Certain https urls do not open using urllib2 (py2.6) and urllib(py3.1), but they open using the latest version of curl and firefox.
To reproduce:
>>> import urllib.request
>>> urllib.request.urlopen("https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse")
Traceback (most recent call last):
File "/usr/lib64/python3.1/urllib/request.py", line 1072, in do_open
h.request(req.get_method(), req.selector, req.data, headers)
File "/usr/lib64/python3.1/http/client.py", line 932, in request
self._send_request(method, url, body, headers)
File "/usr/lib64/python3.1/http/client.py", line 970, in _send_request
self.endheaders(body)
File "/usr/lib64/python3.1/http/client.py", line 928, in endheaders
self._send_output(message_body)
File "/usr/lib64/python3.1/http/client.py", line 782, in _send_output
self.send(msg)
File "/usr/lib64/python3.1/http/client.py", line 723, in send
self.connect()
File "/usr/lib64/python3.1/http/client.py", line 1055, in connect
self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file)
File "/usr/lib64/python3.1/ssl.py", line 381, in wrap_socket
suppress_ragged_eofs=suppress_ragged_eofs)
File "/usr/lib64/python3.1/ssl.py", line 135, in __init__
raise x
File "/usr/lib64/python3.1/ssl.py", line 131, in __init__
self.do_handshake()
File "/usr/lib64/python3.1/ssl.py", line 327, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [Errno 1] _ssl.c:488: error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib64/python3.1/urllib/request.py", line 121, in urlopen
return _opener.open(url, data, timeout)
File "/usr/lib64/python3.1/urllib/request.py", line 349, in open
response = self._open(req, data)
File "/usr/lib64/python3.1/urllib/request.py", line 367, in _open
'_open', req)
File "/usr/lib64/python3.1/urllib/request.py", line 327, in _call_chain
result = func(*args)
File "/usr/lib64/python3.1/urllib/request.py", line 1098, in https_open
return self.do_open(http.client.HTTPSConnection, req)
File "/usr/lib64/python3.1/urllib/request.py", line 1075, in do_open
raise URLError(err)
urllib.error.URLError: <urlopen error [Errno 1] _ssl.c:488: error:14077417:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert illegal parameter>
Curl request:
$ curl https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="https://apps.uillinois.edu/selfservice/error/">here</A>.<P>
<HR>
<ADDRESS>Oracle-Application-Server-10g/10.1.2.3.0 Oracle-HTTP-Server Server at ui2web1a.admin.uillinois.edu Port 443</ADDRESS>
</BODY></HTML>
|
The server seems to be sending a bad TLS handshake, so curl falls back on SSLv3 with TLS disabled.
curl 7.20.1 (x86_64-redhat-linux-gnu) libcurl/7.20.1 NSS/3.12.8.0 zlib/1.2.3 libidn/1.16 libssh2/1.2.4
Protocols: dict file ftp ftps http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
curl -v https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse
* About to connect() to ui2web1.apps.uillinois.edu port 443 (#0)
* Trying 64.22.183.24... connected
* Connected to ui2web1.apps.uillinois.edu (64.22.183.24) port 443 (#0)
* Initializing NSS with certpath: /etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* NSS error -12226
* Error in TLS handshake, trying SSLv3...
> GET /BANPROD1/bwskfcls.P_GetCrse HTTP/1.1
> User-Agent: curl/7.20.1 (x86_64-redhat-linux-gnu) libcurl/7.20.1 NSS/3.12.8.0 zlib/1.2.3 libidn/1.16 libssh2/1.2.4
> Host: ui2web1.apps.uillinois.edu
> Accept: */*
>
* Connection died, retrying a fresh connect
* Closing connection #0
* Issue another request to this URL: 'https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse'
* About to connect() to ui2web1.apps.uillinois.edu port 443 (#0)
* Trying 64.22.183.24... connected
* Connected to ui2web1.apps.uillinois.edu (64.22.183.24) port 443 (#0)
* TLS disabled due to previous handshake failure
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using SSL_RSA_WITH_RC4_128_MD5
* Server certificate:
* subject: CN=ui2web1.apps.uillinois.edu,OU=AITS 20100517-25690,O=University of Illinois,L=Urbana,ST=Illinois,C=US
* start date: May 17 00:00:00 2010 GMT
* expire date: May 17 23:59:59 2011 GMT
* common name: ui2web1.apps.uillinois.edu
* issuer: E=premium-server@thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
> GET /BANPROD1/bwskfcls.P_GetCrse HTTP/1.1
> User-Agent: curl/7.20.1 (x86_64-redhat-linux-gnu) libcurl/7.20.1 NSS/3.12.8.0 zlib/1.2.3 libidn/1.16 libssh2/1.2.4
> Host: ui2web1.apps.uillinois.edu
> Accept: */*
>
< HTTP/1.1 302 Found
< Date: Wed, 16 Feb 2011 07:49:43 GMT
< Server: Oracle-Application-Server-10g/10.1.2.3.0 Oracle-HTTP-Server
< Location: https://apps.uillinois.edu/selfservice/error/
< Connection: close
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="https://apps.uillinois.edu/selfservice/error/">here</A>.<P>
<HR>
<ADDRESS>Oracle-Application-Server-10g/10.1.2.3.0 Oracle-HTTP-Server Server at ui2web1b.admin.uillinois.edu Port 443</ADDRESS>
</BODY></HTML>
* Closing connection #0
|
This works for 2.x, I'm closing this issue:
# custom HTTPS opener, banner's oracle 10g server supports SSLv3 only
import httplib, ssl, urllib2, socket
class HTTPSConnectionV3(httplib.HTTPSConnection):
def __init__(self, *args, **kwargs):
httplib.HTTPSConnection.__init__(self, *args, **kwargs)
def connect(self):
sock = socket.create_connection((self.host, self.port), self.timeout)
if self._tunnel_host:
self.sock = sock
self._tunnel()
try:
self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv3)
except ssl.SSLError, e:
print("Trying SSLv3.")
self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23)
class HTTPSHandlerV3(urllib2.HTTPSHandler):
def https_open(self, req):
return self.do_open(HTTPSConnectionV3, req)
# install opener
urllib2.install_opener(urllib2.build_opener(HTTPSHandlerV3()))
if __name__ == "__main__":
r = urllib2.urlopen("https://ui2web1.apps.uillinois.edu/BANPROD1/bwskfcls.P_GetCrse")
print(r.read())
|
Interesting... the posted Python code for 2.x didn't work for me on 2.6.9 on Mac OS X (10.10.5). The code in catch block further generates the below exception:
Traceback (most recent call last):
File "/tmp/t.py", line 17, in connect
self.sock = ssl.wrap_socket(sock, self.key_file, self.cert_file, ssl_version=ssl.PROTOCOL_SSLv23)
File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/ssl.py", line 338, in wrap_socket
suppress_ragged_eofs=suppress_ragged_eofs)
File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/ssl.py", line 120, in __init__
self.do_handshake()
File "/System/Library/Frameworks/Python.framework/Versions/2.6/lib/python2.6/ssl.py", line 279, in do_handshake
self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:493: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Is there another workaround that is known to work with this version of Python?
|