
Classification
Title: test_ssl handshake failure
Type: (none)  Stage: (none)
Components: (none)  Versions: Python 2.7
Process
Status: closed  Resolution: duplicate
Dependencies: (none)  Superseder: #20896, test_ssl.test_get_server_certificate() should use PROTOCOL_SSLv23, not PROTOCOL_SSLv3
Assigned To: (none)  Nosy List: benjamin.peterson, ddvento@ucar.edu, pitrou
Priority: normal  Keywords: (none)

Created on 2014-04-15 20:22 by ddvento@ucar.edu, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (6)
msg216380 - Author: (ddvento@ucar.edu) Date: 2014-04-15 20:22
Not sure if this is related to issue #13626, which is the only thing that Google knows about these handshake failures. In case it matters:

$ openssl version
OpenSSL 1.0.1f 6 Jan 2014

== CPython 2.7.6 (default, Apr 14 2014, 15:12:21) [GCC 4.8.2]
==   Linux-2.6.32-358.el6.x86_64-x86_64-with-redhat-6.4-Santiago little-endian
==   /glade/scratch/ddvento/build/Python-2.7.6/build/test_python_18521
Testing with flags: sys.flags(debug=0, py3k_warning=0, division_warning=0, division_new=0, inspect=0, interactive=0, optimize=0, dont_write_bytecode=0, no_user_site=0, no_site=0, ignore_environment=0, tabcheck=0, verbose=0, unicode=0, bytes_warning=0, hash_randomization=0)
test_ssl
test_sslwrap_simple (test.test_ssl.BasicTests) ... ok
test_DER_to_PEM (test.test_ssl.BasicSocketTests) ... ok
test_ciphers (test.test_ssl.BasicSocketTests) ... ok
test_constants (test.test_ssl.BasicSocketTests) ... ok
test_openssl_version (test.test_ssl.BasicSocketTests) ... ok
test_parse_cert (test.test_ssl.BasicSocketTests) ... 
{'notAfter': 'Oct  5 23:01:56 2020 GMT',
 'subject': ((('countryName', u'XY'),),
             (('localityName', u'Castle Anthrax'),),
             (('organizationName', u'Python Software Foundation'),),
             (('commonName', u'localhost'),)),
 'subjectAltName': (('DNS', 'localhost'),)}

{'issuer': ((('countryName', u'US'),),
            (('organizationName', u'VeriSign, Inc.'),),
            (('organizationalUnitName', u'VeriSign Trust Network'),),
            (('organizationalUnitName',
              u'Terms of use at https://www.verisign.com/rpa (c)10'),),
            (('commonName',
              u'VeriSign Class 3 International Server CA - G3'),)),
 'notAfter': 'Sep 20 23:59:59 2012 GMT',
 'notBefore': 'Sep 21 00:00:00 2011 GMT',
 'serialNumber': '2EE6EA7640A075CEE5005F4D7C79549A',
 'subject': ((('countryName', u'FI'),),
             (('stateOrProvinceName', u'Espoo'),),
             (('localityName', u'Espoo'),),
             (('organizationName', u'Nokia'),),
             (('organizationalUnitName', u'BI'),),
             (('commonName', u'projects.developer.nokia.com'),)),
 'subjectAltName': (('DNS', 'projects.developer.nokia.com'),
                    ('DNS', 'projects.forum.nokia.com')),
 'version': 3}
ok
test_parse_cert_CVE_2013_4238 (test.test_ssl.BasicSocketTests) ... 
{'issuer': ((('countryName', u'US'),),
            (('stateOrProvinceName', u'Oregon'),),
            (('localityName', u'Beaverton'),),
            (('organizationName', u'Python Software Foundation'),),
            (('organizationalUnitName', u'Python Core Development'),),
            (('commonName', u'null.python.org\x00example.org'),),
            (('emailAddress', u'python-dev@python.org'),)),
 'notAfter': 'Aug  7 13:12:52 2013 GMT',
 'notBefore': 'Aug  7 13:11:52 2013 GMT',
 'serialNumber': '00',
 'subject': ((('countryName', u'US'),),
             (('stateOrProvinceName', u'Oregon'),),
             (('localityName', u'Beaverton'),),
             (('organizationName', u'Python Software Foundation'),),
             (('organizationalUnitName', u'Python Core Development'),),
             (('commonName', u'null.python.org\x00example.org'),),
             (('emailAddress', u'python-dev@python.org'),)),
 'subjectAltName': (('DNS', 'altnull.python.org\x00example.com'),
                    ('email', 'null@python.org\x00user@example.org'),
                    ('URI', 'http://null.python.org\x00http://example.org'),
                    ('IP Address', '192.0.2.1'),
                    ('IP Address', '2001:DB8:0:0:0:0:0:1\n')),
 'version': 3}
ok
test_random (test.test_ssl.BasicSocketTests) ... 
 RAND_status is 1 (sufficient randomness)
ok
test_refcycle (test.test_ssl.BasicSocketTests) ... ok
test_wrapped_unconnected (test.test_ssl.BasicSocketTests) ... ok
test_algorithms (test.test_ssl.NetworkedTests) ... skipped 'remote host needs SNI, only available on Python 3.2+'
test_connect (test.test_ssl.NetworkedTests) ... ok
test_connect_ex (test.test_ssl.NetworkedTests) ... ok
test_connect_ex_error (test.test_ssl.NetworkedTests) ... ok
test_get_server_certificate (test.test_ssl.NetworkedTests) ... ERROR
test_makefile_close (test.test_ssl.NetworkedTests) ... ok
test_non_blocking_connect_ex (test.test_ssl.NetworkedTests) ... ok
test_non_blocking_handshake (test.test_ssl.NetworkedTests) ... 
Needed 3 calls to do_handshake() to establish session.
ok
test_timeout_connect_ex (test.test_ssl.NetworkedTests) ... ok
test_asyncore_server (test.test_ssl.ThreadedTests)
Check the example asyncore integration. ... 
 server:  new connection from 127.0.0.1:48912
 client:  sending 'TEST MESSAGE of mixed case\n'...
 client:  read 'test message of mixed case\n'
 client:  closing connection.
 cleanup: stopping server.
 cleanup: joining server thread.
 server:  closed connection <ssl.SSLSocket object at 0x2399140>
 cleanup: successfully joined.
ok
test_default_ciphers (test.test_ssl.ThreadedTests) ... ok
test_echo (test.test_ssl.ThreadedTests)
Basic test of an SSL client connecting to a server ... 
 server:  new connection from ('127.0.0.1', 43993)
 server: connection cipher is now ('AES256-SHA', 'TLSv1/SSLv3', 256)
 client:  sending 'FOO\n'...
 server: read 'FOO\n' (encrypted), sending back 'foo\n' (encrypted)...
 client:  read 'foo\n'
 client:  sending bytearray(b'FOO\n')...
 server: read 'FOO\n' (encrypted), sending back 'foo\n' (encrypted)...
 client:  read 'foo\n'
 client:  sending <memory at 0x237f510>...
 server: read 'FOO\n' (encrypted), sending back 'foo\n' (encrypted)...
 client:  read 'foo\n'
 client:  closing connection.
 server: client closed connection
ok
test_empty_cert (test.test_ssl.ThreadedTests)
Connecting with an empty cert file ... 
SSLError is _ssl.c:354: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
ok
test_getpeercert (test.test_ssl.ThreadedTests) ... 
{'notAfter': 'Oct  5 23:01:56 2020 GMT',
 'subject': ((('countryName', u'XY'),),
             (('localityName', u'Castle Anthrax'),),
             (('organizationName', u'Python Software Foundation'),),
             (('commonName', u'localhost'),)),
 'subjectAltName': (('DNS', 'localhost'),)}
Connection cipher is ('AES256-GCM-SHA384', 'TLSv1/SSLv3', 256).
ok
test_handshake_timeout (test.test_ssl.ThreadedTests) ... ok
test_malformed_cert (test.test_ssl.ThreadedTests)
Connecting with a badly formatted certificate (syntax error) ... 
SSLError is _ssl.c:368: error:140DC009:SSL routines:SSL_CTX_use_certificate_chain_file:PEM lib
ok
test_malformed_key (test.test_ssl.ThreadedTests)
Connecting with a badly formatted key (syntax error) ... 
SSLError is _ssl.c:354: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
ok
test_nonexisting_cert (test.test_ssl.ThreadedTests)
Connecting with a non-existing cert file ... 
SSLError is _ssl.c:507: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
ok
test_protocol_sslv2 (test.test_ssl.ThreadedTests)
Connecting to an SSLv2 server with various client options ... 
 SSLv2->SSLv2 CERT_NONE
 SSLv2->SSLv2 CERT_OPTIONAL
 SSLv2->SSLv2 CERT_REQUIRED
 SSLv23->SSLv2 CERT_NONE
 {SSLv3->SSLv2} CERT_NONE
 {TLSv1->SSLv2} CERT_NONE
ok
test_protocol_sslv23 (test.test_ssl.ThreadedTests)
Connecting to an SSLv23 server with various client options ... 
 SSLv3->SSLv23 CERT_NONE
 SSLv23->SSLv23 CERT_NONE
 TLSv1->SSLv23 CERT_NONE
 SSLv3->SSLv23 CERT_OPTIONAL
 SSLv23->SSLv23 CERT_OPTIONAL
 TLSv1->SSLv23 CERT_OPTIONAL
 SSLv3->SSLv23 CERT_REQUIRED
 SSLv23->SSLv23 CERT_REQUIRED
 TLSv1->SSLv23 CERT_REQUIRED
ok
test_protocol_sslv3 (test.test_ssl.ThreadedTests)
Connecting to an SSLv3 server with various client options ... 
 SSLv3->SSLv3 CERT_NONE
 SSLv3->SSLv3 CERT_OPTIONAL
 SSLv3->SSLv3 CERT_REQUIRED
 {SSLv2->SSLv3} CERT_NONE
 {TLSv1->SSLv3} CERT_NONE
ok
test_protocol_tlsv1 (test.test_ssl.ThreadedTests)
Connecting to a TLSv1 server with various client options ... 
 TLSv1->TLSv1 CERT_NONE
 TLSv1->TLSv1 CERT_OPTIONAL
 TLSv1->TLSv1 CERT_REQUIRED
 {SSLv2->TLSv1} CERT_NONE
 {SSLv3->TLSv1} CERT_NONE
ok
test_recv_send (test.test_ssl.ThreadedTests)
Test recv(), send() and friends. ... 
 server:  new connection from ('127.0.0.1', 56710)
 server: connection cipher is now ('AES256-SHA', 'TLSv1/SSLv3', 256)
ok
test_rude_shutdown (test.test_ssl.ThreadedTests)
A brutal shutdown of an SSL server should raise an IOError ... ok
test_socketserver (test.test_ssl.ThreadedTests)
Using a SocketServer to create and manage SSL connections. ... 
 server (('127.0.0.1', 42188):42188 ('AES256-GCM-SHA384', 'TLSv1/SSLv3', 256)):
   [15/Apr/2014 14:14:53] "GET /keycert.pem HTTP/1.0" 200 -
 client: read 1783 bytes from remote server '<SocketServerHTTPSServer <HTTPSServer localhost.localdomain:42188>>'
ok
test_starttls (test.test_ssl.ThreadedTests)
Switching from clear text to encrypted and back again. ... 
 client:  sending 'msg 1'...
 server:  new connection from ('127.0.0.1', 50624)
 server: read 'msg 1' (unencrypted), sending back 'msg 1' (unencrypted)...
 client:  read 'msg 1' from server
 client:  sending 'MSG 2'...
 server: read 'MSG 2' (unencrypted), sending back 'msg 2' (unencrypted)...
 client:  read 'msg 2' from server
 client:  sending 'STARTTLS'...
 server: read STARTTLS from client, sending OK...
 client:  read 'OK\n' from server, starting TLS...
 client:  sending 'MSG 3'...
 server: read 'MSG 3' (encrypted), sending back 'msg 3' (encrypted)...
 client:  read 'msg 3' from server
 client:  sending 'msg 4'...
 server: read 'msg 4' (encrypted), sending back 'msg 4' (encrypted)...
 client:  read 'msg 4' from server
 client:  sending 'ENDTLS'...
 server: read ENDTLS from client, sending OK...
 client:  read 'OK\n' from server, ending TLS...
 server: connection is now unencrypted...
 client:  sending 'msg 5'...
 server: read 'msg 5' (unencrypted), sending back 'msg 5' (unencrypted)...
 client:  read 'msg 5' from server
 client:  sending 'msg 6'...
 server: read 'msg 6' (unencrypted), sending back 'msg 6' (unencrypted)...
 client:  read 'msg 6' from server
 client:  closing connection.
 server: client closed connection
ok
test_wrapped_accept (test.test_ssl.ThreadedTests)
Check the accept() method on SSL sockets. ... test test_ssl failed -- Traceback (most recent call last):
  File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/test/test_ssl.py", line 387, in test_get_server_certificate
    pem = ssl.get_server_certificate(("svn.python.org", 443))
  File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 448, in get_server_certificate
    s.connect(addr)
  File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 333, in connect
    self._real_connect(addr, False)
  File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 323, in _real_connect
    self.do_handshake()
  File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 305, in do_handshake
    self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:507: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure


 server:  wrapped server socket as <ssl.SSLSocket object at 0x2399140>
 client:  sending 'FOO\n'...
 server:  new connection from ('127.0.0.1', 40291)
 client cert is {'notAfter': 'Oct  5 23:01:56 2020 GMT',
 'subject': ((('countryName', u'XY'),),
             (('localityName', u'Castle Anthrax'),),
             (('organizationName', u'Python Software Foundation'),),
             (('commonName', u'localhost'),)),
 'subjectAltName': (('DNS', 'localhost'),)}
 cert binary is 600 bytes
 server: connection cipher is now ('AES256-GCM-SHA384', 'TLSv1/SSLv3', 256)
 server: read 'FOO\n' (encrypted), sending back 'foo\n' (encrypted)...
 client:  read 'foo\n'
 client:  sending bytearray(b'FOO\n')...
 server: read 'FOO\n' (encrypted), sending back 'foo\n' (encrypted)...
 client:  read 'foo\n'
 client:  sending <memory at 0x240ecc8>...
 server: read 'FOO\n' (encrypted), sending back 'foo\n' (encrypted)...
 client:  read 'foo\n'
 client:  closing connection.
 server: client closed connection
ok

======================================================================
ERROR: test_get_server_certificate (test.test_ssl.NetworkedTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/test/test_ssl.py", line 387, in test_get_server_certificate
    pem = ssl.get_server_certificate(("svn.python.org", 443))
  File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 448, in get_server_certificate
    s.connect(addr)
  File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 333, in connect
    self._real_connect(addr, False)
  File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 323, in _real_connect
    self.do_handshake()
  File "/glade/scratch/ddvento/build/Python-2.7.6/Lib/ssl.py", line 305, in do_handshake
    self._sslobj.do_handshake()
SSLError: [Errno 1] _ssl.c:507: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

----------------------------------------------------------------------
Ran 37 tests in 4.950s

FAILED (errors=1, skipped=1)
1 test failed:
    test_ssl
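An added example, not from the report or from CPython: decoding the packed OpenSSL error code in the SSLError above separates a fatal alert sent by the peer (reason 0x410 = 1000 + alert 40, handshake_failure, i.e. svn.python.org refused the SSLv3-only handshake that the superseding #20896 replaces with PROTOCOL_SSLv23) from a local failure such as the "PEM lib" errors earlier in the log. It assumes the OpenSSL 1.0.x/1.1.x code layout shown in this log (OpenSSL 3 changed it).

```python
import re

# TLS alert descriptions from RFC 5246 section 7.2.2 (subset)
TLS_ALERT_NAMES = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 112: "unrecognized_name",
}

ERR_LIB_SSL = 20             # OpenSSL's ERR_LIB_SSL
SSL_AD_REASON_OFFSET = 1000  # SSL_R_*_ALERT_* reasons are 1000 + alert description

# OpenSSL 1.0.x/1.1.x text form: error:<8 hex digits>:<lib>:<function>:<reason>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^\n]*)")

def decode_openssl_error(line):
    """Unpack the 1.0.x-style packed code: lib<<24 | func<<12 | reason."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    peer_alert = None
    if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
        # The remote side sent a fatal alert; the reason carries its description byte.
        desc = reason - SSL_AD_REASON_OFFSET
        peer_alert = (desc, TLS_ALERT_NAMES.get(desc, "unknown"))
    return {"lib": lib, "func": func, "reason": reason,
            "lib_name": m.group(2), "func_name": m.group(3),
            "reason_text": m.group(4), "peer_alert": peer_alert}

def triage(line):
    """Classify a log line: did the peer reject us, or did OpenSSL fail locally?"""
    info = decode_openssl_error(line)
    if info is None:
        return "not an OpenSSL error"
    if info["peer_alert"] is not None:
        return "peer rejected handshake with alert %d (%s)" % info["peer_alert"]
    return "local failure in %s: %s" % (info["func_name"], info["reason_text"])

# Lines taken from the test log in this report.
SAMPLE_LINES = [
    "SSLError: [Errno 1] _ssl.c:507: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure",
    "SSLError is _ssl.c:507: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
    "SSLError is _ssl.c:354: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib",
]
```

Running `triage` over `SAMPLE_LINES` flags the first two as peer alerts (40 handshake_failure, 48 unknown_ca) and the third as a local key-file problem.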
msg216423 - Author: Benjamin Peterson (benjamin.peterson) (Python committer) Date: 2014-04-16 02:41
Very old version of openssl?
msg216475 - Author: (ddvento@ucar.edu) Date: 2014-04-16 14:49
Despite this being Red Hat, this is not at all the case!

OpenSSL 1.0.1f was released on Jan 6th, 2014 at 15:39:19; see https://www.openssl.org/source/
msg216477 - Author: (ddvento@ucar.edu) Date: 2014-04-16 15:15
Just to make sure I'm using the right version:

Python 2.7.6 (default, Apr 14 2014, 15:12:21)
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import ssl
>>> ssl.OPENSSL_VERSION
'OpenSSL 1.0.1f 6 Jan 2014'
>>>

On 04/16/2014 08:49 AM, Davide Del Vento wrote:
>
> ddvento@ucar.edu added the comment:
>
> Despite this being Red Hat, this is not at all the case!
>
> OpenSSL 1.0.1f has been released on Jan 6th, 2014 at 15:39:19 -- see
> https://www.openssl.org/source/
>
msg216498 - Author: Antoine Pitrou (pitrou) (Python committer) Date: 2014-04-16 16:50
This was fixed in #20896 by a certain Benjamin Peterson.
msg216535 - Author: (ddvento@ucar.edu) Date: 2014-04-16 18:07
Thanks. The reason why I overlooked it is that #20896 did not list 2.7 as an affected version. I changed #20896 to prevent other people from making the same mistake.
History
Date | User | Action | Args
2022-04-11 14:58:01 | admin | set | github: 65445
2014-04-16 18:07:32 | ddvento@ucar.edu | set | messages: + msg216535
2014-04-16 16:50:21 | pitrou | set | status: open -> closed; nosy: + pitrou; messages: + msg216498; superseder: test_ssl.test_get_server_certificate() should use PROTOCOL_SSLv23, not PROTOCOL_SSLv3; resolution: duplicate
2014-04-16 15:15:06 | ddvento@ucar.edu | set | messages: + msg216477
2014-04-16 14:49:04 | ddvento@ucar.edu | set | messages: + msg216475
2014-04-16 02:41:59 | benjamin.peterson | set | nosy: + benjamin.peterson; messages: + msg216423
2014-04-15 20:22:28 | ddvento@ucar.edu | create |