlib/1.2.3 libidn/1.16 libssh2/1.2.4
> Host: ui2web1.apps.uillinois.edu
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 16 Feb 2011 07:49:43 GMT
< Server: Oracle-Application-Server-10g/10.1.2.3.0 Oracle-HTTP-Server
< Location: https://apps.uillinois.edu/selfservice/error/
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="https://apps.uillinois.edu/selfservice/error/">here</A>.<P>
<HR>
<ADDRESS>Oracle-Application-Server-10g/10.1.2.3.0 Oracle-HTTP-Server Server at ui2web1b.admin.uillinois.edu Port 443</ADDRESS>
</BODY></HTML>
* Closing connection #0
|
|||
| msg128635 - (view) | Author: Senthil Kumaran (orsenthil) | Date: 2011-02-16 09:47 | |
The problem is the server strictly accepts SSLv3 only and urllib and http.client send SSLv23 protocol.
(In http/client.py, line 1077)
            if context is None:
                # Some reasonable defaults
                context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
                context.options |= ssl.OP_NO_SSLv2
            will_verify = context.verify_mode != ssl.CERT_NONE
However, in order to use only SSLv3, one can set the context to ssl.PROTOCOL_SSLv3 in the HTTPSHandler and use it.
import urllib.request
import ssl
https_sslv3_handler = urllib.request.HTTPSHandler(context=ssl.SSLContext(ssl.PROTOCOL_SSLv3))
opener = urllib.request.build_opener(https_sslv3_handler)
urllib.request.install_opener(opener)
urllib.request.urlopen('https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse')
|
|||
| msg128651 - (view) | Author: Antoine Pitrou (pitrou) | Date: 2011-02-16 11:02 | |
I get an error using the following curl too:
curl 7.20.1 (x86_64-mandriva-linux-gnu) libcurl/7.20.1 OpenSSL/1.0.0a zlib/1.2.3 libidn/1.18 libssh2/1.2.5
Protocols: dict file ftp ftps http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
The same URL sends wget into a loop:
$ LANG=C wget -v -O - https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse
--2011-02-16 12:01:39-- https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse
Resolving ui2web1.apps.uillinois.edu... 64.22.183.24
Connecting to ui2web1.apps.uillinois.edu|64.22.183.24|:443... connected.
HTTP request sent, awaiting response... No data received.
Retrying.
--2011-02-16 12:01:40-- (try: 2) https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse
Connecting to ui2web1.apps.uillinois.edu|64.22.183.24|:443... connected.
HTTP request sent, awaiting response... No data received.
Retrying.
--2011-02-16 12:01:43-- (try: 3) https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse
Connecting to ui2web1.apps.uillinois.edu|64.22.183.24|:443... connected.
HTTP request sent, awaiting response... No data received.
Retrying.
IMO, this all points to the remote server being poorly compliant. Senthil's solution seems good enough here.
|
|||
| msg128684 - (view) | Author: Ian Wetherbee (Ian.Wetherbee) | Date: 2011-02-16 17:52 | |
Any solution for 2.x? I'm using this with twisted. |
|||
| msg128686 - (view) | Author: Ian Wetherbee (Ian.Wetherbee) | Date: 2011-02-16 18:23 | |
This works for 2.x, I'm closing this issue:
# custom HTTPS opener, banner's oracle 10g server supports SSLv3 only
import httplib, ssl, urllib2, socket

class HTTPSConnectionV3(httplib.HTTPSConnection):
    def __init__(self, *args, **kwargs):
        httplib.HTTPSConnection.__init__(self, *args, **kwargs)

    def connect(self):
        sock = socket.create_connection((self.host, self.port), self.timeout)
        if self._tunnel_host:
            self.sock = sock
            self._tunnel()
        try:
            # first attempt: force an SSLv3-only handshake
            self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv3)
        except ssl.SSLError, e:
            # SSLv3 failed: fall back to the default SSLv23 hello
            print("SSLv3 failed, trying SSLv23.")
            self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23)

class HTTPSHandlerV3(urllib2.HTTPSHandler):
    def https_open(self, req):
        # route every https:// request through the SSLv3-first connection class
        return self.do_open(HTTPSConnectionV3, req)

# install opener (process-wide: affects every later urllib2.urlopen call)
urllib2.install_opener(urllib2.build_opener(HTTPSHandlerV3()))

if __name__ == "__main__":
    r = urllib2.urlopen("https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse")
    print(r.read())
|
|||
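Both workarounds in this thread (msg128635 and msg128686) call install_opener(), which changes the protocol for every HTTPS request in the process, and neither context verifies certificates. The following added example, not code from the thread or from CPython, shows the same pinning idea scoped to one host with verification left on; LEGACY_HOST, build_pinned_context and PinnedOpener are hypothetical names, and TLS 1.2 stands in for whichever single version the server accepts.

```python
import ssl
import urllib.request
from urllib.parse import urlsplit

# Hypothetical host and version for illustration; TLS 1.2 stands in for the
# single version a version-intolerant server accepts.
LEGACY_HOST = "legacy.example.org"
PINNED_VERSION = ssl.TLSVersion.TLSv1_2


def build_pinned_context(version=PINNED_VERSION):
    """Pin one protocol version but keep certificate and hostname checks."""
    ctx = ssl.create_default_context()      # CERT_REQUIRED + check_hostname
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


class PinnedOpener:
    """Opener that applies the version pin to one allowlisted host only."""

    def __init__(self, host=LEGACY_HOST, version=PINNED_VERSION):
        self.host = host.lower()
        self.context = build_pinned_context(version)
        handler = urllib.request.HTTPSHandler(context=self.context)
        # build_opener() returns a private opener; install_opener() is not
        # called, so urllib.request.urlopen() elsewhere keeps its defaults.
        self._opener = urllib.request.build_opener(handler)

    def open(self, url, timeout=10):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https" or host != self.host:
            raise ValueError("pinned opener refuses %r" % url)
        return self._opener.open(url, timeout=timeout)
```

The host check covers only the initial URL: a redirect to another host, such as the 302 this server returns, is followed by the same opener and therefore under the same pinned context.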
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2011-02-16 18:23:19 | Ian.Wetherbee | set | status: open -> closed messages: + msg128686 resolution: works for me nosy: orsenthil, pitrou, Ian.Wetherbee |
| 2011-02-16 17:52:46 | Ian.Wetherbee | set | status: pending -> open messages: + msg128684 resolution: rejected -> (no value) nosy: orsenthil, pitrou, Ian.Wetherbee |
| 2011-02-16 11:02:32 | pitrou | set | status: open -> pending messages: + msg128651 resolution: rejected nosy: orsenthil, pitrou, Ian.Wetherbee |
| 2011-02-16 09:47:48 | orsenthil | set | nosy: orsenthil, pitrou, Ian.Wetherbee messages: + msg128635 |
| 2011-02-16 09:10:44 | Ian.Wetherbee | set | nosy: orsenthil, pitrou, Ian.Wetherbee messages: + msg128633 |
| 2011-02-16 08:56:02 | orsenthil | set | nosy: + orsenthil messages: + msg128632 |
| 2011-02-16 06:49:46 | georg.brandl | set | nosy: + pitrou |
| 2011-02-16 04:15:42 | Ian.Wetherbee | create | |
